From: Kei Kebreau
Subject: Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.
Date: Thu, 09 Feb 2017 22:28:56 -0500
Message-ID: <87k28ysozr.fsf@openmailbox.org>
References: <87bmuboxqf.fsf@openmailbox.org> <878tpft2dt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170209224346.GA20362@jasmine> <87o9ybrmiw.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <877f4yq3jv.fsf@openmailbox.org> <87a89usuh0.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <87a89usuh0.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (Marius Bakke's message of "Fri, 10 Feb 2017 02:30:35 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke
Cc: guix-devel@gnu.org

Marius Bakke writes:

> Kei Kebreau writes:
>
>> Marius Bakke writes:
>>
>>> Leo Famulari writes:
>>>
>>>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>>>> Kei Kebreau writes:
>>>>>
>>>>> > Reviewers, how does this patch look to you?
>>>>>
>>>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>>>> setuid root, which is not the case on guix.
>>>>>
>>>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>>>> the changelog. So I doubt this patch is necessary.
>>>>
>>>> There have been a couple security-related bugs publicized recently that
>>>> are only dangerous when the software is installed setuid root.
>>>>
>>>> Although we don't do that by default, system administrators can do it on
>>>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>>>> of free source code, and we should fix bugs for that use case.
>>>>
>>>> So, I was thinking that we should fix these bugs unless they require
>>>> grafting, and then we should fix them in core-updates.
>>>>
>>>> WDYT?
>>>
>>> That does make a lot of sense. Reading up on execl(3), it looks like
>>> this patch does the right thing and can't hurt even when not setuid.
>>>
>>> Mind=changed! :P
>>
>> Are we all agreed on pushing this change?
>
> I agree with Leo that we should try to cover for all use cases of
> software from Guix, so this change LGTM.

Great! Pushed as 1a82ba660e88e731841882523084e5d878267b53.