Your message dated Thu, 04 Oct 2007 21:17:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#445315: fixed in ntfs-3g 1:1.913-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: ntfs-3g
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntfs-3g.
CVE-2007-5159[0]:
| The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g
| package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid
| root) to mount.ntfs-3g, which allows local users with fuse group
| membership to read from and write to arbitrary block devices, possibly
| involving a file descriptor leak.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: ntfs-3g
Source-Version: 1:1.913-2
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive:
libntfs-3g-dev_1.913-2_i386.deb
to pool/main/n/ntfs-3g/libntfs-3g-dev_1.913-2_i386.deb
libntfs-3g12_1.913-2_i386.deb
to pool/main/n/ntfs-3g/libntfs-3g12_1.913-2_i386.deb
ntfs-3g_1.913-2.diff.gz
to pool/main/n/ntfs-3g/ntfs-3g_1.913-2.diff.gz
ntfs-3g_1.913-2.dsc
to pool/main/n/ntfs-3g/ntfs-3g_1.913-2.dsc
ntfs-3g_1.913-2_i386.deb
to pool/main/n/ntfs-3g/ntfs-3g_1.913-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Cécile (Le_Vert) <[EMAIL PROTECTED]> (supplier of updated ntfs-3g package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 04 Oct 2007 22:20:11 +0200
Source: ntfs-3g
Binary: libntfs-3g12 libntfs-3g-dev ntfs-3g
Architecture: source i386
Version: 1:1.913-2
Distribution: unstable
Urgency: high
Maintainer: Adam Cécile (Le_Vert) <[EMAIL PROTECTED]>
Changed-By: Adam Cécile (Le_Vert) <[EMAIL PROTECTED]>
Description:
libntfs-3g-dev - ntfs-3g filesystem in userspace (FUSE) library headers
libntfs-3g12 - ntfs-3g filesystem in userspace (FUSE) library
ntfs-3g - read-write NTFS driver for FUSE
Closes: 443418 445315
Changes:
ntfs-3g (1:1.913-2) unstable; urgency=HIGH
.
* Security set to HIGH because it fixes a critical issue.
* Do not set ntfs-3g binary setuid with group fuse.
This could allow local users with fuse group membership to read from and
write to arbitrary block devices, possibly involving a file descriptor
leak. (CVE-2007-5159) (Closes: #445315).
* Update README.Debian and long description (Closes: #443418).
Files:
d78b3922b070ba3c4429d1d3630d8d19 666 otherosfs optional ntfs-3g_1.913-2.dsc
25b59e12e7a0339c5e7fb9f5ec50e5fa 8716 otherosfs optional ntfs-3g_1.913-2.diff.gz
ff55880ffe8c82b8f758bb3e426661b8 22802 otherosfs optional ntfs-3g_1.913-2_i386.deb
2cce6304222590904b28c75ec43140a8 56890 libdevel optional libntfs-3g-dev_1.913-2_i386.deb
bd5383d72209f78b53eb427ff4d97c7b 93350 libs optional libntfs-3g12_1.913-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFHBVU4HYflSXNkfP8RAn6PAKCXyBXFN6atHMIRqYaMJa3C58hNwwCXXrQF
xoEvFFE5bMbIKyeLXSOjLw==
=BmgK
-----END PGP SIGNATURE-----
--- End Message ---