[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.

From: Marius Bakke
Subject: Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.
Date: Fri, 10 Feb 2017 02:30:35 +0100
User-agent: Notmuch/0.23.5 ( Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Kei Kebreau <address@hidden> writes:

> Marius Bakke <address@hidden> writes:
>> Leo Famulari <address@hidden> writes:
>>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>>> Kei Kebreau <address@hidden> writes:
>>>> > Reviewers, how does this patch look to you?
>>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>>> setuid root, which is not the case on guix.
>>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>>> the changelog. So I doubt this patch is necessary.
>>> There have been a couple security-related bugs publicized recently that
>>> are only dangerous when the software is installed setuid root.
>>> Although we don't do that by default, system administrators can do it on
>>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>>> of free source code, and we should fix bugs for that use case.
>>> So, I was thinking that we should fix these bugs unless they require
>>> grafting, and then we should fix them in core-updates.
>>> WDYT?
>> That does make a lot of sense. Reading up on execl(3), it looks like
>> this patch does the right thing and can't hurt even when not setuid.
>> Mind=changed! :P 
> Are we all agreed on pushing this change?

I agree with Leo that we should try to cover for all use cases of
software from Guix, so this change LGTM.

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]