main/udisks2: security fix for CVE-2014-0004

author: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org> 2014-03-11 17:26:58 +0100
committer: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org> 2014-03-11 17:31:31 +0100
commit: cbff0ff5f94876e87aefd0814189aef4179301fa (patch)
tree: 54a9ecdc663be60093ebcc638ed646a5e41c89bd /main/udisks2
parent: 920eb3a1300411c0f4f595db306a76f0dbd79535 (diff)
download: aports-cbff0ff5f94876e87aefd0814189aef4179301fa.tar.bz2
aports-cbff0ff5f94876e87aefd0814189aef4179301fa.tar.xz
2 files changed, 114 insertions, 4 deletions
diff --git a/main/udisks2/APKBUILD b/main/udisks2/APKBUILD
index 70c9be167e..eb61ed3ce4 100644
--- a/main/udisks2/APKBUILD
+++ b/main/udisks2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=udisks2
 pkgver=2.1.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Disk Manager"
 url="http://www.freedesktop.org/wiki/Software/udisks"
 arch="all"
@@ -16,6 +16,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
 source="http://udisks.freedesktop.org/releases/udisks-$pkgver.tar.bz2
 	O_CLOEXEC.patch
 	sys-wait.patch
+	CVE-2014-0004.patch
 	"
 
 _builddir="$srcdir"/udisks-$pkgver
@@ -56,10 +57,13 @@ libs() {
 
 md5sums="a8c806034f096a8b10dfae1c4a917d0c  udisks-2.1.0.tar.bz2
 fd70ee4163c5bfd9bd474c28a2548c46  O_CLOEXEC.patch
-4c7aa82c180c809f565c55325ce9eb20  sys-wait.patch"
+4c7aa82c180c809f565c55325ce9eb20  sys-wait.patch
+04f75c4bebf1a82af8e0f6a63ae6fcbf  CVE-2014-0004.patch"
 sha256sums="310208e5a10335dae4b52a0125c24d31cf292cce3d15cf65da4cd308e38d15a8  udisks-2.1.0.tar.bz2
 2c325c131e8d66d09ec3ec4f2c022113822c494da37dd2316d87ac4dc721c82b  O_CLOEXEC.patch
-ed4c6a17a97cc01854c7adde56984cade1da8a58f41c30788f5bcdc428ff26ca  sys-wait.patch"
+ed4c6a17a97cc01854c7adde56984cade1da8a58f41c30788f5bcdc428ff26ca  sys-wait.patch
+8699cfc2daed299cc2e89d41a15946698d0bc001238a272fa3b792c28de937b3  CVE-2014-0004.patch"
 sha512sums="dffbceda998aee62f56819111db7c33fd65b8295d14885f28f8209be332ab319353116d51e2c006e434865ac515db04c7d8f5d2639ab9870247cf49136747811  udisks-2.1.0.tar.bz2
 269ba55cc755e2a484670258bc530790691b66c9fce9479a2a17d78cff5d52dd1be89290979efd44a0ba82be665f52a356a57f2cbb67951d91fe09d4e24c2a6a  O_CLOEXEC.patch
-138593a97a35ba405e65d8f207fb16f4e056c09e3f4a51edd4ee8f8aeb37914663bbf0b016a5a0055ef5ec5191f850a3680f1f47fe0b07e9abe0ce01d2c0af0d  sys-wait.patch"
+138593a97a35ba405e65d8f207fb16f4e056c09e3f4a51edd4ee8f8aeb37914663bbf0b016a5a0055ef5ec5191f850a3680f1f47fe0b07e9abe0ce01d2c0af0d  sys-wait.patch
+f86b6a7248bc9ae896664b8addb99cf5242d16fbd93d1c1d9533eabdd3daf8e5c6d074cf9191d570bda1b0e5f408712484931f5a62b076d4ee5d2ec537c5a944  CVE-2014-0004.patch"
diff --git a/main/udisks2/CVE-2014-0004.patch b/main/udisks2/CVE-2014-0004.patch
new file mode 100644
index 0000000000..0c81d16ad2
--- /dev/null
+++ b/main/udisks2/CVE-2014-0004.patch
@@ -0,0 +1,106 @@
+From 24496747b648d1a7bd0d6da1ef3759f035ba1cd6 Mon Sep 17 00:00:00 2001
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Wed, 05 Mar 2014 12:47:15 +0000
+Subject: Fix buffer overflow in mount path parsing
+
+In the mount monitor we parse mount points from /proc/self/mountinfo and
+/proc/swaps. Ensure that we don't overflow the buffers on platforms where mount
+paths could be longer than PATH_MAX (unknown if that can actually happen), as
+at least the mount paths for hotpluggable devices are somewhat user-controlled.
+
+Thanks to Florian Weimer for discovering this bug, and to David Zeuthen
+for his initial patch!
+
