Debian Bug report logs - #988386
ntfs-3g: CVE-2021-33285 CVE-2021-35269 CVE-2021-35268 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263

Package: ntfs-3g; Maintainer for ntfs-3g is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for ntfs-3g is src:ntfs-3g.

Reported by: Jeremy Galindo <jgalindo@datto.com>

Date: Tue, 11 May 2021 16:03:02 UTC

Severity: grave

Tags: fixed-upstream, upstream

Found in versions ntfs-3g/1:2017.3.23AR.3-4, 2017.3.23AR.3

Fixed in versions ntfs-3g/1:2021.8.22-1, ntfs-3g/1:2017.3.23AR.3-4+deb11u1, ntfs-3g/1:2017.3.23AR.3-3+deb10u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 16:03:04 GMT)


Acknowledgement sent to Jeremy Galindo <jgalindo@datto.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 16:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jeremy Galindo <jgalindo@datto.com>
To: submit@bugs.debian.org
Subject: Reporting CVE's from upstream
Date: Tue, 11 May 2021 12:00:40 -0400
Package: ntfs-3g
Version: 2017.3.23AR.3

For CVE's pending from upstream, is everything already mirrored so upstream
fixes are applied in the next release? I'm asking because the upstream
maintainers are trying to identify how soon their fixes will be applied to
your packages.

Thanks,




-- 

*Jeremy Galindo* Associate Mgr., Offensive Security
Datto, Inc. Direct Line www.datto.com

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 19:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 19:51:03 GMT)


Message #10 received at 988386@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Tue, 11 May 2021 21:47:36 +0200
Control: tags -1 + moreinfo

Hi

[disclaimer, not the maintainer here]

On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> Package: ntfs-3g
> Version: 2017.3.23AR.3
> 
> For CVE's pending from upstream, is everything already mirrored so upstream
> fixes are applied in the next release? I'm asking because the upstream
> maintainers are trying to identify how soon their fixes will be applied to
> your packages.

Can you be more specific, which CVEs are you referring to?

Regards,
Salvatore



Added tag(s) moreinfo. Request was from Salvatore Bonaccorso <carnil@debian.org> to 988386-submit@bugs.debian.org. (Tue, 11 May 2021 19:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 21:09:02 GMT)


Acknowledgement sent to Jeremy Galindo <jgalindo@datto.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 21:09:02 GMT)


Message #17 received at 988386@bugs.debian.org:

From: Jeremy Galindo <jgalindo@datto.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 988386@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Tue, 11 May 2021 16:58:09 -0400
They're awaiting confirmation from MITRE, but the upstream maintainers
wanted to be able to answer the question:

> And what, in your opinion, will be the distributions wanting to do ?
> Either fix their current release version or upgrade to the latest one ?
> Will they want the individual patches or switch to the new tarball ?
> Rebasing the patches to an old version should be easy enough, but this
> could lead to some complexity in managing the update reports (Fedora
> and Ubuntu are not currently releasing the same version).
>

On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:

> Control: tags -1 + moreinfo
>
> Hi
>
> [disclaimer, not the maintainer here]
>
> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> > Package: ntfs-3g
> > Version: 2017.3.23AR.3
> >
> > For CVE's pending from upstream, is everything already mirrored so upstream
> > fixes are applied in the next release? I'm asking because the upstream
> > maintainers are trying to identify how soon their fixes will be applied to
> > your packages.
>
> Can you be more specific, which CVEs are you referring to?
>
> Regards,
> Salvatore
>
>

-- 

*Jeremy Galindo* Associate Mgr., Offensive Security
Datto, Inc. Direct Line www.datto.com

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Wed, 12 May 2021 06:15:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 12 May 2021 06:15:03 GMT)


Message #22 received at 988386@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Wed, 12 May 2021 08:13:42 +0200
Control: tags -1 -moreinfo

Hi Jeremy,

On Tue, May 11, 2021 at 11:09 PM Jeremy Galindo <jgalindo@datto.com> wrote:
> They're awaiting confirmation from MITRE, but the upstream maintainers wanted to be able to answer the question:
>
>> And what, in your opinion, will be the distributions wanting to do ?
>> Either fix their current release version or upgrade to the latest one ?
>> Will they want the individual patches or switch to the new tarball ?
>> Rebasing the patches to an old version should be easy enough, but this
>> could lead to some complexity in managing the update reports (Fedora
>> and Ubuntu are not currently releasing the same version).

Current Debian release is in a deep freeze state. Important and
serious bug fixes are still accepted, but not other changes and
especially not new upstream releases.
Next stable Debian will be released with the ntfs-3g 2017.3.23AR.3
version. Can you provide patch(es) for this or should I do those? If
there's sensitive information, we can continue in private until a
coordinated security update. Please include the Security Team in the
communication then.

> On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
>> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
>> > For CVE's pending from upstream, is everything already mirrored so upstream
>> > fixes are applied in the next release? I'm asking because the upstream
>> > maintainers are trying to identify how soon their fixes will be applied to
>> > your packages.
>>
>> Can you be more specific, which CVEs are you referring to?

