SUSE-SU-2021:2965-1: important: Security update for ntfs-3g_ntfsprogs

sle-security-updates at lists.suse.com
Tue Sep 7 13:25:12 UTC 2021


   SUSE Security Update: Security update for ntfs-3g_ntfsprogs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2965-1
Rating:             important
References:         #1189720 
Cross-References:   CVE-2017-0358 CVE-2019-9755 CVE-2021-33285
                    CVE-2021-33286 CVE-2021-33287 CVE-2021-33289
                    CVE-2021-35266 CVE-2021-35267 CVE-2021-35268
                    CVE-2021-35269 CVE-2021-39251 CVE-2021-39252
                    CVE-2021-39253 CVE-2021-39255 CVE-2021-39256
                    CVE-2021-39257 CVE-2021-39258 CVE-2021-39259
                    CVE-2021-39260 CVE-2021-39261 CVE-2021-39262
                    CVE-2021-39263
CVSS scores:
                    CVE-2017-0358 (NVD) : 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-9755 (NVD) : 7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-9755 (SUSE): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________

   An update that fixes 22 vulnerabilities is now available.

Description:

   This update for ntfs-3g_ntfsprogs fixes the following issues:

   Update to version 2021.8.22 (bsc#1189720):

   * Signalled support of UTIME_OMIT to external libfuse2
   * Updated the repository change in the README
   * Fixed vulnerability threats caused by maliciously tampered NTFS
     partitions
   * Security fixes: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287,
     CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268,
     CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253,
     CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257,
     CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261,
     CVE-2021-39262, CVE-2021-39263.

   Changes in version 2017.3.23:

   * Delegated processing of special reparse points to external plugins
   * Allowed kernel caching by lowntfs-3g when not using Posix ACLs
   * Enabled fallback to read-only mount when the volume is hibernated
   * Made a full check for whether an extended attribute is allowed
   * Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and
     ntfsusermap)
   * Enabled encoding broken UTF-16 into broken UTF-8
   * Autoconfigured selecting <sys/sysmacros.h> vs <sys/mkdev>
   * Allowed using the full library API on systems without extended
     attributes support
   * Fixed DISABLE_PLUGINS as the condition for not using plugins
   * Corrected validation of multi sector transfer protected records
   * Denied creating/removing files from $Extend
   * Returned the size of locale encoded target as the size of symlinks

   Changes in version 2016.2.22:

   - Changes to NTFS-3G driver:

     - Write as much data as possible in compressed attribute pwrite
     - Fixed getting space for making an index non resident
     - Alleviated constraints relative to reparse points
     - Fixed special case of decompressing a runlist
     - Fixed returning the trimming count to fstrim()
     - Fixed the range of valid subauthority counts in a SID
     - Updated the read-only flag even when the security attribute was cached
     - Defended against reusing data from an invalid MFT record
     - Simplified NTFS ACLs when group same as owner and same permission as
       world
     - Packed/unpacked st_rdev transported as 32-bits on Solaris 64-bits
     - Zero uninitialized bytes before writing compressed data
     - Clear the environment when starting mount or umount
     - Implemented rewinding a directory in lowntfs-3g
     - Use incremental offsets when reading a directory in lowntfs-3g

   - Changes to mkntfs:

     - Make installing mkntfs /sbin symlinks dependent on ENABLE_MOUNT_HELPER
     - Mention the starting sector when it overflows in mkntfs
     - Upgraded the upper-case table to same as Windows 7, 8 and 10

   - Changes to ntfsresize:

     - Fixed relocating the MFT runlists
     - Decode the full list of bad clusters
     - Fixed resizing an extended bad cluster list

   - Changes to ntfsclone:

     - Decoded the full list of bad clusters

   - Changes to ntfsinfo:

     - Displayed reparse point information

   - Changes to ntfsdecrypt:

     - Fixed DESX decryption

   - Changes to ntfswipe:

     - Added clarifications about several options to the manual

   - New ntfsprogs tool:

     - Included ntfsrecover to recover the updates committed by Windows
       (experimental)

   - Overall:
     - Made a general cleanup of endianness types for easier checks

   Changes in version 2015.3.14:

   - ntfs-3g: Fixed inserting a new ACL after wiping out by chkdsk
   - ntfs-3g: Fixed Windows-type inheritance
   - ntfs-3g: Fixed ignoring the umask mount option when permissions are used
   - ntfs-3g: Fixed checking permissions when Posix ACLs are compiled in but
     not enabled
   - ntfs-3g: Disabled option remove_hiberfile on read-only mounts
   - ntfs-3g: Implemented an extended attribute to get/set EAs
   - ntfs-3g: Avoid full runlist updating in more situations
   - ntfs-3g: Update ctime after setting an ACL
   - ntfs-3g: Use MFT record 15 for the first extent to MFT:DATA
   - ntfs-3g: Ignore the sloppy mount option (-s)
   - ntfs-3g: Implemented FITRIM (fstrim) ioctl
   - ntfs-3g: Reengineered the compression algorithm
   - ntfsprogs: Added manuals for ntfsdecrypt, ntfswipe, ntfstruncate and
     ntfsfallocate


Patch Instructions:

   To install this SUSE Security Update, use the SUSE recommended installation
   methods such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2021-2965=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2965=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      libntfs-3g84-2021.8.22-5.9.1
      libntfs-3g84-debuginfo-2021.8.22-5.9.1
      ntfs-3g-2021.8.22-5.9.1
      ntfs-3g-debuginfo-2021.8.22-5.9.1
      ntfs-3g_ntfsprogs-debugsource-2021.8.22-5.9.1
      ntfsprogs-2021.8.22-5.9.1
      ntfsprogs-debuginfo-2021.8.22-5.9.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libntfs-3g-devel-2021.8.22-5.9.1
      libntfs-3g84-2021.8.22-5.9.1
      libntfs-3g84-debuginfo-2021.8.22-5.9.1
      ntfs-3g_ntfsprogs-debugsource-2021.8.22-5.9.1
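
   A post-patch check, added here as an example and not part of the SUSE
   announcement: it reads "name version-release" lines and flags any package
   from the list above that is still below 2021.8.22-5.9.1. The function names,
   the use of GNU sort -V as a stand-in for rpm's version comparison, and the
   sample inventory are assumptions of this example.

```shell
#!/bin/sh
# Fixed version-release, taken from this advisory's Package List.
FIXED="2021.8.22-5.9.1"
# Runtime and devel packages named in the Package List
# (debuginfo/debugsource packages are left out of the check).
PKGS="libntfs-3g84 ntfs-3g ntfsprogs libntfs-3g-devel"

# Constructed sample inventory, not output from a real host. The older
# version-release string is made up for illustration.
SAMPLE='libntfs-3g84 2021.8.22-5.9.1
ntfs-3g 2016.2.22-5.3.1
package ntfsprogs is not installed'

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU "sort -V" ordering is close enough to rpm's comparison
# for the dotted-numeric version-release strings used by this package.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_inventory: reads "name version-release" lines on stdin, prints one
# verdict per advisory package, and returns 1 if any is below FIXED.
# Lines for other packages, and rpm's "package X is not installed"
# messages, are skipped because their first field is not in PKGS.
check_inventory() {
    rc=0
    while read -r name vr; do
        case " $PKGS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        if ver_lt "$vr" "$FIXED"; then
            echo "VULNERABLE $name $vr (< $FIXED)"
            rc=1
        else
            echo "OK $name $vr"
        fi
    done
    return $rc
}

# Live use on a patched or unpatched host:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $PKGS | check_inventory
```

   A non-zero exit status means at least one installed package still
   predates the fixed build.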


References:

   https://www.suse.com/security/cve/CVE-2017-0358.html
   https://www.suse.com/security/cve/CVE-2019-9755.html
   https://www.suse.com/security/cve/CVE-2021-33285.html
   https://www.suse.com/security/cve/CVE-2021-33286.html
   https://www.suse.com/security/cve/CVE-2021-33287.html
   https://www.suse.com/security/cve/CVE-2021-33289.html
   https://www.suse.com/security/cve/CVE-2021-35266.html
   https://www.suse.com/security/cve/CVE-2021-35267.html
   https://www.suse.com/security/cve/CVE-2021-35268.html
   https://www.suse.com/security/cve/CVE-2021-35269.html
   https://www.suse.com/security/cve/CVE-2021-39251.html
   https://www.suse.com/security/cve/CVE-2021-39252.html
   https://www.suse.com/security/cve/CVE-2021-39253.html
   https://www.suse.com/security/cve/CVE-2021-39255.html
   https://www.suse.com/security/cve/CVE-2021-39256.html
   https://www.suse.com/security/cve/CVE-2021-39257.html
   https://www.suse.com/security/cve/CVE-2021-39258.html
   https://www.suse.com/security/cve/CVE-2021-39259.html
   https://www.suse.com/security/cve/CVE-2021-39260.html
   https://www.suse.com/security/cve/CVE-2021-39261.html
   https://www.suse.com/security/cve/CVE-2021-39262.html
   https://www.suse.com/security/cve/CVE-2021-39263.html
   https://bugzilla.suse.com/1189720


