Security update for ntfs-3g_ntfsprogs

Announcement ID:	SUSE-SU-2021:2971-1
Rating:	important
References:	bsc#1189720
Cross-References:	CVE-2019-9755 CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263
CVSS scores:	CVE-2019-9755 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-9755 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-9755 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33285 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33286 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33287 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33289 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-35266 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-35267 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-35268 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-35269 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39251 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39252 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39253 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39255 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39256 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39257 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-39258 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39259 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39260 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39261 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39262 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-39263 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP3

An update that solves 21 vulnerabilities can now be installed.

Description:

This update for ntfs-3g_ntfsprogs fixes the following issues:

Update to version 2021.8.22 (bsc#1189720):

• Fixed compile error when building with libfuse < 2.8.0
• Fixed obsolete macros in configure.ac
• Signalled support of UTIME_OMIT to external libfuse2
• Fixed an improper macro usage in ntfscp.c
• Updated the repository change in the README
• Fixed vulnerability threats caused by maliciously tampered NTFS partitions

• Security fixes: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE_2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263.

• Library soversion is now 89

• Changes in version 2017.3.23

• Delegated processing of special reparse points to external plugins
• Allowed kernel cacheing by lowntfs-3g when not using Posix ACLs
• Enabled fallback to read-only mount when the volume is hibernated
• Made a full check for whether an extended attribute is allowed
• Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and ntfsusermap)
• Enabled encoding broken UTF-16 into broken UTF-8
• Autoconfigured selecting <sys/sysmacros.h> vs <sys/mkdev>
• Allowed using the full library API on systems without extended attributes support
• Fixed DISABLE_PLUGINS as the condition for not using plugins
• Corrected validation of multi sector transfer protected records
• Denied creating/removing files from $Extend
• Returned the size of locale encoded target as the size of symlinks

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-2971=1
• SUSE Linux Enterprise Workstation Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2971=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • libntfs-3g87-debuginfo-2021.8.22-3.8.1
  • ntfs-3g_ntfsprogs-debugsource-2021.8.22-3.8.1
  • ntfsprogs-debuginfo-2021.8.22-3.8.1
  • libntfs-3g87-2021.8.22-3.8.1
  • ntfsprogs-2021.8.22-3.8.1
  • libntfs-3g-devel-2021.8.22-3.8.1
  • ntfs-3g-debuginfo-2021.8.22-3.8.1
  • ntfs-3g_ntfsprogs-debuginfo-2021.8.22-3.8.1
  • ntfs-3g-2021.8.22-3.8.1
• SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
  • libntfs-3g87-debuginfo-2021.8.22-3.8.1
  • ntfs-3g_ntfsprogs-debugsource-2021.8.22-3.8.1
  • ntfsprogs-debuginfo-2021.8.22-3.8.1
  • libntfs-3g87-2021.8.22-3.8.1
  • ntfsprogs-2021.8.22-3.8.1
  • libntfs-3g-devel-2021.8.22-3.8.1
  • ntfs-3g-debuginfo-2021.8.22-3.8.1
  • ntfs-3g_ntfsprogs-debuginfo-2021.8.22-3.8.1
  • ntfs-3g-2021.8.22-3.8.1

References:

• https://www.suse.com/security/cve/CVE-2019-9755.html
• https://www.suse.com/security/cve/CVE-2021-33285.html
• https://www.suse.com/security/cve/CVE-2021-33286.html
• https://www.suse.com/security/cve/CVE-2021-33287.html
• https://www.suse.com/security/cve/CVE-2021-33289.html
• https://www.suse.com/security/cve/CVE-2021-35266.html
• https://www.suse.com/security/cve/CVE-2021-35267.html
• https://www.suse.com/security/cve/CVE-2021-35268.html
• https://www.suse.com/security/cve/CVE-2021-35269.html
• https://www.suse.com/security/cve/CVE-2021-39251.html
• https://www.suse.com/security/cve/CVE-2021-39252.html
• https://www.suse.com/security/cve/CVE-2021-39253.html
• https://www.suse.com/security/cve/CVE-2021-39255.html
• https://www.suse.com/security/cve/CVE-2021-39256.html
• https://www.suse.com/security/cve/CVE-2021-39257.html
• https://www.suse.com/security/cve/CVE-2021-39258.html
• https://www.suse.com/security/cve/CVE-2021-39259.html
• https://www.suse.com/security/cve/CVE-2021-39260.html
• https://www.suse.com/security/cve/CVE-2021-39261.html
• https://www.suse.com/security/cve/CVE-2021-39262.html
• https://www.suse.com/security/cve/CVE-2021-39263.html
• https://bugzilla.suse.com/show_bug.cgi?id=1189720