ntfs-3g: add security fix for CVE-2017-0358
Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE does not not scrub the environment before
executing modprobe to load the fuse module. This influence the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options) potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid.
Notice that Buildroot does NOT install netfs-3g setuid root, but custom
permission tables might be used, causing it to vulnerable to the above.
ntfs-3g does not seem to have a publicly available version control system
and no new releases have been made, so instead grab the patch from Debian.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
projects / buildroot.git / commit