Bug 1204734 (CVE-2022-40284) - VUL-0: CVE-2022-40284: ntfs-3g_ntfsprogs: incorrect validation of some of the NTFS metadata that could cause buffer overflow
Summary: VUL-0: CVE-2022-40284: ntfs-3g_ntfsprogs: incorrect validation of some of the...
Status: RESOLVED FIXED
Alias: CVE-2022-40284
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/346196/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-40284:7.8:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-26 07:29 UTC by Thomas Leroy
Modified: 2024-05-03 09:01 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-10-26 07:29:13 UTC 
Hi,

A security vulnerability was identified in the open source NTFS-3G project.

CVE id reserved for vulnerability is CVE-2022-40284.

Tarball: https://tuxera.com/opensource/jSQMrBqx0t-ntfs-3g_ntfsprogs-2022.10.3.tgz
Patches: https://tuxera.com/opensource/jSQMrBqx0t-patches-2022.10.3.tgz

This vulnerability results from incorrect validation of some of the NTFS metadata that could cause
buffer overflow. Due to possible exploitations, we recommend the vulnerability is not publicly
disclosed before 31st October 2022.

We recommend all distributions should apply the update. For any questions or support please
feel free to reach out to following:

Jean-Pierre Andre (jean-pierre DOT andre AT wanadoo DOT fr) - Project maintainer or
Rakesh Pandit (rakesh AT tuxera DOT com) - Tuxera Inc. Engineer

Thank you.

With best regards,
Tuxera Open Source Team
Comment 3 Thomas Leroy 2022-10-26 09:38:51 UTC 
All maintained codestreams are affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 7 Marcus Meissner 2022-10-31 12:19:46 UTC 
public via oss-sec

A security vulnerability was identified in the open source NTFS-3G and
NTFSPROGS software. The vulnerability was confirmed and resolved. To
our knowledge, this vulnerability has not been exploited.

This vulnerability may allow an attacker using a maliciously crafted
NTFS-formatted image file or external storage to potentially execute
arbitrary privileged code, if the attacker has either local access and
the ntfs-3g binary is setuid root, or if the attacker has physical
access to an external port to a computer which is configured to run
the ntfs-3g binary or one of the ntfsprogs tools when the external
storage is plugged into the computer. This vulnerability results from
incorrect validation of some of the NTFS metadata that could
potentially cause buffer overflow, which could be exploited by an
attacker. Common ways for attackers to gain physical access to a
machine is through social engineering or an evil maid attack on an
unattended computer.

We recommend installing and applying the update with the security
fixes, and advise to follow security guidance and frameworks such as
NIST for assessing and improving an organization’s abilities to
prevent, detect, and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G
and NTFSPROGS.

This release code is available on :
https://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3
and the new release tarball can be downloaded from :
https://tuxera.com/opensource/ntfs-3g_ntfsprogs-2022.10.3.tgz

We would like to thank Yuchen Zeng and Eduardo Vela for having
reported on the flaw they discovered.

WORKAROUND: None

SOLUTION: 2022.10.3

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2022-0003

ISSUE DATE: 31.10.2022

SEVERITY: Moderate

CVEs: CVE-2022-40284

CVSS SCORE: 5.0-6.7
Comment 8 Swamp Workflow Management 2022-11-03 17:19:14 UTC 
SUSE-SU-2022:3865-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1204734
CVE References: CVE-2022-40284
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    ntfs-3g_ntfsprogs-2022.5.17-5.17.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ntfs-3g_ntfsprogs-2022.5.17-5.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-11-03 17:19:51 UTC 
SUSE-SU-2022:3866-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1204734
CVE References: CVE-2022-40284
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.16.1
openSUSE Leap 15.3 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.16.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.16.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Robert Frohl 2024-05-03 09:01:45 UTC 
done, closing