CVE-2019-9755

Published: 21 March 2019

An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.

Priority

High

CVSS 3 base score: 7.0

Status

Package Release Status
ntfs-3g
Launchpad, Ubuntu, Debian 		Upstream
Released (2017.3.23AR.4)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2017.3.23-2ubuntu0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1:2015.3.14AR.1-1ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored

Notes

AuthorNote
chrisccoulson 
This bug only has security implications when ntfs-3g is
installed as setuid-root. It's ignored in Ubuntu releases prior to
xenial, as it isn't installed as setuid-root in these releases.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading