GNU bug report logs - #50488
[PATCH] gnu: ntfs-3g: Update to 2021.8.22 [security fixes].

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 9 Sep 2021 17:22:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#50488; Package guix-patches. (Thu, 09 Sep 2021 17:22:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 09 Sep 2021 17:22:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: ntfs-3g: Update to 2021.8.22 [security fixes].
Date: Thu, 9 Sep 2021 13:21:00 -0400

The upstream security advisory is named NTFS3G-SA-2021-0001.

Fixes CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251,
CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256,
CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261,
CVE-2021-39262, CVE-2021-39263.

For more information:

https://seclists.org/oss-sec/2021/q3/139

* gnu/packages/linux.scm (ntfs-3g): Update to 2021.8.22.
[source]: Remove obsolete patch.
* gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                  |  1 -
 gnu/packages/linux.scm                        |  9 ++-
 .../patches/ntfs-3g-CVE-2019-9755.patch       | 72 -------------------
 3 files changed, 4 insertions(+), 78 deletions(-)
 delete mode 100644 gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 2a56c4a9e2..451cd9d1c1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1507,7 +1507,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/nsis-source-date-epoch.patch		\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-3.56-pkgconfig.patch			\
-  %D%/packages/patches/ntfs-3g-CVE-2019-9755.patch		\
   %D%/packages/patches/nvi-assume-preserve-path.patch		\
   %D%/packages/patches/nvi-dbpagesize-binpower.patch		\
   %D%/packages/patches/nvi-db4.patch				\
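
Review bot: Dropping ntfs-3g-CVE-2019-9755.patch from dist_patch_DATA is only safe if nothing else still names it in a search-patches form. This series removes the one reference visible here (the patches field of ntfs-3g in linux.scm), so a quick grep of gnu/packages for the patch file name before pushing would confirm there is no second user.
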
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4281ce4b0a..5860a49df7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -5902,15 +5902,14 @@ invocations of itself.")
 (define-public ntfs-3g
   (package
     (name "ntfs-3g")
-    (version "2017.3.23")
+    (version "2021.8.22")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://tuxera.com/opensource/"
                                   "ntfs-3g_ntfsprogs-" version ".tgz"))
-              (patches (search-patches "ntfs-3g-CVE-2019-9755.patch"))
               (sha256
                (base32
-                "1mb228p80hv97pgk3myyvgp975r9mxq56c6bdn1n24kngcfh4niy"))
+                "1yrf42xr92qv3pads8lzp5nyssz6875ncfgg8v3jwjyr0nm87f2m"))
               (modules '((guix build utils)))
               (snippet '(begin
                           ;; Install under $prefix.
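
Review bot: The new base32 value in the sha256 field is the only integrity check on a tarball fetched from tuxera.com, so it should be reproduced independently (for example with guix download on the same URL) and, if upstream publishes a checksum or signature for 2021.8.22, compared against that. The snippet that follows is also carried over unchanged across the jump from 2017.3.23 to 2021.8.22, so a build is needed to confirm that it still matches the files in the new release.
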
@@ -5919,8 +5918,8 @@ invocations of itself.")
                              "@sbindir@"))
                           #t))))
     (build-system gnu-build-system)
-    (inputs `(("util-linux" ,util-linux)
-              ("fuse" ,fuse)))                    ;libuuid
+    (inputs `(("util-linux" ,util-linux) ; libuuid
+              ("fuse" ,fuse)))
     (native-inputs `(("pkg-config" ,pkg-config)))
     (arguments
      '(#:configure-flags (list "--disable-static"
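
Review bot: Moving the libuuid comment from the fuse input to the util-linux input is unrelated to the security update and is not listed in the commit log, which mentions only the version update, [source] and the patch removal. Either add an [inputs] entry to the log or split the comment fix into its own commit so the security update stays minimal and easy to backport.
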
diff --git a/gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch b/gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch
deleted file mode 100644
index a7794aed47..0000000000
--- a/gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Fix CVE-2019-9755:
-
-https://security-tracker.debian.org/tracker/CVE-2019-9755
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9755
-
-Patch copied from upstream source repository:
-
-https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/
-
-From 85c1634a26faa572d3c558d4cf8aaaca5202d4e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre <at> wanadoo.fr>
-Date: Wed, 19 Dec 2018 15:57:50 +0100
-Subject: [PATCH] Fixed reporting an error when failed to build the mountpoint
-
-The size check was inefficient because getcwd() uses an unsigned int
-argument.
----
- src/lowntfs-3g.c | 6 +++++-
- src/ntfs-3g.c    | 6 +++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
-index 993867fa..0660439b 100644
---- a/src/lowntfs-3g.c
-+++ b/src/lowntfs-3g.c
-@@ -4411,7 +4411,8 @@ int main(int argc, char *argv[])
- 	else {
- 		ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
- 		if (ctx->abs_mnt_point) {
--			if (getcwd(ctx->abs_mnt_point,
-+			if ((strlen(opts.mnt_point) < PATH_MAX)
-+			    && getcwd(ctx->abs_mnt_point,
- 				     PATH_MAX - strlen(opts.mnt_point) - 1)) {
- 				strcat(ctx->abs_mnt_point, "/");
- 				strcat(ctx->abs_mnt_point, opts.mnt_point);
-@@ -4419,6 +4420,9 @@ int main(int argc, char *argv[])
- 			/* Solaris also wants the absolute mount point */
- 				opts.mnt_point = ctx->abs_mnt_point;
- #endif /* defined(__sun) && defined (__SVR4) */
-+			} else {
-+				free(ctx->abs_mnt_point);
-+				ctx->abs_mnt_point = (char*)NULL;
- 			}
- 		}
- 	}
-diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c
-index 6ce89fef..4e0912ae 100644
---- a/src/ntfs-3g.c
-+++ b/src/ntfs-3g.c
-@@ -4148,7 +4148,8 @@ int main(int argc, char *argv[])
- 	else {
- 		ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
- 		if (ctx->abs_mnt_point) {
--			if (getcwd(ctx->abs_mnt_point,
-+			if ((strlen(opts.mnt_point) < PATH_MAX)
-+			    && getcwd(ctx->abs_mnt_point,
- 				     PATH_MAX - strlen(opts.mnt_point) - 1)) {
- 				strcat(ctx->abs_mnt_point, "/");
- 				strcat(ctx->abs_mnt_point, opts.mnt_point);
-@@ -4156,6 +4157,9 @@ int main(int argc, char *argv[])
- 			/* Solaris also wants the absolute mount point */
- 				opts.mnt_point = ctx->abs_mnt_point;
- #endif /* defined(__sun) && defined (__SVR4) */
-+			} else {
-+				free(ctx->abs_mnt_point);
-+				ctx->abs_mnt_point = (char*)NULL;
- 			}
- 		}
- 	}
--- 
-2.21.0
-
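
Review bot: The commit log calls this patch obsolete without saying why, and the deleted file is the only record in the tree of what the CVE-2019-9755 fix was: the strlen(opts.mnt_point) < PATH_MAX guard before getcwd() and the free-and-NULL of ctx->abs_mnt_point on failure, in both src/ntfs-3g.c and src/lowntfs-3g.c. The upstream commit is dated 19 Dec 2018, so it should be part of 2021.8.22, but it is worth checking the unpacked source for that guard and stating in the log that the fix is included upstream.
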
-- 
2.33.0





Information forwarded to guix-patches <at> gnu.org:
bug#50488; Package guix-patches. (Tue, 21 Sep 2021 12:56:01 GMT) Full text and rfc822 format available.

Message #8 received at 50488 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 50488 <at> debbugs.gnu.org
Subject: Re: bug#50488: [PATCH] gnu: ntfs-3g: Update to 2021.8.22 [security fixes].
Date: Tue, 21 Sep 2021 14:55:09 +0200

Hi Leo,

Leo Famulari <leo <at> famulari.name> wrote:

> The upstream security advisory is named NTFS3G-SA-2021-0001.
>
> Fixes CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
> CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251,
> CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256,
> CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261,
> CVE-2021-39262, CVE-2021-39263.
>
> For more information:
>
> https://seclists.org/oss-sec/2021/q3/139
>
> * gnu/packages/linux.scm (ntfs-3g): Update to 2021.8.22.
> [source]: Remove obsolete patch.
> * gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, thanks for taking care of it!

Ludo’.




bug closed, send any further explanations to 50488 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 21 Sep 2021 17:31:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#50488; Package guix-patches. (Tue, 21 Sep 2021 17:31:02 GMT) Full text and rfc822 format available.

Message #13 received at 50488-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 50488-done <at> debbugs.gnu.org
Subject: Re: bug#50488: [PATCH] gnu: ntfs-3g: Update to 2021.8.22 [security fixes].
Date: Tue, 21 Sep 2021 13:30:00 -0400

On Tue, Sep 21, 2021 at 02:55:09PM +0200, Ludovic Courtès wrote:
> Hi Leo,
> 
> Leo Famulari <leo <at> famulari.name> wrote:
> 
> > The upstream security advisory is named NTFS3G-SA-2021-0001.
> >
> > Fixes CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
> > CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251,
> > CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256,
> > CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261,
> > CVE-2021-39262, CVE-2021-39263.
> >
> > For more information:
> >
> > https://seclists.org/oss-sec/2021/q3/139
> >
> > * gnu/packages/linux.scm (ntfs-3g): Update to 2021.8.22.
> > [source]: Remove obsolete patch.
> > * gnu/packages/patches/ntfs-3g-CVE-2019-9755.patch: Delete file.
> > * gnu/local.mk (dist_patch_DATA): Remove it.
> 
> LGTM, thanks for taking care of it!

Thanks for the reminder! Pushed as
1e3262d74fe96cf3bc3b8b3914379ef9e37672df




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Oct 2021 11:24:12 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 182 days ago.
