Version in base suite: 2017.3.23AR.3-4+deb11u1 Base version: ntfs-3g_2017.3.23AR.3-4+deb11u1 Target version: ntfs-3g_2017.3.23AR.3-4+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/ntfs-3g/ntfs-3g_2017.3.23AR.3-4+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/ntfs-3g/ntfs-3g_2017.3.23AR.3-4+deb11u2.dsc changelog | 23 +++ patches/0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch | 50 ++++++ patches/0007-Made-sure-there-is-no-null-character-in-an-attribute.patch | 37 +++++ patches/0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch | 72 ++++++++++ patches/0009-Made-sure-the-client-log-data-does-not-overflow-from.patch | 66 +++++++++ patches/0010-Made-sure-there-is-no-null-character-in-an-attribute.patch | 43 +++++ patches/0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch | 30 ++++ patches/0012-Fixed-operation-on-little-endian-data.patch | 29 ++++ patches/0013-Returned-an-error-code-when-the-help-or-version-opti.patch | 67 +++++++++ patches/0014-Hardened-the-checking-of-directory-offset-requested-.patch | 30 ++++ patches/series | 9 + 11 files changed, 456 insertions(+) diff -Nru ntfs-3g-2017.3.23AR.3/debian/changelog ntfs-3g-2017.3.23AR.3/debian/changelog --- ntfs-3g-2017.3.23AR.3/debian/changelog 2021-09-05 12:50:38.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/changelog 2022-06-08 20:42:53.000000000 +0000 
@@ -1,3 +1,26 @@ +ntfs-3g (1:2017.3.23AR.3-4+deb11u2) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix multiple issues (Closes: #1011770) + - Used a default usn when the former one cannot be retrieved + (CVE-2022-30788) + - Made sure there is no null character in an attribute name + (CVE-2022-30786) + - Avoided allocating and reading an attribute beyond its full size + (CVE-2022-30784) + - Made sure the client log data does not overflow from restart page + (CVE-2022-30789) + - Made sure there is no null character in an attribute name (bis) + (CVE-2022-30786) + - Fixed possible out-of-buffer condition in ntfsck (CVE-2021-46790) + - Fixed operation on little endian data (CVE-2022-30788) + - Returned an error code when the --help or --version options are + used (CVE-2022-30783) + - Hardened the checking of directory offset requested by a readdir + (CVE-2022-30785, CVE-2022-30787) + + -- Salvatore Bonaccorso Wed, 08 Jun 2022 22:42:53 +0200 + ntfs-3g (1:2017.3.23AR.3-4+deb11u1) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch ntfs-3g-2017.3.23AR.3/debian/patches/0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,50 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 21 Sep 2021 10:53:16 +0200 +Subject: Used a default usn when the former one cannot be retrieved +Origin: https://github.com/tuxera/ntfs-3g/commit/a8818cf779d3a32f2f52337c6f258c16719625a3 +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30788 + +When creating a new MFT record, the former seq_no and usn are retrieved +to avoid the new one to be mistaken for the former one. +This may not be possible when the record is used for the first time +or after some bad error. In such situation use default values. +--- + libntfs-3g/mft.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libntfs-3g/mft.c b/libntfs-3g/mft.c +index d0a601ffa17d..5052d1ec9766 100644 +--- a/libntfs-3g/mft.c ++++ b/libntfs-3g/mft.c +@@ -5,7 +5,7 @@ + * Copyright (c) 2004-2005 Richard Russon + * Copyright (c) 2004-2008 Szabolcs Szakacsits + * Copyright (c) 2005 Yura Pakhuchiy +- * Copyright (c) 2014-2018 Jean-Pierre Andre ++ * Copyright (c) 2014-2021 Jean-Pierre Andre + * + * This program/include file is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as published +@@ -1529,8 +1529,17 @@ found_free_rec: + goto undo_mftbmp_alloc; + } + ++ /* ++ * Retrieve the former seq_no and usn so that the new record ++ * cannot be mistaken for the former one. ++ * However the original record may just be garbage, so ++ * use some sensible value when they cannot be retrieved. 
++ */ + seq_no = m->sequence_number; +- usn = *(le16*)((u8*)m + le16_to_cpu(m->usa_ofs)); ++ if (le16_to_cpu(m->usa_ofs) <= (NTFS_BLOCK_SIZE - 2)) ++ usn = *(le16*)((u8*)m + le16_to_cpu(m->usa_ofs & -2)); ++ else ++ usn = const_cpu_to_le16(1); + if (ntfs_mft_record_layout(vol, bit, m)) { + ntfs_log_error("Failed to re-format mft record.\n"); + free(m); +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0007-Made-sure-there-is-no-null-character-in-an-attribute.patch ntfs-3g-2017.3.23AR.3/debian/patches/0007-Made-sure-there-is-no-null-character-in-an-attribute.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0007-Made-sure-there-is-no-null-character-in-an-attribute.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0007-Made-sure-there-is-no-null-character-in-an-attribute.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,37 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 21 Sep 2021 10:54:50 +0200 +Subject: Made sure there is no null character in an attribute name +Origin: https://github.com/tuxera/ntfs-3g/commit/838b6e35b43062353998853eab50cd0675201ed7 +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30786 + +When copying an attribute name which contains a null, it is truncated +and this may lead to accessing non-allocated bytes when relying on the +expected name length. Such names must therefore be rejected. +--- + libntfs-3g/attrib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c +index e8d6fafb8242..00bfca844445 100644 +--- a/libntfs-3g/attrib.c ++++ b/libntfs-3g/attrib.c +@@ -414,7 +414,15 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni, const ATTR_TYPES type, + na = ntfs_calloc(sizeof(ntfs_attr)); + if (!na) + goto out; ++ if (!name_len) ++ name = (ntfschar*)NULL; + if (name && name != AT_UNNAMED && name != NTFS_INDEX_I30) { ++ /* A null char leads to a short name and unallocated bytes */ ++ if (ntfs_ucsnlen(name, name_len) != name_len) { ++ ntfs_log_error("Null character in attribute name" ++ " of inode %lld\n",(long long)ni->mft_no); ++ goto err_out; ++ } + name = ntfs_ucsndup(name, name_len); + if (!name) + goto err_out; +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch ntfs-3g-2017.3.23AR.3/debian/patches/0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,72 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 21 Sep 2021 10:56:06 +0200 +Subject: Avoided allocating and reading an attribute beyond its full size +Origin: https://github.com/tuxera/ntfs-3g/commit/60717a846deaaea47e50ce58872869f7bd1103b5 +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30784 + +Before reading a full attribute value for internal use, its expected +length has been checked to be < 0x40000. However the allocated size +in the runlist may be much bigger as a consequence of a bug or malice. +To prevent malloc'ing excessive size, restrict the size of the last +run to read to the needed length. +--- + libntfs-3g/attrib.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c +index 00bfca844445..51c8536ff8c6 100644 +--- a/libntfs-3g/attrib.c ++++ b/libntfs-3g/attrib.c +@@ -216,6 +216,7 @@ s64 ntfs_get_attribute_value(const ntfs_volume *vol, + if (total + (rl[i].length << vol->cluster_size_bits) >= + sle64_to_cpu(a->data_size)) { + unsigned char *intbuf = NULL; ++ s64 intlth; + /* + * We have reached the last run so we were going to + * overflow when executing the ntfs_pread() which is +@@ -229,8 +230,18 @@ s64 ntfs_get_attribute_value(const ntfs_volume *vol, + * We have reached the end of data size so we were + * going to overflow in the same fashion. + * Temporary fix: same as above. ++ * ++ * For safety, limit the amount to read to the ++ * needed size, knowing that the whole attribute ++ * size has been checked to be <= 0x40000. 
+ */ +- intbuf = ntfs_malloc(rl[i].length << vol->cluster_size_bits); ++ intlth = (sle64_to_cpu(a->data_size) - total ++ + vol->cluster_size - 1) ++ >> vol->cluster_size_bits; ++ if (rl[i].length < intlth) ++ intlth = rl[i].length; ++ intbuf = (u8*)ntfs_malloc(intlth ++ << vol->cluster_size_bits); + if (!intbuf) { + free(rl); + return 0; +@@ -246,14 +257,15 @@ s64 ntfs_get_attribute_value(const ntfs_volume *vol, + * - Yes we can, in sparse files! But not necessarily + * size of 16, just run length. + */ +- r = ntfs_pread(vol->dev, rl[i].lcn << +- vol->cluster_size_bits, rl[i].length << +- vol->cluster_size_bits, intbuf); +- if (r != rl[i].length << vol->cluster_size_bits) { ++ r = ntfs_pread(vol->dev, ++ rl[i].lcn << vol->cluster_size_bits, ++ intlth << vol->cluster_size_bits, ++ intbuf); ++ if (r != intlth << vol->cluster_size_bits) { + #define ESTR "Error reading attribute value" + if (r == -1) + ntfs_log_perror(ESTR); +- else if (r < rl[i].length << ++ else if (r < intlth << + vol->cluster_size_bits) { + ntfs_log_debug(ESTR ": Ran out of input data.\n"); + errno = EIO; +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0009-Made-sure-the-client-log-data-does-not-overflow-from.patch ntfs-3g-2017.3.23AR.3/debian/patches/0009-Made-sure-the-client-log-data-does-not-overflow-from.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0009-Made-sure-the-client-log-data-does-not-overflow-from.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0009-Made-sure-the-client-log-data-does-not-overflow-from.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,66 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Wed, 20 Oct 2021 09:53:28 +0200 +Subject: Made sure the client log data does not overflow from restart page +Origin: https://github.com/tuxera/ntfs-3g/commit/6efc1305c1951c1d72181f449f2fab68fa25fae8 +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30789 + +Strengthen the consistency check of the length of restart pages, and +check that log client records are within such a restart page. +--- + libntfs-3g/logfile.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/libntfs-3g/logfile.c b/libntfs-3g/logfile.c +index adc0557f580b..9c3155e78759 100644 +--- a/libntfs-3g/logfile.c ++++ b/libntfs-3g/logfile.c +@@ -287,9 +287,19 @@ static BOOL ntfs_check_log_client_array(RESTART_PAGE_HEADER *rp) + LOG_CLIENT_RECORD *ca, *cr; + u16 nr_clients, idx; + BOOL in_free_list, idx_is_first; ++ u32 offset_clients; + + ntfs_log_trace("Entering.\n"); ++ /* The restart area must be fully within page */ ++ if ((le16_to_cpu(rp->restart_area_offset) + sizeof(RESTART_AREA)) ++ > le32_to_cpu(rp->system_page_size)) ++ goto err_out; + ra = (RESTART_AREA*)((u8*)rp + le16_to_cpu(rp->restart_area_offset)); ++ offset_clients = le16_to_cpu(rp->restart_area_offset) ++ + le16_to_cpu(ra->client_array_offset); ++ /* The clients' records must begin within page */ ++ if (offset_clients >= le32_to_cpu(rp->system_page_size)) ++ goto err_out; + ca = (LOG_CLIENT_RECORD*)((u8*)ra + + le16_to_cpu(ra->client_array_offset)); + /* +@@ -308,6 +318,10 @@ check_list: + idx = le16_to_cpu(cr->next_client)) { + if (!nr_clients || idx >= le16_to_cpu(ra->log_clients)) + goto err_out; ++ /* The client record must be fully within page */ ++ if ((offset_clients + (idx + 1)*sizeof(LOG_CLIENT_RECORD)) ++ > le32_to_cpu(rp->system_page_size)) ++ goto err_out; + /* Set @cr to the current log client record. 
*/ + cr = ca + idx; + /* The first log client record must not have a prev_client. */ +@@ -380,7 +394,14 @@ static int ntfs_check_and_load_restart_page(ntfs_attr *log_na, + /* + * Allocate a buffer to store the whole restart page so we can multi + * sector transfer deprotect it. ++ * For safety, make sure this is consistent with the usa_count ++ * and shorter than the full log size + */ ++ if ((le32_to_cpu(rp->system_page_size) ++ > (u32)(le16_to_cpu(rp->usa_count) - 1)*NTFS_BLOCK_SIZE) ++ || (le32_to_cpu(rp->system_page_size) ++ > le64_to_cpu(log_na->data_size))) ++ return (EINVAL); + trp = ntfs_malloc(le32_to_cpu(rp->system_page_size)); + if (!trp) + return errno; +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0010-Made-sure-there-is-no-null-character-in-an-attribute.patch ntfs-3g-2017.3.23AR.3/debian/patches/0010-Made-sure-there-is-no-null-character-in-an-attribute.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0010-Made-sure-there-is-no-null-character-in-an-attribute.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0010-Made-sure-there-is-no-null-character-in-an-attribute.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,43 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Fri, 5 Nov 2021 08:41:20 +0100 +Subject: Made sure there is no null character in an attribute name (bis) +Origin: https://github.com/tuxera/ntfs-3g/commit/5ce8941bf47291cd6ffe7cdb1797253f1cc3a86f +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30786 + +When copying an attribute name which contains a null, it is truncated +and this may lead to accessing non-allocated bytes when relying on the +expected name length. Such (illegal) names must therefore be rejected. +--- + libntfs-3g/attrib.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c +index 51c8536ff8c6..efb91943810a 100644 +--- a/libntfs-3g/attrib.c ++++ b/libntfs-3g/attrib.c +@@ -452,8 +452,19 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni, const ATTR_TYPES type, + + if (!name) { + if (a->name_length) { +- name = ntfs_ucsndup((ntfschar*)((u8*)a + le16_to_cpu( +- a->name_offset)), a->name_length); ++ ntfschar *attr_name; ++ ++ attr_name = (ntfschar*)((u8*)a ++ + le16_to_cpu(a->name_offset)); ++ /* A null character leads to illegal memory access */ ++ if (ntfs_ucsnlen(attr_name, a->name_length) ++ != a->name_length) { ++ ntfs_log_error("Null character in attribute" ++ " name in inode %lld\n", ++ (long long)ni->mft_no); ++ goto put_err_out; ++ } ++ name = ntfs_ucsndup(attr_name, a->name_length); + if (!name) + goto put_err_out; + newname = name; +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch ntfs-3g-2017.3.23AR.3/debian/patches/0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch 
2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,30 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 10 May 2022 10:30:24 +0200 +Subject: Fixed possible out-of-buffer condition in ntfsck +Origin: https://github.com/tuxera/ntfs-3g/commit/96412e28e5c7ac2d15f1cff8c825330bbb60976e +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-46790 + +A bad usa_count could lead to an out-of-buffer condition. Just avoid +the issue and report the error, still not fix it. +--- + ntfsprogs/ntfsck.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ntfsprogs/ntfsck.c b/ntfsprogs/ntfsck.c +index d49f3f96c499..8c1264112e6b 100644 +--- a/ntfsprogs/ntfsck.c ++++ b/ntfsprogs/ntfsck.c +@@ -616,7 +616,8 @@ static BOOL check_file_record(u8 *buffer, u16 buflen) + + // Remove update seq & check it. + usa = *(u16*)(buffer+usa_ofs); // The value that should be at the end of every sector. +- assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length"); ++ if (assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length")) ++ return (1); + for (i=1;i +Date: Tue, 10 May 2022 10:40:17 +0200 +Subject: Fixed operation on little endian data +Origin: https://github.com/tuxera/ntfs-3g/commit/bce5734a757fd59d70a52f4d4fe9abe260629b3a +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30788 + +Forcing an even usa_of, in a recent security patch, must be made on cpu +endian data. 
+--- + libntfs-3g/mft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libntfs-3g/mft.c b/libntfs-3g/mft.c +index 5052d1ec9766..aefbb5f13c12 100644 +--- a/libntfs-3g/mft.c ++++ b/libntfs-3g/mft.c +@@ -1537,7 +1537,7 @@ found_free_rec: + */ + seq_no = m->sequence_number; + if (le16_to_cpu(m->usa_ofs) <= (NTFS_BLOCK_SIZE - 2)) +- usn = *(le16*)((u8*)m + le16_to_cpu(m->usa_ofs & -2)); ++ usn = *(le16*)((u8*)m + (le16_to_cpu(m->usa_ofs) & -2)); + else + usn = const_cpu_to_le16(1); + if (ntfs_mft_record_layout(vol, bit, m)) { +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0013-Returned-an-error-code-when-the-help-or-version-opti.patch ntfs-3g-2017.3.23AR.3/debian/patches/0013-Returned-an-error-code-when-the-help-or-version-opti.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0013-Returned-an-error-code-when-the-help-or-version-opti.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0013-Returned-an-error-code-when-the-help-or-version-opti.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,67 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 10 May 2022 10:44:34 +0200 +Subject: Returned an error code when the --help or --version options are used +Origin: https://github.com/tuxera/ntfs-3g/commit/7f81935f32e58e8fec22bc46683b1b067469405f +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30783 + +Accepting --help or --version options may leave the ntfs-3g process in an +unclean state, so reject them while processing options. Also reject +them in libfuse-lite. + +[Salvatore Bonaccorso: Backport to 2017.3.23AR.3 for context changes in +src/ntfs-3g_common.c and src/ntfs-3g_common.h] +--- + libfuse-lite/mount.c | 3 +-- + src/ntfs-3g_common.c | 6 ++++++ + src/ntfs-3g_common.h | 2 ++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +--- a/libfuse-lite/mount.c ++++ b/libfuse-lite/mount.c +@@ -670,11 +670,10 @@ int fuse_kern_mount(const char *mountpoi + fprintf(stderr, "fuse: 'allow_other' and 'allow_root' options are mutually exclusive\n"); + goto out; + } +- res = 0; ++ res = -1; + if (mo.ishelp) + goto out; + +- res = -1; + if (get_mnt_flag_opts(&mnt_opts, mo.flags) == -1) + goto out; + #ifndef __SOLARIS__ +--- a/src/ntfs-3g_common.c ++++ b/src/ntfs-3g_common.c +@@ -130,6 +130,10 @@ const struct DEFOPTION optionlist[] = { + { "usermapping", OPT_USERMAPPING, FLGOPT_STRING }, + { "xattrmapping", OPT_XATTRMAPPING, FLGOPT_STRING }, + { "efs_raw", OPT_EFS_RAW, FLGOPT_BOGUS }, ++ { "--help", OPT_HELP, FLGOPT_BOGUS }, ++ { "-h", OPT_HELP, FLGOPT_BOGUS }, ++ { "--version", OPT_VERSION, FLGOPT_BOGUS }, ++ { "-V", OPT_VERSION, FLGOPT_BOGUS }, + { (const char*)NULL, 0, 0 } /* end marker */ + } ; + +@@ -502,6 +506,8 @@ char *parse_mount_options(ntfs_fuse_cont + * mounted or not. 
+ * (falling through to default) + */ ++ case OPT_HELP : /* Could lead to unclean condition */ ++ case OPT_VERSION : /* Could lead to unclean condition */ + default : + ntfs_log_error("'%s' is an unsupported option.\n", + poptl->name); +--- a/src/ntfs-3g_common.h ++++ b/src/ntfs-3g_common.h +@@ -92,6 +92,8 @@ enum { + OPT_USERMAPPING, + OPT_XATTRMAPPING, + OPT_EFS_RAW, ++ OPT_HELP, ++ OPT_VERSION, + } ; + + /* Option flags */ diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0014-Hardened-the-checking-of-directory-offset-requested-.patch ntfs-3g-2017.3.23AR.3/debian/patches/0014-Hardened-the-checking-of-directory-offset-requested-.patch --- ntfs-3g-2017.3.23AR.3/debian/patches/0014-Hardened-the-checking-of-directory-offset-requested-.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/0014-Hardened-the-checking-of-directory-offset-requested-.patch 2022-06-08 20:42:53.000000000 +0000 
@@ -0,0 +1,30 @@ +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Tue, 10 May 2022 10:48:18 +0200 +Subject: Hardened the checking of directory offset requested by a readdir +Origin: https://github.com/tuxera/ntfs-3g/commit/fb28eef6f1c26170566187c1ab7dc913a13ea43c +Bug-Debian: https://bugs.debian.org/1011770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30787 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30785 + +When asked for the next directory entries, make sure the chunk offset +is within valid values, otherwise return no more entries in chunk. +--- + libfuse-lite/fuse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libfuse-lite/fuse.c b/libfuse-lite/fuse.c +index 6f9242b776b6..3d653e634b93 100644 +--- a/libfuse-lite/fuse.c ++++ b/libfuse-lite/fuse.c +@@ -2223,7 +2223,7 @@ static void fuse_lib_readdir(fuse_req_t req, fuse_ino_t ino, size_t size, + } + } + if (dh->filled) { +- if (off < dh->len) { ++ if ((off >= 0) && (off < dh->len)) { + if (off + size > dh->len) + size = dh->len - off; + } else +-- +2.36.1 + diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/series ntfs-3g-2017.3.23AR.3/debian/patches/series --- ntfs-3g-2017.3.23AR.3/debian/patches/series 2021-09-05 12:50:38.000000000 +0000 +++ ntfs-3g-2017.3.23AR.3/debian/patches/series 2022-06-08 20:42:53.000000000 +0000 
@@ -3,3 +3,12 @@ 0003-Fixed-an-endianness-error-in-ntfscp.patch 0004-Checked-the-locations-of-MFT-and-MFTMirr-at-startup.patch 0005-Fix-multiple-buffer-overflows.patch +0006-Used-a-default-usn-when-the-former-one-cannot-be-ret.patch +0007-Made-sure-there-is-no-null-character-in-an-attribute.patch +0008-Avoided-allocating-and-reading-an-attribute-beyond-i.patch +0009-Made-sure-the-client-log-data-does-not-overflow-from.patch +0010-Made-sure-there-is-no-null-character-in-an-attribute.patch +0011-Fixed-possible-out-of-buffer-condition-in-ntfsck.patch +0012-Fixed-operation-on-little-endian-data.patch +0013-Returned-an-error-code-when-the-help-or-version-opti.patch +0014-Hardened-the-checking-of-directory-offset-requested-.patch
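Review bot: In patch 0006 (libntfs-3g/mft.c, hunk at found_free_rec), `le16_to_cpu(m->usa_ofs & -2)` applies the mask to the on-disk little-endian value before the byte swap. On a big-endian host this clears bit 8 of the offset instead of bit 0, so an odd usa_ofs still produces a misaligned le16 read. The mask belongs outside the conversion, `(le16_to_cpu(m->usa_ofs) & -2)`, which is what patch 0012 later in this series does. The two patches should be applied together or squashed so that no intermediate build carries the wrong form.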
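Review bot: In patch 0007 (ntfs_attr_open in libntfs-3g/attrib.c), the added `if (!name_len) name = (ntfschar*)NULL;` is not explained by the commit message or by a comment. It changes behaviour for a caller that passes a non-NULL name with a zero length: the `if (name && name != AT_UNNAMED && name != NTFS_INDEX_I30)` block is now skipped for that caller. Add a comment stating the intent, and confirm that treating such callers as if they had passed NULL is what is wanted.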
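Review bot: In patch 0008 (ntfs_get_attribute_value in libntfs-3g/attrib.c), the clamp on intlth depends on a bound on a->data_size that is enforced somewhere outside this hunk, and the two descriptions of it disagree: the new comment says "<= 0x40000", the commit message says "< 0x40000". Name the function that performs that check in the comment. intlth is a signed s64 derived from `sle64_to_cpu(a->data_size) - total`, and nothing visible here rejects a zero or negative result before it is shifted and handed to ntfs_malloc and ntfs_pread. Either guard `intlth <= 0` explicitly or state in the comment why it cannot occur.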
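Review bot: In patch 0009 (ntfs_check_and_load_restart_page hunk in libntfs-3g/logfile.c), `(u32)(le16_to_cpu(rp->usa_count) - 1)*NTFS_BLOCK_SIZE` wraps when usa_count is 0. The subtraction yields -1, the cast turns it into 0xFFFFFFFF, and the product becomes a very large bound that almost any system_page_size passes. That leaves only the comparison against log_na->data_size to limit the size given to ntfs_malloc. Reject usa_count == 0 explicitly before the multiplication.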
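Review bot: In patch 0010 (second ntfs_attr_open hunk in libntfs-3g/attrib.c), the new test `ntfs_ucsnlen(attr_name, a->name_length)` itself reads up to name_length characters starting at `(u8*)a + le16_to_cpu(a->name_offset)`. Nothing in the hunk shows name_offset and name_length checked against the length of the attribute record, so the scan may read outside the record before it can reject the name. Confirm that this bound is enforced before this point and say so in the comment, or add the check here. Minor: the log message says "in inode" here and "of inode" in patch 0007; a single wording makes log searches simpler.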
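Review bot: In patch 0011 (check_file_record in ntfsprogs/ntfsck.c), the new early return protects the loop that depends on usa_count, but the line just before it, `usa = *(u16*)(buffer+usa_ofs);`, still reads at an offset taken from the record, and nothing in the hunk shows usa_ofs bounded against buflen. Validate usa_ofs (at least `usa_ofs + 2 <= buflen`) before that read. The function is also declared BOOL yet returns `(1)`; use the project's TRUE/FALSE and document which value means the record failed the check.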
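Review bot: In patch 0013 (fuse_kern_mount hunk in libfuse-lite/mount.c), the mo.ishelp path now exits with res = -1 but prints nothing, unlike the allow_other/allow_root branch directly above it, which writes its reason to stderr. Add a short message before the `goto out` so that a mount rejected because of a help option can be told apart from other failures.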
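Review bot: In patch 0014 (fuse_lib_readdir in libfuse-lite/fuse.c), the line after the new test, `if (off + size > dh->len)`, still adds the requested size to off, so the clamp relies on that sum not wrapping. With off now known to satisfy `0 <= off < dh->len`, writing the test as `if (size > dh->len - off)` gives the same clamp without the addition. A short comment on why a negative off must be rejected would also help, since the reason is given only in the commit message.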