Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch ntfs-3g for CVE-2026-40706 [HIGH] - branch main" #16857

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/ntfs-3g/CVE-2026-40706.patch

@@ -0,0 +1,60 @@
+From b27303905e208e89b9cb7cc5aab9f57339424a86 Mon Sep 17 00:00:00 2001
+From: Erik Larsson <erik@tuxera.com>
+Date: Tue, 24 Feb 2026 10:04:31 +0200
+Subject: [PATCH] acls.c: Fix heap buffer overflow in
+ 'ntfs_build_permissions_posix'.
+
+The root cause was that the memory allocated for the ACE entries was
+insufficient for the worst case scenario when group entries were added
+for mask entries that didn't have a corresponding group entry already.
+Fixed by allocating space for the worst case number of ACE entries.
+
+This was reported by Andrea Bocchetti with a thorough report which made
+it very easy to fix.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/tuxera/ntfs-3g/commit/e48e1ef2a1fcff13a590c2224ec21c5bd5d3e92e.patch
+---
+ libntfs-3g/acls.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
+index 9f16fec..4cf534b 100644
+--- a/libntfs-3g/acls.c
++++ b/libntfs-3g/acls.c
+@@ -3716,12 +3716,27 @@ struct POSIX_SECURITY *ntfs_build_permissions_posix(
+ 		/*
+ 		 * Build a raw posix security descriptor
+ 		 * by just translating permissions and ids
+-		 * Add 2 to the count of ACE to be able to insert
+-		 * a group ACE later in access and default ACLs
+-		 * and add 2 more to be able to insert ACEs for owner
+-		 * and 2 more for other
++		 *
++		 * The worst case number of ACE entries consists of:
++		 * - 'acecount' ACE entries from the main loop (see below)
++		 *   iterating over the 'securattr' array.
++		 * - 1 ACE entry which may be added when creating world
++		 *   permissions if none exist.
++		 * - 1 ACE entry which may be added when setting basic owner
++		 *   permissions if none exist (both lists).
++		 * - 1 ACE entry which may be added when duplicating world
++		 *   permissions as group_obj permissions if none exist.
++		 * - 'acecount + 2' ACE entries which may be added when
++		 *   duplicating world permissions as group permissions if they
++		 *   were converted to masks and the masks are not followed by a
++		 *   group entry.
++		 * - 1 ACE entry which may be added when inserting a default
++		 *   mask if none is present and there are designated users or
++		 *   groups.
++		 *
++		 * This amounts to 2*acecnt + 6 ACE entries in the worst case.
+ 		 */
+-	alloccnt = acecnt + 6;
++	alloccnt = 2*acecnt + 6;
+ 	pxdesc = (struct POSIX_SECURITY*)malloc(
+ 				sizeof(struct POSIX_SECURITY)
+ 				+ alloccnt*sizeof(struct POSIX_ACE));
+-- 
+2.45.4
+

SPECS/ntfs-3g/ntfs-3g.spec

@@ -1,14 +1,15 @@
 Summary:        Linux NTFS userspace driver
 Name:           ntfs-3g
 Version:        2022.10.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.tuxera.com/company/open-source/
 Source0:        https://tuxera.com/opensource/%{name}_ntfsprogs-%{version}.tgz
 Patch0:         ntfs-3g_ntfsprogs-2011.10.9-RC-ntfsck-unsupported-return-0.patch
 Patch1:         CVE-2023-52890.patch
+Patch2:         CVE-2026-40706.patch
 
 BuildRequires:  fuse-devel
 BuildRequires:  gnutls-devel
@@ -171,6 +172,9 @@ rm -rf %{buildroot}%{_defaultdocdir}/%{name}/README
 %exclude %{_mandir}/man8/ntfs-3g*
 
 %changelog
+* Thu Apr 23 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2022.10.3-3
+- Patch for CVE-2026-40706
+
 * Mon Jun 17 2024 Suresh Thelkar <sthelkar@microsoft.com> - 2022.10.3-2
 - Patch CVE-2023-52890