NTFS-3G: Remote code execution, possible privilege escalation — GLSA 202007-45

A buffer overflow in NTFS-3G might allow local or remote attacker(s) to execute arbitrary code, or escalate privileges.

Affected packages

sys-fs/ntfs3g on all architectures
Affected versions < 2017.3.23-r3
Unaffected versions >= 2017.3.23-r3

Background

NTFS-3G is a stable, full-featured, read-write NTFS driver for various operating systems.

Description

An integer underflow issue exists in NTFS-3G which may cause a heap buffer overflow with crafted input.

Impact

A remote attacker may be able to execute arbitrary code while a local attacker may be able to escalate privileges.

Workaround

There is no known workaround at this time.

Resolution

All NTFS-3G users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2017.3.23-r3"
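
Added example (not part of the advisory or of Gentoo's tooling): a POSIX shell check that classifies a sys-fs/ntfs3g version string against the fixed version 2017.3.23-r3 listed under "Affected packages". The function names are hypothetical, and only dotted numeric versions with an optional -rN revision are handled; any other form is reported as "unknown" for manual review.

```shell
#!/bin/sh
# Fixed version from the advisory: unaffected >= 2017.3.23-r3
FIXED_BASE="2017.3.23"
FIXED_REV=3

# cmp_dotted A B: print -1, 0 or 1, comparing dot-separated numeric
# components as integers (so 2017.10 sorts after 2017.3).
cmp_dotted() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# classify VERSION: print affected, unaffected or unknown.
# Assumption: full Portage version syntax (_p, _rc, letter suffixes)
# is not implemented; such versions yield "unknown".
classify() {
    v=$1
    case "$v" in
        *-r[0-9]*) base=${v%-r*}; rev=${v##*-r} ;;
        *)         base=$v; rev=0 ;;
    esac
    case "$base" in ''|*[!0-9.]*) echo unknown; return ;; esac
    case "$rev"  in ''|*[!0-9]*)  echo unknown; return ;; esac
    c=$(cmp_dotted "$base" "$FIXED_BASE")
    if [ "$c" -eq 0 ]; then
        # Same upstream version: the ebuild revision decides.
        if [ "$rev" -lt "$FIXED_REV" ]; then c=-1; else c=1; fi
    fi
    if [ "$c" -lt 0 ]; then echo affected; else echo unaffected; fi
}

# Constructed sample versions, not taken from the advisory.
for sample in 2017.3.23-r2 2017.3.23-r3 2017.3.23_p1; do
    printf '%s -> %s\n' "$sample" "$(classify "$sample")"
done
```
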
 

References

Release date
July 27, 2020

Latest revision
July 27, 2020: 1

Severity
high

Exploitable
remote

Bugzilla entries