Security update for ntfs-3g_ntfsprogs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1244-1 Final 1 1 2021-09-09T06:21:47Z current 2021-09-09T06:21:47Z 2021-09-09T06:21:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ntfs-3g_ntfsprogs This update for ntfs-3g_ntfsprogs fixes the following issues: Update to version 2021.8.22 (bsc#1189720): * Fixed compile error when building with libfuse < 2.8.0 * Fixed obsolete macros in configure.ac * Signalled support of UTIME_OMIT to external libfuse2 * Fixed an improper macro usage in ntfscp.c * Updated the repository change in the README * Fixed vulnerability threats caused by maliciously tampered NTFS partitions * Security fixes: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE_2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263. - Library soversion is now 89 * Changes in version 2017.3.23 * Delegated processing of special reparse points to external plugins * Allowed kernel cacheing by lowntfs-3g when not using Posix ACLs * Enabled fallback to read-only mount when the volume is hibernated * Made a full check for whether an extended attribute is allowed * Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and ntfsusermap) * Enabled encoding broken UTF-16 into broken UTF-8 * Autoconfigured selecting <sys/sysmacros.h> vs <sys/mkdev> * Allowed using the full library API on systems without extended attributes support * Fixed DISABLE_PLUGINS as the condition for not using plugins * Corrected validation of multi sector transfer protected records * Denied creating/removing files from $Extend * Returned the size of locale encoded target as the size of symlinks This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1244 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ E-Mail link for openSUSE-SU-2021:1244-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1189720 SUSE Bug 1189720 https://www.suse.com/security/cve/CVE-2019-9755/ SUSE CVE CVE-2019-9755 page https://www.suse.com/security/cve/CVE-2021-33285/ SUSE CVE CVE-2021-33285 page https://www.suse.com/security/cve/CVE-2021-33286/ SUSE CVE CVE-2021-33286 page https://www.suse.com/security/cve/CVE-2021-33287/ SUSE CVE CVE-2021-33287 page https://www.suse.com/security/cve/CVE-2021-33289/ SUSE CVE CVE-2021-33289 page https://www.suse.com/security/cve/CVE-2021-35266/ SUSE CVE CVE-2021-35266 page https://www.suse.com/security/cve/CVE-2021-35267/ SUSE CVE CVE-2021-35267 page https://www.suse.com/security/cve/CVE-2021-35268/ SUSE CVE CVE-2021-35268 page https://www.suse.com/security/cve/CVE-2021-35269/ SUSE CVE CVE-2021-35269 page https://www.suse.com/security/cve/CVE-2021-39251/ SUSE CVE CVE-2021-39251 page https://www.suse.com/security/cve/CVE-2021-39252/ SUSE CVE CVE-2021-39252 page https://www.suse.com/security/cve/CVE-2021-39253/ SUSE CVE CVE-2021-39253 page https://www.suse.com/security/cve/CVE-2021-39255/ SUSE CVE CVE-2021-39255 page https://www.suse.com/security/cve/CVE-2021-39256/ SUSE CVE CVE-2021-39256 page https://www.suse.com/security/cve/CVE-2021-39257/ SUSE CVE CVE-2021-39257 page https://www.suse.com/security/cve/CVE-2021-39258/ SUSE CVE CVE-2021-39258 page https://www.suse.com/security/cve/CVE-2021-39259/ SUSE CVE CVE-2021-39259 page https://www.suse.com/security/cve/CVE-2021-39260/ SUSE CVE CVE-2021-39260 page https://www.suse.com/security/cve/CVE-2021-39261/ SUSE CVE CVE-2021-39261 page https://www.suse.com/security/cve/CVE-2021-39262/ SUSE CVE CVE-2021-39262 page https://www.suse.com/security/cve/CVE-2021-39263/ SUSE CVE CVE-2021-39263 page openSUSE Leap 15.2 libntfs-3g-devel-2021.8.22-lp152.5.3.1 libntfs-3g87-2021.8.22-lp152.5.3.1 ntfs-3g-2021.8.22-lp152.5.3.1 ntfsprogs-2021.8.22-lp152.5.3.1 ntfsprogs-extra-2021.8.22-lp152.5.3.1 libntfs-3g-devel-2021.8.22-lp152.5.3.1 as a component of openSUSE Leap 15.2 libntfs-3g87-2021.8.22-lp152.5.3.1 as a component of openSUSE Leap 15.2 ntfs-3g-2021.8.22-lp152.5.3.1 as a component of openSUSE Leap 15.2 ntfsprogs-2021.8.22-lp152.5.3.1 as a component of openSUSE Leap 15.2 ntfsprogs-extra-2021.8.22-lp152.5.3.1 as a component of openSUSE Leap 15.2 An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges. CVE-2019-9755 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2019-9755.html CVE-2019-9755 https://bugzilla.suse.com/1130165 SUSE Bug 1130165 In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute is supplied to the function ntfs_get_attribute_value, a heap buffer overflow can occur allowing for memory disclosure or denial of service. The vulnerability is caused by an out-of-bound buffer access which can be triggered by mounting a crafted ntfs partition. The root cause is a missing consistency check after