group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1821250@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Apr 2019 15:32:58 -0000
Reply-to: Bug 1821250 <1821250@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package ntfs-3g - 1:2017.3.23-2ubuntu0.18.10.2

---------------
ntfs-3g (1:2017.3.23-2ubuntu0.18.10.2) cosmic-security; urgency=medium

  * Fix LP: #1821250 - Don't install /bin/ntfs-3g as setuid root. If
    administrators want to allow unprivileged users to be able to mount NTFS
    images, they can restore this functionality by changing the permissions of
    /bin/ntfs-3g with dpkg-statoverride
    - update debian/ntfs-3g.postinst

 -- Chris Coulson <chris.coulson@xxxxxxxxxxxxx>  Thu, 21 Mar 2019
21:23:27 +0000

** Changed in: ntfs-3g (Ubuntu Cosmic)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1821250

Title:
  Drop setuid bit from /bin/ntfs-3g

Status in ntfs-3g package in Ubuntu:
  Fix Released
Status in ntfs-3g source package in Xenial:
  Fix Released
Status in ntfs-3g source package in Bionic:
  Fix Released
Status in ntfs-3g source package in Cosmic:
  Fix Released

Bug description:
  /bin/ntfs-3g has been installed as setuid-root since xenial, but this
  is discouraged upstream (see https://www.tuxera.com/community/ntfs-3g-
  faq/#useroption) and recently contributed to CVE-2019-9755
  (https://usn.ubuntu.com/3914-1/). As a hardening improvement, this
  should not be setuid.

  [ Test case ]
  Upgrade ntfs-3g and then mount, use and unmount your NTFS volumes as usual.

  [ Regression potential ]
  This does break one use-case - unprivileged users will not be able to mount NTFS image files. Based on discussions offline, we think this is an edge case and consider it to be an acceptable trade-off. As far as I'm aware, there are no other use-cases that are broken by this change. It doesn't affect automounting of removable volumes or mounting of NTFS block devices (which unprivileged users can't mount anyway). Administrators that want to allow unprivileged users to mount NTFS image files can change the permissions of /bin/ntfs-3g using dpkg-statoverride.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntfs-3g/+bug/1821250/+subscriptions

References

[Bug 1821250] [NEW] Drop setuid bit from /bin/ntfs-3g
From: Chris Coulson, 2019-03-21