AVG-2749 log

Package ntfs-3g
Status Fixed
Severity Unknown
Type unknown
Affected 2021.8.22-1
Fixed 2022.5.17-1
Current 2022.10.3-1 [extra]
Ticket None
Created Mon Jun 6 18:09:09 2022
Advisory Pending
Issue Severity Remote Type Description
CVE-2022-30789 Unknown Unknown Unknown
A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.
CVE-2022-30788 Unknown Unknown Unknown
A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22.
CVE-2022-30786 Unknown Unknown Unknown
A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22.
CVE-2022-30784 Unknown Unknown Unknown
A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22.
References
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-xchm-ph5h-hw4x
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58
https://www.openwall.com/lists/oss-security/2022/05/26/1
Notes
didn't add CVE-2021-46790 (CVSS 9.8) because `ntfsck` is not provided by `ntfs-3g`, although I yet have to check wether it was present in the previous version or removed when it was deprecated

TODO: look up wether ntfs-3g is built with the internal libfuse or not as it determines wether the second advisory applies