CVE-2015-3202
ntfs-3g - security update
EPSS 0.34%
Description
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.
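An added example (not code from FUSE or from the Debian fix) of the hardening this description points to: a privileged helper should execute other programs with a fixed environment instead of the one inherited from the calling user. The names `run_helper`, `clean_env` and `child_sees_variable` are assumptions made for illustration, `/bin/sh` stands in for the executed program, and the variable's value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed, minimal environment for the child: nothing from the caller is inherited. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run `sh -c script` in a child. With sanitize != 0 the child gets clean_env,
 * otherwise it inherits the caller's environment (the unsafe pattern).
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_helper(const char *script, int sanitize)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "sh", "-c", (char *)script, NULL };
        execve("/bin/sh", argv, sanitize ? clean_env : environ);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if a caller-set LIBMOUNT_MTAB is visible in the child, 0 if not.
 * The probe only tests whether the variable exists; it never uses its value. */
int child_sees_variable(int sanitize)
{
    setenv("LIBMOUNT_MTAB", "constructed-value", 1);   /* constructed sample */
    return run_helper("[ -z \"${LIBMOUNT_MTAB+set}\" ]", sanitize) != 0;
}

int main(void)
{
    printf("inherited environment: visible=%d\n", child_sees_variable(0));
    printf("sanitized environment: visible=%d\n", child_sees_variable(1));
    return 0;
}
```

Passing an explicit allowlist to `execve` means variables introduced by later versions of the executed program are also excluded, which a denylist of known variable names would not guarantee.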
How to fix CVE-2015-3202
To remediate CVE-2015-3202, upgrade the affected package to a fixed version below.
- Debian/fuse—upgrade to 2.9.3-16 or later
- Debian/fuse—upgrade to 2.8.4-1.1+deb6u1 or later
- Debian/fuse—upgrade to 2.9.0-2+deb7u2 or later
- —upgrade to 1:2014.2.15AR.3-3 or later
- —upgrade to 1:2010.3.6-1+deb6u1 or later
- —upgrade to 1:2010.3.6-1+deb6u2 or later
- —upgrade to 1:2012.1.15AR.5-2.1+deb7u1 or later
- —upgrade to 1:2012.1.15AR.5-2.1+deb7u2 or later
Is CVE-2015-3202 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0, < 2.9.3-16
- from 0, < 2.8.4-1.1+deb6u1
- from 0, < 2.9.0-2+deb7u2
- from 0, < 1:2014.2.15AR.3-3
- from 0, < 1:2010.3.6-1+deb6u1
- from 0, < 1:2010.3.6-1+deb6u2
- from 0, < 1:2012.1.15AR.5-2.1+deb7u1
- from 0, < 1:2012.1.15AR.5-2.1+deb7u2