From f82b288c06cdee0cea160019aad2477ef3582658 Mon Sep 17 00:00:00 2001 From: qiaojijun Date: Mon, 17 Jun 2024 10:58:05 +0800 Subject: [PATCH] fix CVE-2023-52890 from: https://github.com/tuxera/ntfs-3g/commit/75dcdc2cf37478fad6c0e3427403d198b554951d (cherry picked from commit 0e6b06b25a7061bdd9e7f3325940058209e79445) --- 3000-CVE-2023-52890.patch | 37 +++++++++++++++++++++++++++++++++++++ ntfs-3g.spec | 7 ++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 3000-CVE-2023-52890.patch diff --git a/3000-CVE-2023-52890.patch b/3000-CVE-2023-52890.patch new file mode 100644 index 0000000..2f7443a --- /dev/null +++ b/3000-CVE-2023-52890.patch @@ -0,0 +1,37 @@ +From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001 +From: Erik Larsson +Date: Tue, 13 Jun 2023 17:47:15 +0300 +Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'. + +If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence, +then 'n' will be less than 0 and the loop will terminate without storing +anything in '*t'. After the loop the uppercase string's allocation is +freed, however after it is freed it is unconditionally accessed through +'*t', which points into the freed allocation, for the purpose of NULL- +terminating the string. This leads to a use-after-free. +Fixed by only NULL-terminating the string when no error has been thrown. + +Thanks for Jeffrey Bencteux for reporting this issue: +https://github.com/tuxera/ntfs-3g/issues/84 +--- + libntfs-3g/unistr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c +index 5854b3b7..db8ddf42 100644 +--- a/libntfs-3g/unistr.c ++++ b/libntfs-3g/unistr.c +@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low, + free(upp); + upp = (char*)NULL; + errno = EILSEQ; ++ } else { ++ *t = 0; + } +- *t = 0; + } + return (upp); + } +-- +2.20.1 + diff --git a/ntfs-3g.spec b/ntfs-3g.spec index de134f8..e08221e 100644 --- a/ntfs-3g.spec +++ b/ntfs-3g.spec @@ -1,6 +1,6 @@ Name: ntfs-3g Version: 2022.5.17 -Release: 2 +Release: 3 Epoch: 2 Summary: Linux NTFS userspace driver License: GPLv2+ @@ -11,6 +11,8 @@ Patch1: add-version-and-help-usage.patch Patch2: CVE-2022-40284_1.patch Patch3: CVE-2022-40284_2.patch +Patch3000: 3000-CVE-2023-52890.patch + BuildRequires: libtool, libattr-devel, libconfig-devel, libgcrypt-devel, gnutls-devel, libuuid-devel Provides: ntfsprogs-fuse = %{epoch}:%{version}-%{release} Obsoletes: ntfsprogs-fuse @@ -91,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}/README %{_mandir}/man*/* %changelog +* Mon Jun 17 2024 qiaojijun - 2:2022.5.17-3 +- fix CVE-2023-52890 + * Thu Nov 10 2022 liyuxiang - 2:2022.5.17-2 - fix CVE-2022-40284 -- Gitee