Stack-based buffer overflow when handling long path names
Resolves: #1074459, CVE-2014-0004
This commit is contained in:
parent
854aaa5970
commit
204f08495a
96
udisks-2.x.x-CVE-2014-0004.patch
Normal file
96
udisks-2.x.x-CVE-2014-0004.patch
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Zeuthen <zeuthen@gmail.com>
|
||||||
|
Date: Wed, 12 Feb 2014 20:01:41 -0800
|
||||||
|
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
|
||||||
|
path names
|
||||||
|
|
||||||
|
Fix this by being more careful when parsing strings.
|
||||||
|
|
||||||
|
Acknowledgements: This issue was discovered by Florian Weimer of the
|
||||||
|
Red Hat Product Security Team.
|
||||||
|
|
||||||
|
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
|
||||||
|
---
|
||||||
|
src/udisksmountmonitor.c | 21 +++++++++++++--------
|
||||||
|
1 file changed, 13 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
|
||||||
|
index 8af1028..77cf94c 100644
|
||||||
|
--- a/src/udisksmountmonitor.c
|
||||||
|
+++ b/src/udisksmountmonitor.c
|
||||||
|
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||||
|
guint mount_id;
|
||||||
|
guint parent_id;
|
||||||
|
guint major, minor;
|
||||||
|
- gchar encoded_root[PATH_MAX];
|
||||||
|
- gchar encoded_mount_point[PATH_MAX];
|
||||||
|
+ gchar encoded_root[4096];
|
||||||
|
+ gchar encoded_mount_point[4096];
|
||||||
|
gchar *mount_point;
|
||||||
|
dev_t dev;
|
||||||
|
|
||||||
|
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (sscanf (lines[n],
|
||||||
|
- "%d %d %d:%d %s %s",
|
||||||
|
+ "%d %d %d:%d %4095s %4095s",
|
||||||
|
&mount_id,
|
||||||
|
&parent_id,
|
||||||
|
&major,
|
||||||
|
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||||
|
udisks_warning ("Error parsing line '%s'", lines[n]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ encoded_root[sizeof encoded_root - 1] = '\0';
|
||||||
|
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
|
||||||
|
|
||||||
|
/* Temporary work-around for btrfs, see
|
||||||
|
*
|
||||||
|
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||||
|
sep = strstr (lines[n], " - ");
|
||||||
|
if (sep != NULL)
|
||||||
|
{
|
||||||
|
- gchar fstype[PATH_MAX];
|
||||||
|
- gchar mount_source[PATH_MAX];
|
||||||
|
+ gchar fstype[4096];
|
||||||
|
+ gchar mount_source[4096];
|
||||||
|
struct stat statbuf;
|
||||||
|
|
||||||
|
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
|
||||||
|
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
|
||||||
|
{
|
||||||
|
udisks_warning ("Error parsing things past - for '%s'", lines[n]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ fstype[sizeof fstype - 1] = '\0';
|
||||||
|
+ mount_source[sizeof mount_source - 1] = '\0';
|
||||||
|
|
||||||
|
if (g_strcmp0 (fstype, "btrfs") != 0)
|
||||||
|
continue;
|
||||||
|
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
||||||
|
lines = g_strsplit (contents, "\n", 0);
|
||||||
|
for (n = 0; lines[n] != NULL; n++)
|
||||||
|
{
|
||||||
|
- gchar filename[PATH_MAX];
|
||||||
|
+ gchar filename[4096];
|
||||||
|
struct stat statbuf;
|
||||||
|
dev_t dev;
|
||||||
|
|
||||||
|
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
||||||
|
if (strlen (lines[n]) == 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
- if (sscanf (lines[n], "%s", filename) != 1)
|
||||||
|
+ if (sscanf (lines[n], "%4095s", filename) != 1)
|
||||||
|
{
|
||||||
|
udisks_warning ("Error parsing line '%s'", lines[n]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ filename[sizeof filename - 1] = '\0';
|
||||||
|
|
||||||
|
if (stat (filename, &statbuf) != 0)
|
||||||
|
{
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
@ -8,11 +8,13 @@
|
|||||||
Summary: Disk Manager
|
Summary: Disk Manager
|
||||||
Name: udisks2
|
Name: udisks2
|
||||||
Version: 2.1.2
|
Version: 2.1.2
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
URL: http://www.freedesktop.org/wiki/Software/udisks
|
URL: http://www.freedesktop.org/wiki/Software/udisks
|
||||||
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
|
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
|
||||||
|
Patch1: udisks-2.x.x-CVE-2014-0004.patch
|
||||||
|
|
||||||
BuildRequires: glib2-devel >= %{glib2_version}
|
BuildRequires: glib2-devel >= %{glib2_version}
|
||||||
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
|
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
|
||||||
@ -91,6 +93,7 @@ daemon. This package is for the udisks 2.x series.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n udisks-%{version}
|
%setup -q -n udisks-%{version}
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# we can't use _hardened_build here, see
|
# we can't use _hardened_build here, see
|
||||||
@ -154,6 +157,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
|
|||||||
|
|
||||||
# Note: please don't forget the %{?dist} in the changelog. Thanks
|
# Note: please don't forget the %{?dist} in the changelog. Thanks
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 10 2014 Jan Safranek <jsafrane@redhat.com>- 2.1.2-2%{?dist}
|
||||||
|
- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
|
||||||
|
(#1074459)
|
||||||
|
|
||||||
* Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
|
* Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
|
||||||
- Update to 2.1.2
|
- Update to 2.1.2
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user