[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package ntfs-3g - 1:2017.3.23-2ubuntu0.18.10.2

---
ntfs-3g (1:2017.3.23-2ubuntu0.18.10.2) cosmic-security; urgency=medium

  * Fix LP: #1821250 - Don't install /bin/ntfs-3g as setuid root. If
    administrators want to allow unprivileged users to be able to mount NTFS
    images, they can restore this functionality by changing the permissions of
    /bin/ntfs-3g with dpkg-statoverride
    - update debian/ntfs-3g.postinst

 -- Chris Coulson   Thu, 21 Mar 2019 21:23:27 +

** Changed in: ntfs-3g (Ubuntu Cosmic)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1821250

Title:
  Drop setuid bit from /bin/ntfs-3g

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntfs-3g/+bug/1821250/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
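
The changelog above leaves the setuid decision to the administrator via dpkg-statoverride. The following is an added example, not part of the original thread or the ntfs-3g package: a small audit that reports whether the binary is setuid and whether that state is backed by a registered override. The function names are illustrative, and the mode 4755 in the comment is an assumed value.

```shell
#!/bin/sh
# Added example: audit whether ntfs-3g is setuid and whether that is deliberate.
# Helper names are illustrative; only dpkg-statoverride and /bin/ntfs-3g
# come from the thread.

# Print "missing", "setuid" or "not-setuid" for the file at $1.
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# Print the dpkg-statoverride entry for $1 ("owner group mode path"), if any.
# Returns non-zero when there is no entry or dpkg-statoverride is unavailable.
override_for() {
    command -v dpkg-statoverride >/dev/null 2>&1 || return 1
    dpkg-statoverride --list "$1" 2>/dev/null
}

# Print a one-word verdict for $1:
#   ok                  not setuid (the packaged default after the fix)
#   setuid-by-override  setuid, and an administrator registered an override
#   setuid-unexplained  setuid with no override (old package or manual chmod)
#   missing             file not present
audit_verdict() {
    case "$(setuid_state "$1")" in
        missing)    echo missing ;;
        not-setuid) echo ok ;;
        setuid)
            if override_for "$1" >/dev/null; then
                echo setuid-by-override
            else
                echo setuid-unexplained
            fi ;;
    esac
}

# To opt back in, an administrator registers the mode with dpkg so that it
# survives upgrades (mode 4755 is an assumed value, not given in the thread):
#   dpkg-statoverride --update --add root root 4755 /bin/ntfs-3g

target=${1:-/bin/ntfs-3g}
echo "$target: $(audit_verdict "$target")"
```

A verdict of setuid-unexplained on a host that has the fixed package installed means the mode was changed outside dpkg and will not be tracked across upgrades.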

[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package ntfs-3g - 1:2015.3.14AR.1-1ubuntu0.3

---
ntfs-3g (1:2015.3.14AR.1-1ubuntu0.3) xenial-security; urgency=medium

  * Fix LP: #1821250 - Don't install /bin/ntfs-3g as setuid root. If
    administrators want to allow unprivileged users to be able to mount NTFS
    images, they can restore this functionality by changing the permissions of
    /bin/ntfs-3g with dpkg-statoverride
    - update debian/ntfs-3g.postinst

 -- Chris Coulson   Thu, 21 Mar 2019 21:33:36 +


[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package ntfs-3g - 1:2017.3.23-2ubuntu0.18.04.2

---
ntfs-3g (1:2017.3.23-2ubuntu0.18.04.2) bionic-security; urgency=medium

  * Fix LP: #1821250 - Don't install /bin/ntfs-3g as setuid root. If
    administrators want to allow unprivileged users to be able to mount NTFS
    images, they can restore this functionality by changing the permissions of
    /bin/ntfs-3g with dpkg-statoverride
    - update debian/ntfs-3g.postinst

 -- Chris Coulson   Thu, 21 Mar 2019 21:33:01 +

** Changed in: ntfs-3g (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: ntfs-3g (Ubuntu Xenial)
   Status: Fix Committed => Fix Released


[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-13 Thread Mathew Hodson
** Changed in: ntfs-3g (Ubuntu Xenial)
   Status: New => Fix Committed


[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-11 Thread Łukasz Zemczak
Hey Chris! Do you need any action performed on this package? Or will you
copy it over soon?


[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-04-03 Thread Chris Coulson
** Tags removed: verification-needed verification-needed-bionic 
verification-needed-cosmic verification-needed-xenial
** Tags added: verification-done verification-done-bionic 
verification-done-cosmic verification-done-xenial


[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g

2019-03-28 Thread Chris Coulson
Note that the security team intends to copy these updates to the
security pockets after the SRU verification has been completed.

** Description changed:

  /bin/ntfs-3g has been installed as setuid-root since xenial, but this is
  discouraged upstream (see https://www.tuxera.com/community/ntfs-3g-
- faq/#useroption). As a hardening improvement, this should not be setuid.
+ faq/#useroption) and recently contributed to CVE-2019-9755
+ (https://usn.ubuntu.com/3914-1/). As a hardening improvement, this
+ should not be setuid.
  
- This does break one use-case - unprivileged users will not be able to
- mount NTFS image files. As far as I'm aware, there are no other use-
- cases that are broken by this change. It doesn't affect automounting of
- removable volumes or mounting of NTFS block devices (which unprivileged
- users can't mount anyway). Administrators that want to allow
- unprivileged users to mount NTFS image files can change the permissions
- of /bin/ntfs-3g using dpkg-statoverride.
+ [ Test case ]
+ Upgrade ntfs-3g and then mount, use and unmount your NTFS volumes as usual.
+ 
+ [ Regression potential ]
+ This does break one use-case - unprivileged users will not be able to mount 
NTFS image files. As far as I'm aware, there are no other use-cases that are 
broken by this change. It doesn't affect automounting of removable volumes or 
mounting of NTFS block devices (which unprivileged users can't mount anyway). 
Administrators that want to allow unprivileged users to mount NTFS image files 
can change the permissions of /bin/ntfs-3g using dpkg-statoverride.
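
Review bot: The added [ Test case ] only exercises mounting "as usual", so it passes whether or not the setuid bit was actually dropped. Consider adding a step that checks the mode of /bin/ntfs-3g after the upgrade, and one confirming that an unprivileged mount of an NTFS image file is now refused, since that is the single regression named under [ Regression potential ].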

** Tags added: verification-needed verification-needed-bionic
verification-needed-cosmic verification-needed-xenial

** Description changed:

  /bin/ntfs-3g has been installed as setuid-root since xenial, but this is
  discouraged upstream (see https://www.tuxera.com/community/ntfs-3g-
  faq/#useroption) and recently contributed to CVE-2019-9755
  (https://usn.ubuntu.com/3914-1/). As a hardening improvement, this
  should not be setuid.
  
  [ Test case ]
  Upgrade ntfs-3g and then mount, use and unmount your NTFS volumes as usual.
  
  [ Regression potential ]
- This does break one use-case - unprivileged users will not be able to mount 
NTFS image files. As far as I'm aware, there are no other use-cases that are 
broken by this change. It doesn't affect automounting of removable volumes or 
mounting of NTFS block devices (which unprivileged users can't mount anyway). 
Administrators that want to allow unprivileged users to mount NTFS image files 
can change the permissions of /bin/ntfs-3g using dpkg-statoverride.
+ This does break one use-case - unprivileged users will not be able to mount 
NTFS image files. Based on discussions offline, we think this is an edge case 
and consider it to be an acceptable trade-off. As far as I'm aware, there are 
no other use-cases that are broken by this change. It doesn't affect 
automounting of removable volumes or mounting of NTFS block devices (which 
unprivileged users can't mount anyway). Administrators that want to allow 
unprivileged users to mount NTFS image files can change the permissions of 
/bin/ntfs-3g using dpkg-statoverride.
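
Review bot: The sentence added to [ Regression potential ] rests on "discussions offline", so the bug carries no record of why the image-mount case was judged an edge case. A one-line summary of that reasoning in the description would let later readers of the SRU evaluate the trade-off themselves.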