reading an MFT record : the "bytes_in_use" field should be less than the "bytes_allocated" field. When it is not, the parsing of the records proceeds into the wild. CVE-2021-33285 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-33285.html CVE-2021-33285 In NTFS-3G versions < 2021.8.22, when a specially crafted unicode string is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution. CVE-2021-33286 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-33286.html CVE-2021-33286 In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application. CVE-2021-33287 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-33287.html CVE-2021-33287 In NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution. CVE-2021-33289 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-33289.html CVE-2021-33289 In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code execution. CVE-2021-35266 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-35266.html CVE-2021-35266 NTFS-3G versions < 2021.8.22, a stack buffer overflow can occur when correcting differences in the MFT and MFTMirror allowing for code execution or escalation of privileges when setuid-root. CVE-2021-35267 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-35267.html CVE-2021-35267 In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode is loaded in the function ntfs_inode_real_open, a heap buffer overflow can occur allowing for code execution and escalation of privileges. CVE-2021-35268 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-35268.html CVE-2021-35268 NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute from the MFT is setup in the function ntfs_attr_setup_flag, a heap buffer overflow can occur allowing for code execution and escalation of privileges. CVE-2021-35269 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-35269.html CVE-2021-35269 A crafted NTFS image can cause a NULL pointer dereference in ntfs_extent_inode_open in NTFS-3G < 2021.8.22. CVE-2021-39251 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39251.html CVE-2021-39251 A crafted NTFS image can cause an out-of-bounds read in ntfs_ie_lookup in NTFS-3G < 2021.8.22. CVE-2021-39252 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39252.html CVE-2021-39252 A crafted NTFS image can cause an out-of-bounds read in ntfs_runlists_merge_i in NTFS-3G < 2021.8.22. CVE-2021-39253 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39253.html CVE-2021-39253 A crafted NTFS image can trigger an out-of-bounds read, caused by an invalid attribute in ntfs_attr_find_in_attrdef, in NTFS-3G < 2021.8.22. CVE-2021-39255 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39255.html CVE-2021-39255 A crafted NTFS image can cause a heap-based buffer overflow in ntfs_inode_lookup_by_name in NTFS-3G < 2021.8.22. CVE-2021-39256 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39256.html CVE-2021-39256 A crafted NTFS image with an unallocated bitmap can lead to a endless recursive function call chain (starting from ntfs_attr_pwrite), causing stack consumption in NTFS-3G < 2021.8.22. CVE-2021-39257 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39257.html CVE-2021-39257 A crafted NTFS image can cause out-of-bounds reads in ntfs_attr_find and ntfs_external_attr_find in NTFS-3G < 2021.8.22. CVE-2021-39258 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39258.html CVE-2021-39258 A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22. CVE-2021-39259 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39259.html CVE-2021-39259 A crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G < 2021.8.22. CVE-2021-39260 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39260.html CVE-2021-39260 A crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < 2021.8.22. CVE-2021-39261 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39261.html CVE-2021-39261 A crafted NTFS image can cause an out-of-bounds access in ntfs_decompress in NTFS-3G < 2021.8.22. CVE-2021-39262 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39262.html CVE-2021-39262 A crafted NTFS image can trigger a heap-based buffer overflow, caused by an unsanitized attribute in ntfs_get_attribute_value, in NTFS-3G < 2021.8.22. CVE-2021-39263 openSUSE Leap 15.2:libntfs-3g-devel-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:libntfs-3g87-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfs-3g-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-2021.8.22-lp152.5.3.1 openSUSE Leap 15.2:ntfsprogs-extra-2021.8.22-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I22R7EMWP6WBQIXDCKB4KJMMB67TMZK/ https://www.suse.com/security/cve/CVE-2021-39263.html CVE-2021-39263