Thanks Salvatore for the followup, the original mail landed in my
spam folder and I wouldn't have seen it for a day or two otherwise.

Regards,
Laszlo/GCS



Removed tag(s) moreinfo. Request was from László Böszörményi (GCS) <gcs@debian.org> to 988386-submit@bugs.debian.org. (Wed, 12 May 2021 06:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Thu, 02 Sep 2021 07:15:02 GMT)


Acknowledgement sent to Amr Ibrahim <amribrahim1987@hotmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 02 Sep 2021 07:15:02 GMT)


Message #29 received at 988386@bugs.debian.org:

From: Amr Ibrahim <amribrahim1987@hotmail.com>
To: "988386@bugs.debian.org" <988386@bugs.debian.org>
Subject: ntfs-3g is now on GitHub
Date: Thu, 2 Sep 2021 07:10:24 +0000
ntfs-3g is now on GitHub.
https://github.com/tuxera/ntfs-3g

The security vulnerabilities are resolved in version 2021.8.22.
https://www.openwall.com/lists/oss-security/2021/08/30/1

Changed Bug title to 'ntfs-3g: CVE-2021-33285 CVE-2021-35269 CVE-2021-35268 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263' from 'Reporting CVE's from upstream'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:02 GMT)


Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:02 GMT)


Marked as found in versions ntfs-3g/1:2017.3.23AR.3-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:03 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:03 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 03 Sep 2021 23:03:08 GMT)


Notification sent to Jeremy Galindo <jgalindo@datto.com>:
Bug acknowledged by developer. (Fri, 03 Sep 2021 23:03:09 GMT)


Message #42 received at 988386-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988386-close@bugs.debian.org
Subject: Bug#988386: fixed in ntfs-3g 1:2021.8.22-1
Date: Fri, 03 Sep 2021 23:00:09 +0000
Source: ntfs-3g
Source-Version: 1:2021.8.22-1
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 02 Sep 2021 18:10:12 +0200
Source: ntfs-3g
Binary: libntfs-3g89 libntfs-3g89-dbgsym ntfs-3g ntfs-3g-dbgsym ntfs-3g-dev ntfs-3g-dev-dbgsym ntfs-3g-udeb
Architecture: source amd64
Version: 1:2021.8.22-1
Distribution: experimental
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libntfs-3g89 - read/write NTFS driver for FUSE (runtime library)
 ntfs-3g    - read/write NTFS driver for FUSE
 ntfs-3g-dev - read/write NTFS driver for FUSE (development)
 ntfs-3g-udeb - read/write NTFS driver for FUSE (udeb)
Closes: 988386
Changes:
 ntfs-3g (1:2021.8.22-1) experimental; urgency=high
 .
   * New upstream release (closes: #988386) fixing CVE-2021-33285,
     CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-33286,
     CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251,
     CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255,
     CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259,
     CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263: multiple
     buffer overflows.
   * Library transition from libntfs-3g886 to libntfs-3g89 .




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 10 Sep 2021 10:51:07 GMT)


Notification sent to Jeremy Galindo <jgalindo@datto.com>:
Bug acknowledged by developer. (Fri, 10 Sep 2021 10:51:07 GMT)


Message #47 received at 988386-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988386-close@bugs.debian.org
Subject: Bug#988386: fixed in ntfs-3g 1:2017.3.23AR.3-4+deb11u1
Date: Fri, 10 Sep 2021 10:47:45 +0000
Source: ntfs-3g
Source-Version: 1:2017.3.23AR.3-4+deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 05 Sep 2021 14:50:38 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 988386
Changes:
 ntfs-3g (1:2017.3.23AR.3-4+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed an endianness error in ntfscp
   * Checked the locations of MFT and MFTMirr at startup
   * Fix multiple buffer overflows.
     CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
     CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267,
     CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254,
     CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258,
     CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262,
     CVE-2021-39263. (Closes: #988386)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 10 Sep 2021 10:51:09 GMT)


Notification sent to Jeremy Galindo <jgalindo@datto.com>:
Bug acknowledged by developer. (Fri, 10 Sep 2021 10:51:09 GMT)


Message #52 received at 988386-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988386-close@bugs.debian.org
Subject: Bug#988386: fixed in ntfs-3g 1:2017.3.23AR.3-3+deb10u1
Date: Fri, 10 Sep 2021 10:48:50 +0000
Source: ntfs-3g
Source-Version: 1:2017.3.23AR.3-3+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 05 Sep 2021 14:53:02 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 988386
Changes:
 ntfs-3g (1:2017.3.23AR.3-3+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed an endianness error in ntfscp
   * Checked the locations of MFT and MFTMirr at startup
   * Fix multiple buffer overflows.
     CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
     CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267,
     CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254,
     CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258,
     CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262,
     CVE-2021-39263. (Closes: #988386)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Oct 2021 07:28:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:09:14 2025; Machine Name: bembo