!45 fix CVE-2023-52890

From: @kylin-qiaojijun Reviewed-by: @wk333 Signed-off-by: @wk333
2024-06-17 06:31:19 +00:00 · 2024-06-17 06:31:19 +00:00 · 8e534f4ee3
commit 8e534f4ee3
parent 33075a922b 0e6b06b25a
2 changed files with 43 additions and 1 deletions
--- a/3000-CVE-2023-52890.patch
+++ b/3000-CVE-2023-52890.patch
@ -0,0 +1,37 @@
+From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001
+From: Erik Larsson <erik@tuxera.com>
+Date: Tue, 13 Jun 2023 17:47:15 +0300
+Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'.
+
+If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence,
+then 'n' will be less than 0 and the loop will terminate without storing
+anything in '*t'. After the loop the uppercase string's allocation is
+freed, however after it is freed it is unconditionally accessed through
+'*t', which points into the freed allocation, for the purpose of NULL-
+terminating the string. This leads to a use-after-free.
+Fixed by only NULL-terminating the string when no error has been thrown.
+
+Thanks for Jeffrey Bencteux for reporting this issue:
+https://github.com/tuxera/ntfs-3g/issues/84
+---
+ libntfs-3g/unistr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c
+index 5854b3b7..db8ddf42 100644
+--- a/libntfs-3g/unistr.c
+++ b/libntfs-3g/unistr.c
+@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low,
+ 			free(upp);
+ 			upp = (char*)NULL;
+ 			errno = EILSEQ;
+		} else {
+			*t = 0;
+ 		}
+-		*t = 0;
+ 	}
+ 	return (upp);
+ }
+-- 
+2.20.1
+
--- a/ntfs-3g.spec
+++ b/ntfs-3g.spec
@ -1,6 +1,6 @@
 Name:          ntfs-3g
 Version:       2022.5.17
-Release:       2
+Release:       3
 Epoch:         2
 Summary:       Linux NTFS userspace driver
 License:       GPLv2+
@ -11,6 +11,8 @@ Patch1:        add-version-and-help-usage.patch
 Patch2:	       CVE-2022-40284_1.patch
 Patch3:        CVE-2022-40284_2.patch

+Patch3000:        3000-CVE-2023-52890.patch
+
 BuildRequires: libtool, libattr-devel, libconfig-devel, libgcrypt-devel, gnutls-devel, libuuid-devel
 Provides:      ntfsprogs-fuse = %{epoch}:%{version}-%{release}
 Obsoletes:     ntfsprogs-fuse
@ -91,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}/README
 %{_mandir}/man*/*

 %changelog
+* Mon Jun 17 2024 qiaojijun<qiaojijun@kylinos.cn> - 2:2022.5.17-3
+- fix CVE-2023-52890
+
 * Thu Nov 10 2022 liyuxiang<liyuxiang@ncti-gba.cn> - 2:2022.5.17-2
 - fix CVE-2022-40284