Version in base suite: 2022.10.3-1+deb12u2 Base version: ntfs-3g_2022.10.3-1+deb12u2 Target version: ntfs-3g_2022.10.3-1+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/ntfs-3g/ntfs-3g_2022.10.3-1+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/ntfs-3g/ntfs-3g_2022.10.3-1+deb12u3.dsc changelog | 8 +++ patches/ntfs-3g_2022.10.3-cve_2026-02.patch | 59 ++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 68 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnoqesklp/ntfs-3g_2022.10.3-1+deb12u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnoqesklp/ntfs-3g_2022.10.3-1+deb12u3.dsc: no acceptable signature found diff -Nru ntfs-3g-2022.10.3/debian/changelog ntfs-3g-2022.10.3/debian/changelog --- ntfs-3g-2022.10.3/debian/changelog 2024-10-27 14:16:10.000000000 +0000 +++ ntfs-3g-2022.10.3/debian/changelog 2026-04-16 21:28:39.000000000 +0000 @@ -1,3 +1,11 @@ +ntfs-3g (1:2022.10.3-1+deb12u3) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * acls.c: Fix heap buffer overflow in 'ntfs_build_permissions_posix' + (CVE-2026-40706) + + -- Salvatore Bonaccorso Thu, 16 Apr 2026 23:28:39 +0200 + ntfs-3g (1:2022.10.3-1+deb12u2) bookworm; urgency=medium * Move fuse to simple dependency (closes: #983359). diff -Nru ntfs-3g-2022.10.3/debian/patches/ntfs-3g_2022.10.3-cve_2026-02.patch ntfs-3g-2022.10.3/debian/patches/ntfs-3g_2022.10.3-cve_2026-02.patch --- ntfs-3g-2022.10.3/debian/patches/ntfs-3g_2022.10.3-cve_2026-02.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2022.10.3/debian/patches/ntfs-3g_2022.10.3-cve_2026-02.patch 2026-04-16 21:26:18.000000000 +0000 
@@ -0,0 +1,59 @@ +From 082a52e3c7100d452485b6c5ef648cd99fc3395c Mon Sep 17 00:00:00 2001 +From: Erik Larsson +Date: Tue, 24 Feb 2026 10:04:31 +0200 +Subject: [PATCH] acls.c: Fix heap buffer overflow in + 'ntfs_build_permissions_posix'. + +The root cause was that the memory allocated for the ACE entries was +insufficient for the worst case scenario when group entries were added +for mask entries that didn't have a corresponding group entry already. +Fixed by allocating space for the worst case number of ACE entries. + +This was reported by Andrea Bocchetti with a thorough report which made +it very easy to fix. + +This is a backport of the original patch to version 2022.10.3. +--- + libntfs-3g/acls.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c +index 9f16fecd..4cf534bf 100644 +--- a/libntfs-3g/acls.c ++++ b/libntfs-3g/acls.c +@@ -3716,12 +3716,27 @@ struct POSIX_SECURITY *ntfs_build_permissions_posix( + /* + * Build a raw posix security descriptor + * by just translating permissions and ids +- * Add 2 to the count of ACE to be able to insert +- * a group ACE later in access and default ACLs +- * and add 2 more to be able to insert ACEs for owner +- * and 2 more for other ++ * ++ * The worst case number of ACE entries consists of: ++ * - 'acecount' ACE entries from the main loop (see below) ++ * iterating over the 'securattr' array. ++ * - 1 ACE entry which may be added when creating world ++ * permissions if none exist. ++ * - 1 ACE entry which may be added when setting basic owner ++ * permissions if none exist (both lists). ++ * - 1 ACE entry which may be added when duplicating world ++ * permissions as group_obj permissions if none exist. ++ * - 'acecount + 2' ACE entries which may be added when ++ * duplicating world permissions as group permissions if they ++ * were converted to masks and the masks are not followed by a ++ * group entry. 
++ * - 1 ACE entry which may be added when inserting a default ++ * mask if none is present and there are designated users or ++ * groups. ++ * ++ * This amounts to 2*acecnt + 6 ACE entries in the worst case. + */ +- alloccnt = acecnt + 6; ++ alloccnt = 2*acecnt + 6; + pxdesc = (struct POSIX_SECURITY*)malloc( + sizeof(struct POSIX_SECURITY) + + alloccnt*sizeof(struct POSIX_ACE)); +-- +2.51.0 + diff -Nru ntfs-3g-2022.10.3/debian/patches/series ntfs-3g-2022.10.3/debian/patches/series --- ntfs-3g-2022.10.3/debian/patches/series 2024-06-23 12:11:42.000000000 +0000 +++ ntfs-3g-2022.10.3/debian/patches/series 2026-04-16 21:26:49.000000000 +0000 @@ -1 +1,2 @@ 0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch +ntfs-3g_2022.10.3-cve_2026-02.patch
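Review bot: In the debian/changelog hunk, the new entry cites CVE-2026-40706 but does not name the patch that carries the fix, and the file added under debian/patches is called ntfs-3g_2022.10.3-cve_2026-02.patch, which does not contain that CVE id. Name the patch file in the changelog item, or rename the patch after the CVE, so the changelog entry, the patch file and the new line in debian/patches/series can be matched without opening the patch.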
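Review bot: In the libntfs-3g/acls.c hunk, the new comment itemises the worst case in terms of 'acecount', while its closing line and the code use acecnt (`alloccnt = 2*acecnt + 6;`). Use one name throughout so the sum can be checked against the code. As written the items do add up to 2*acecnt + 6, that is acecnt + 1 + 1 + 1 + (acecnt + 2) + 1. However, the owner item is counted as a single entry while annotated "(both lists)". If an owner ACE can be added to each of the two lists, the total would be one higher, so the comment should say which reading is intended. The visible lines also show no bound on acecnt before `2*acecnt + 6` and `alloccnt*sizeof(struct POSIX_ACE)` are evaluated; a short remark in the comment on where acecnt is bounded would make the allocation size easier to review.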