CVE-2021-33289 – ntfs-3g: Heap buffer overflow triggered by a specially crafted MFT section
https://notcve.org/view.php?id=CVE-2021-33289
In NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution. En NTFS-3G versiones anteriores a 2021.8.22, cuando se suministra una sección MFT especialmente manipulada en una imagen NTFS, puede producirse un desbordamiento del búfer de la pila y permitir la ejecución de código The ntfs3g package is susceptible to a heap overflow on crafted input. When processing the MFT, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. • http://ntfs-3g.com http://www.openwall.com/lists/oss-security/2021/08/30/1 https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI https://security.gentoo.org/glsa/202301-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-33285 – ntfs-3g: Out-of-bounds heap buffer access in ntfs_get_attribute_value() due to incorrect check of bytes_in_use value in MFT records
https://notcve.org/view.php?id=CVE-2021-33285
In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute is supplied to the function ntfs_get_attribute_value, a heap buffer overflow can occur allowing for memory disclosure or denial of service. The vulnerability is caused by an out-of-bound buffer access which can be triggered by mounting a crafted ntfs partition. The root cause is a missing consistency check after reading an MFT record : the "bytes_in_use" field should be less than the "bytes_allocated" field. When it is not, the parsing of the records proceeds into the wild. En NTFS-3G versiones anteriores a 2021.8.22, cuando es suministrado un atributo NTFS especialmente diseñado a la función ntfs_get_attribute_value, puede ocurrir un desbordamiento del búfer de la pila, permitiendo una divulgación de memoria o una denegación de servicio. • http://www.openwall.com/lists/oss-security/2021/08/30/1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988386 https://bugzilla.redhat.com/show_bug.cgi?id=2001608 https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3 https://lists.fedoraproject.org/archives/list/package-announce%40lists • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-39260 – ntfs-3g: Out-of-bounds access in ntfs_inode_sync_standard_information()
https://notcve.org/view.php?id=CVE-2021-39260
A crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G < 2021.8.22. Una imagen NTFS diseñada puede causar un acceso fuera de límites en la función ntfs_inode_sync_standard_information en NTFS-3G versiones anteriores a 2021.8.22 The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability • https://github.com/tuxera/ntfs-3g/releases https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html https://security.gentoo.org/glsa/202301-01 https://www.debian.org/security/2021/dsa-4971 https://access.redhat.com/security/cve/CVE-2021-39260 https://bugzilla.redhat.com/show_bug.cgi?id=2001661 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-39261 – ntfs-3g: Heap buffer overflow in ntfs_compressed_pwrite()
https://notcve.org/view.php?id=CVE-2021-39261
A crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < 2021.8.22. Una imagen NTFS diseñada puede causar un desbordamiento del búfer en la región heap de la memoria en la función ntfs_compressed_pwrite en NTFS-3G versiones anteriores a 2021.8.22 The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. • https://github.com/tuxera/ntfs-3g/releases https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html https://security.gentoo.org/glsa/202301-01 https://www.debian.org/security/2021/dsa-4971 https://access.redhat.com/security/cve/CVE-2021-39261 https://bugzilla.redhat.com/show_bug.cgi?id=2001662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-35266 – ntfs-3g: Heap buffer overflow triggered by a specially crafted NTFS inode pathname
https://notcve.org/view.php?id=CVE-2021-35266
In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code execution. En NTFS-3G versiones anteriores a 2021.8.22, cuando se suministra un nombre de ruta de inodo NTFS especialmente diseñado en una imagen NTFS, puede ocurrir un desbordamiento del búfer de la pila, resultando en una divulgación de memoria, una denegación de servicio e incluso una ejecución de código The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS inode pathname, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. • http://ntfs-3g.com http://www.openwall.com/lists/oss-security/2021/08/30/1 https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI https://security.gentoo.org/glsa/202301-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •