ELA-736-1 ntfs-3g security update

local privilege escalation

2022-11-22
Package: ntfs-3g
Version: 1:2014.2.15AR.2-1+deb8u7 (jessie), 1:2016.2.22AR.1+dfsg-1+deb9u4 (stretch)
Related CVEs: CVE-2022-40284


Yuchen Zeng and Eduardo Vela discovered a buffer overflow in NTFS-3G, a read-write NTFS driver for FUSE, due to incorrect validation of some of the NTFS metadata. A local user can take advantage of this flaw for local root privilege escalation.



For Debian 8 jessie, these problems have been fixed in version 1:2014.2.15AR.2-1+deb8u7.

For Debian 9 stretch, these problems have been fixed in version 1:2016.2.22AR.1+dfsg-1+deb9u4.

We recommend that you upgrade your ntfs-3g packages.

Further information about Extended LTS security advisories can be found at: Debian Extended Long Term Support