Stack-based buffer overflow when handling long path names

Resolves: #1074459, CVE-2014-0004
This commit is contained in:
Jan Safranek 2014-03-10 13:55:51 +01:00 committed by Debarshi Ray
parent 854aaa5970
commit 204f08495a
2 changed files with 104 additions and 1 deletions

View File

@ -0,0 +1,96 @@
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@gmail.com>
Date: Wed, 12 Feb 2014 20:01:41 -0800
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
path names
Fix this by being more careful when parsing strings.
Acknowledgements: This issue was discovered by Florian Weimer of the
Red Hat Product Security Team.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
---
src/udisksmountmonitor.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
index 8af1028..77cf94c 100644
--- a/src/udisksmountmonitor.c
+++ b/src/udisksmountmonitor.c
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
guint mount_id;
guint parent_id;
guint major, minor;
- gchar encoded_root[PATH_MAX];
- gchar encoded_mount_point[PATH_MAX];
+ gchar encoded_root[4096];
+ gchar encoded_mount_point[4096];
gchar *mount_point;
dev_t dev;
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
continue;
if (sscanf (lines[n],
- "%d %d %d:%d %s %s",
+ "%d %d %d:%d %4095s %4095s",
&mount_id,
&parent_id,
&major,
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
udisks_warning ("Error parsing line '%s'", lines[n]);
continue;
}
+ encoded_root[sizeof encoded_root - 1] = '\0';
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
/* Temporary work-around for btrfs, see
*
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
sep = strstr (lines[n], " - ");
if (sep != NULL)
{
- gchar fstype[PATH_MAX];
- gchar mount_source[PATH_MAX];
+ gchar fstype[4096];
+ gchar mount_source[4096];
struct stat statbuf;
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
{
udisks_warning ("Error parsing things past - for '%s'", lines[n]);
continue;
}
+ fstype[sizeof fstype - 1] = '\0';
+ mount_source[sizeof mount_source - 1] = '\0';
if (g_strcmp0 (fstype, "btrfs") != 0)
continue;
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
lines = g_strsplit (contents, "\n", 0);
for (n = 0; lines[n] != NULL; n++)
{
- gchar filename[PATH_MAX];
+ gchar filename[4096];
struct stat statbuf;
dev_t dev;
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
if (strlen (lines[n]) == 0)
continue;
- if (sscanf (lines[n], "%s", filename) != 1)
+ if (sscanf (lines[n], "%4095s", filename) != 1)
{
udisks_warning ("Error parsing line '%s'", lines[n]);
continue;
}
+ filename[sizeof filename - 1] = '\0';
if (stat (filename, &statbuf) != 0)
{
--
1.8.5.3

View File

@ -8,11 +8,13 @@
Summary: Disk Manager Summary: Disk Manager
Name: udisks2 Name: udisks2
Version: 2.1.2 Version: 2.1.2
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.freedesktop.org/wiki/Software/udisks URL: http://www.freedesktop.org/wiki/Software/udisks
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2 Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
Patch1: udisks-2.x.x-CVE-2014-0004.patch
BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version} BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@ -91,6 +93,7 @@ daemon. This package is for the udisks 2.x series.
%prep %prep
%setup -q -n udisks-%{version} %setup -q -n udisks-%{version}
%patch1 -p1
%build %build
# we can't use _hardened_build here, see # we can't use _hardened_build here, see
@ -154,6 +157,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
# Note: please don't forget the %{?dist} in the changelog. Thanks # Note: please don't forget the %{?dist} in the changelog. Thanks
%changelog %changelog
* Mon Mar 10 2014 Jan Safranek <jsafrane@redhat.com>- 2.1.2-2%{?dist}
- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
(#1074459)
* Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist} * Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
- Update to 2.1.2 - Update to 2.1.2