+CVE-2014-0004
+---
+diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
+index 8af1028..e7097fa 100644
+--- a/src/udisksmountmonitor.c
++++ b/src/udisksmountmonitor.c
+@@ -38,6 +38,11 @@
+ #include "udisksmount.h"
+ #include "udisksprivate.h"
+ 
++/* build a %Ns format string macro with N == PATH_MAX */
++#define xstr(s) str(s)
++#define str(s) #s
++#define PATH_MAX_FMT "%" xstr(PATH_MAX) "s"
++
+ /**
+  * SECTION:udisksmountmonitor
+  * @title: UDisksMountMonitor
+@@ -416,8 +421,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+       guint mount_id;
+       guint parent_id;
+       guint major, minor;
+-      gchar encoded_root[PATH_MAX];
+-      gchar encoded_mount_point[PATH_MAX];
++      gchar encoded_root[PATH_MAX + 1];
++      gchar encoded_mount_point[PATH_MAX + 1];
+       gchar *mount_point;
+       dev_t dev;
+ 
+@@ -425,7 +430,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+         continue;
+ 
+       if (sscanf (lines[n],
+-                  "%d %d %d:%d %s %s",
++                  "%d %d %d:%d " PATH_MAX_FMT " " PATH_MAX_FMT,
+                   &mount_id,
+                   &parent_id,
+                   &major,
+@@ -436,6 +441,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
++      encoded_root[sizeof encoded_root - 1] = '\0';
++      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+ 
+       /* Temporary work-around for btrfs, see
+        *
+@@ -450,15 +457,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           sep = strstr (lines[n], " - ");
+           if (sep != NULL)
+             {
+-              gchar fstype[PATH_MAX];
+-              gchar mount_source[PATH_MAX];
++              gchar fstype[PATH_MAX + 1];
++              gchar mount_source[PATH_MAX + 1];
+               struct stat statbuf;
+ 
+-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
++              if (sscanf (sep + 3, PATH_MAX_FMT " " PATH_MAX_FMT, fstype, mount_source) != 2)
+                 {
+                   udisks_warning ("Error parsing things past - for '%s'", lines[n]);
+                   continue;
+                 }
++              fstype[sizeof fstype - 1] = '\0';
++              mount_source[sizeof mount_source - 1] = '\0';
+ 
+               if (g_strcmp0 (fstype, "btrfs") != 0)
+                 continue;
+@@ -546,7 +555,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+   lines = g_strsplit (contents, "\n", 0);
+   for (n = 0; lines[n] != NULL; n++)
+     {
+-      gchar filename[PATH_MAX];
++      gchar filename[PATH_MAX + 1];
+       struct stat statbuf;
+       dev_t dev;
+ 
+@@ -557,11 +566,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+       if (strlen (lines[n]) == 0)
+         continue;
+ 
+-      if (sscanf (lines[n], "%s", filename) != 1)
++      if (sscanf (lines[n], PATH_MAX_FMT, filename) != 1)
+         {
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
++      filename[sizeof filename - 1] = '\0';
+ 
+       if (stat (filename, &statbuf) != 0)
+         {
+--
+cgit v0.9.0.2-2-gbebe
author	Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>	2014-03-11 17:26:58 +0100
committer	Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>	2014-03-11 17:31:31 +0100
commit	cbff0ff5f94876e87aefd0814189aef4179301fa (patch)
tree	54a9ecdc663be60093ebcc638ed646a5e41c89bd /main/udisks2
parent	920eb3a1300411c0f4f595db306a76f0dbd79535 (diff)
download	aports-cbff0ff5f94876e87aefd0814189aef4179301fa.tar.bz2 aports-cbff0ff5f94876e87aefd0814189aef4179301fa.tar.xz