Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ntfs-3g_ntfsprogs for openSUSE:Factory checked in at 2026-04-25 21:35:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntfs-3g_ntfsprogs (Old)
 and      /work/SRC/openSUSE:Factory/.ntfs-3g_ntfsprogs.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntfs-3g_ntfsprogs" Sat Apr 25 21:35:09 2026 rev:34 rq:1348793 version:2022.10.3 Changes: -------- --- /work/SRC/openSUSE:Factory/ntfs-3g_ntfsprogs/ntfs-3g_ntfsprogs.changes 2025-06-04 20:26:46.160548106 +0200 +++ /work/SRC/openSUSE:Factory/.ntfs-3g_ntfsprogs.new.11940/ntfs-3g_ntfsprogs.changes 2026-04-25 21:35:12.032473591 +0200 @@ -1,0 +2,5 @@ +Fri Apr 17 22:20:45 UTC 2026 - Scott Reeves <[email protected]> + +- Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706. + +------------------------------------------------------------------- New: ---- ntfs3g-heap-overflow.patch ----------(New B)---------- New: - Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntfs-3g_ntfsprogs.spec ++++++ --- /var/tmp/diff_new_pack.vlJWVN/_old 2026-04-25 21:35:12.576495762 +0200 +++ /var/tmp/diff_new_pack.vlJWVN/_new 2026-04-25 21:35:12.576495762 +0200 @@ -1,7 +1,7 @@ # # spec file for package ntfs-3g_ntfsprogs # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,8 @@ Source: https://tuxera.com/opensource/%{name}-%{version}.tgz # PATCH-FIX-UPSTREAM ntfs3g-unistr-use-after-free.patch boo#1226007 [email protected] -- fix use after free in ntfs_uppercase_mbs. Patch0: ntfs3g-unistr-use-after-free.patch +# PATCH-FIX-UPSTREAM ntfs3g-heap-overflow.patch bsc#1262216 [email protected] -- fix heap overflow +Patch1: ntfs3g-heap-overflow.patch BuildRequires: gnutls-devel BuildRequires: hwinfo-devel BuildRequires: libgcrypt-devel ++++++ ntfs3g-heap-overflow.patch ++++++ >From 082a52e3c7100d452485b6c5ef648cd99fc3395c Mon Sep 17 00:00:00 2001 
From: Erik Larsson <[email protected]> Date: Tue, 24 Feb 2026 10:04:31 +0200 Subject: [PATCH] acls.c: Fix heap buffer overflow in 'ntfs_build_permissions_posix'. The root cause was that the memory allocated for the ACE entries was insufficient for the worst case scenario when group entries were added for mask entries that didn't have a corresponding group entry already. Fixed by allocating space for the worst case number of ACE entries. This was reported by Andrea Bocchetti with a thorough report which made it very easy to fix. This is a backport of the original patch to version 2022.10.3. --- libntfs-3g/acls.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c index 9f16fecd..4cf534bf 100644 --- a/libntfs-3g/acls.c +++ b/libntfs-3g/acls.c 
@@ -3716,12 +3716,27 @@ struct POSIX_SECURITY *ntfs_build_permissions_posix( /* * Build a raw posix security descriptor * by just translating permissions and ids - * Add 2 to the count of ACE to be able to insert - * a group ACE later in access and default ACLs - * and add 2 more to be able to insert ACEs for owner - * and 2 more for other + * + * The worst case number of ACE entries consists of: + * - 'acecount' ACE entries from the main loop (see below) + * iterating over the 'securattr' array. + * - 1 ACE entry which may be added when creating world + * permissions if none exist. + * - 1 ACE entry which may be added when setting basic owner + * permissions if none exist (both lists). + * - 1 ACE entry which may be added when duplicating world + * permissions as group_obj permissions if none exist. + * - 'acecount + 2' ACE entries which may be added when + * duplicating world permissions as group permissions if they + * were converted to masks and the masks are not followed by a + * group entry. + * - 1 ACE entry which may be added when inserting a default + * mask if none is present and there are designated users or + * groups. + * + * This amounts to 2*acecnt + 6 ACE entries in the worst case. */ - alloccnt = acecnt + 6; + alloccnt = 2*acecnt + 6; pxdesc = (struct POSIX_SECURITY*)malloc( sizeof(struct POSIX_SECURITY) + alloccnt*sizeof(struct POSIX_ACE)); -- 2.51.0
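Review bot: In the ntfs-3g_ntfsprogs.spec hunk at @@ -32,6 +32,8 @@, Patch1 is declared but the diff shows no change to %prep, so please confirm the spec applies patches through %autosetup or %autopatch; if it applies Patch0 with an explicit %patch line, Patch1 needs a matching line or the fix is never built in. The PATCH-FIX-UPSTREAM comment also says only "fix heap overflow", while the .changes entry carries CVE-2026-40706; adding the CVE id and the affected function (ntfs_build_permissions_posix) to the comment would make the spec searchable by CVE without opening the patch.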
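Review bot: In the libntfs-3g/acls.c hunk at @@ -3716,12 +3716,27 @@, the buffer is still sized from a hand-counted worst case at "alloccnt = 2*acecnt + 6", and nothing visible here makes the later insertion paths check their index against alloccnt, so a future miscount would again write past the allocation instead of failing. I would suggest a bound check (return an error when the next ACE index reaches alloccnt) at each point the comment lists as "may be added". Two items in the comment need tightening for that count to be auditable: the owner item says "(both lists)" but is counted as a single entry, where the removed comment reserved 2 for owner, so please state whether that is one entry in total or one per list; and the list uses 'acecount' while the variable and the final sum use acecnt. Finally, the type and upper bound of acecnt are not visible in this hunk; if it derives from on-disk data, "2*acecnt + 6" and the following "alloccnt*sizeof(struct POSIX_ACE)" should be checked for overflow before the malloc.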
