Stack-based buffer overflow when handling long path names
Resolves: #1074459, CVE-2014-0004
This commit is contained in:
parent
854aaa5970
commit
204f08495a
96
udisks-2.x.x-CVE-2014-0004.patch
Normal file
96
udisks-2.x.x-CVE-2014-0004.patch
Normal file
@ -0,0 +1,96 @@
|
||||
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
|
||||
From: David Zeuthen <zeuthen@gmail.com>
|
||||
Date: Wed, 12 Feb 2014 20:01:41 -0800
|
||||
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
|
||||
path names
|
||||
|
||||
Fix this by being more careful when parsing strings.
|
||||
|
||||
Acknowledgements: This issue was discovered by Florian Weimer of the
|
||||
Red Hat Product Security Team.
|
||||
|
||||
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
|
||||
---
|
||||
src/udisksmountmonitor.c | 21 +++++++++++++--------
|
||||
1 file changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
|
||||
index 8af1028..77cf94c 100644
|
||||
--- a/src/udisksmountmonitor.c
|
||||
+++ b/src/udisksmountmonitor.c
|
||||
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||
guint mount_id;
|
||||
guint parent_id;
|
||||
guint major, minor;
|
||||
- gchar encoded_root[PATH_MAX];
|
||||
- gchar encoded_mount_point[PATH_MAX];
|
||||
+ gchar encoded_root[4096];
|
||||
+ gchar encoded_mount_point[4096];
|
||||
gchar *mount_point;
|
||||
dev_t dev;
|
||||
|
||||
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||
continue;
|
||||
|
||||
if (sscanf (lines[n],
|
||||
- "%d %d %d:%d %s %s",
|
||||
+ "%d %d %d:%d %4095s %4095s",
|
||||
&mount_id,
|
||||
&parent_id,
|
||||
&major,
|
||||
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||
udisks_warning ("Error parsing line '%s'", lines[n]);
|
||||
continue;
|
||||
}
|
||||
+ encoded_root[sizeof encoded_root - 1] = '\0';
|
||||
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
|
||||
|
||||
/* Temporary work-around for btrfs, see
|
||||
*
|
||||
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
||||
sep = strstr (lines[n], " - ");
|
||||
if (sep != NULL)
|
||||
{
|
||||
- gchar fstype[PATH_MAX];
|
||||
- gchar mount_source[PATH_MAX];
|
||||
+ gchar fstype[4096];
|
||||
+ gchar mount_source[4096];
|
||||
struct stat statbuf;
|
||||
|
||||
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
|
||||
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
|
||||
{
|
||||
udisks_warning ("Error parsing things past - for '%s'", lines[n]);
|
||||
continue;
|
||||
}
|
||||
+ fstype[sizeof fstype - 1] = '\0';
|
||||
+ mount_source[sizeof mount_source - 1] = '\0';
|
||||
|
||||
if (g_strcmp0 (fstype, "btrfs") != 0)
|
||||
continue;
|
||||
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
||||
lines = g_strsplit (contents, "\n", 0);
|
||||
for (n = 0; lines[n] != NULL; n++)
|
||||
{
|
||||
- gchar filename[PATH_MAX];
|
||||
+ gchar filename[4096];
|
||||
struct stat statbuf;
|
||||
dev_t dev;
|
||||
|
||||
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
||||
if (strlen (lines[n]) == 0)
|
||||
continue;
|
||||
|
||||
- if (sscanf (lines[n], "%s", filename) != 1)
|
||||
+ if (sscanf (lines[n], "%4095s", filename) != 1)
|
||||
{
|
||||
udisks_warning ("Error parsing line '%s'", lines[n]);
|
||||
continue;
|
||||
}
|
||||
+ filename[sizeof filename - 1] = '\0';
|
||||
|
||||
if (stat (filename, &statbuf) != 0)
|
||||
{
|
||||
--
|
||||
1.8.5.3
|
||||
|
@ -8,11 +8,13 @@
|
||||
Summary: Disk Manager
|
||||
Name: udisks2
|
||||
Version: 2.1.2
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.freedesktop.org/wiki/Software/udisks
|
||||
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
|
||||
Patch1: udisks-2.x.x-CVE-2014-0004.patch
|
||||
|
||||
BuildRequires: glib2-devel >= %{glib2_version}
|
||||
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
|
||||
@ -91,6 +93,7 @@ daemon. This package is for the udisks 2.x series.
|
||||
|
||||
%prep
|
||||
%setup -q -n udisks-%{version}
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
# we can't use _hardened_build here, see
|
||||
@ -154,6 +157,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
|
||||
|
||||
# Note: please don't forget the %{?dist} in the changelog. Thanks
|
||||
%changelog
|
||||
* Mon Mar 10 2014 Jan Safranek <jsafrane@redhat.com>- 2.1.2-2%{?dist}
|
||||
- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
|
||||
(#1074459)
|
||||
|
||||
* Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
|
||||
- Update to 2.1.2
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user