CVE-2015-3202

EPSS 0.34%

ntfs-3g - security update

Published: 7/2/2015Modified: 3/9/2026

Also known as:DSA-3268-2DEBIAN-CVE-2015-3202

Description

fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.

Affected packages (8)

Debian/fusefrom 0, < 2.9.3-16
Debian/fusefrom 0, < 2.8.4-1.1+deb6u1
Debian/fusefrom 0, < 2.9.0-2+deb7u2
Debian/ntfs-3gfrom 0, < 1:2014.2.15AR.3-3
Debian/ntfs-3gfrom 0, < 1:2010.3.6-1+deb6u1
Debian/ntfs-3gfrom 0, < 1:2010.3.6-1+deb6u2
Debian/ntfs-3gfrom 0, < 1:2012.1.15AR.5-2.1+deb7u1
Debian/ntfs-3gfrom 0, < 1:2012.1.15AR.5-2.1+deb7u2

References (1)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-3202