main/udisks2: security fix for CVE-2014-0004

2 files changed, 110 insertions, 2 deletions

diff --git a/main/udisks2/APKBUILD b/main/udisks2/APKBUILD
index 8c460cc75c..1f7e728234 100644
--- a/main/udisks2/APKBUILD
+++ b/main/udisks2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=udisks2
 pkgver=2.0.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Disk Manager"
 url="http://www.freedesktop.org/wiki/Software/udisks"
 arch="all"
@@ -16,6 +16,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
 source="http://udisks.freedesktop.org/releases/udisks-$pkgver.tar.bz2
 	O_CLOEXEC.patch
 	sys-wait.patch
+	CVE-2014-0004.patch
 	"
 
 _builddir="$srcdir"/udisks-$pkgver
@@ -56,4 +57,5 @@ libs() {
 
 md5sums="79fb343fbec6ed6b9e76fbe828622d38  udisks-2.0.0.tar.bz2
 fd70ee4163c5bfd9bd474c28a2548c46  O_CLOEXEC.patch
-4c7aa82c180c809f565c55325ce9eb20  sys-wait.patch"
+4c7aa82c180c809f565c55325ce9eb20  sys-wait.patch
+04f75c4bebf1a82af8e0f6a63ae6fcbf  CVE-2014-0004.patch"
diff --git a/main/udisks2/CVE-2014-0004.patch b/main/udisks2/CVE-2014-0004.patch
new file mode 100644
index 0000000000..0c81d16ad2
--- /dev/null
+++ b/main/udisks2/CVE-2014-0004.patch
@@ -0,0 +1,106 @@
+From 24496747b648d1a7bd0d6da1ef3759f035ba1cd6 Mon Sep 17 00:00:00 2001
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Wed, 05 Mar 2014 12:47:15 +0000
+Subject: Fix buffer overflow in mount path parsing
+
+In the mount monitor we parse mount points from /proc/self/mountinfo and
+/proc/swaps. Ensure that we don't overflow the buffers on platforms where mount
+paths could be longer than PATH_MAX (unknown if that can actually happen), as
+at least the mount paths for hotpluggable devices are somewhat user-controlled.
+
+Thanks to Florian Weimer for discovering this bug, and to David Zeuthen
+for his initial patch!
+
+CVE-2014-0004
+---
+diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
+index 8af1028..e7097fa 100644
+--- a/src/udisksmountmonitor.c
++++ b/src/udisksmountmonitor.c
+@@ -38,6 +38,11 @@
+ #include "udisksmount.h"
+ #include "udisksprivate.h"
+ 
++/* build a %Ns format string macro with N == PATH_MAX */
++#define xstr(s) str(s)
++#define str(s) #s
++#define PATH_MAX_FMT "%" xstr(PATH_MAX) "s"
++
+ /**
+  * SECTION:udisksmountmonitor
+  * @title: UDisksMountMonitor
+@@ -416,8 +421,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+       guint mount_id;
+       guint parent_id;
+       guint major, minor;
+-      gchar encoded_root[PATH_MAX];
+-      gchar encoded_mount_point[PATH_MAX];
++      gchar encoded_root[PATH_MAX + 1];
++      gchar encoded_mount_point[PATH_MAX + 1];
+       gchar *mount_point;
+       dev_t dev;
+ 
+@@ -425,7 +430,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+         continue;
+ 
+       if (sscanf (lines[n],
+-                  "%d %d %d:%d %s %s",
++                  "%d %d %d:%d " PATH_MAX_FMT " " PATH_MAX_FMT,
+                   &mount_id,
+                   &parent_id,
+                   &major,
+@@ -436,6 +441,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
++      encoded_root[sizeof encoded_root - 1] = '\0';
++      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+ 
+       /* Temporary work-around for btrfs, see
+        *
+@@ -450,15 +457,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           sep = strstr (lines[n], " - ");
+           if (sep != NULL)
+             {
+-              gchar fstype[PATH_MAX];
+-              gchar mount_source[PATH_MAX];
++              gchar fstype[PATH_MAX + 1];
++              gchar mount_source[PATH_MAX + 1];
+               struct stat statbuf;
+ 
+-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
++              if (sscanf (sep + 3, PATH_MAX_FMT " " PATH_MAX_FMT, fstype, mount_source) != 2)
+                 {
+                   udisks_warning ("Error parsing things past - for '%s'", lines[n]);
+                   continue;
+                 }
++              fstype[sizeof fstype - 1] = '\0';
++              mount_source[sizeof mount_source - 1] = '\0';
+ 
+               if (g_strcmp0 (fstype, "btrfs") != 0)
+                 continue;
+@@ -546,7 +555,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+   lines = g_strsplit (contents, "\n", 0);
+   for (n = 0; lines[n] != NULL; n++)
+     {
+-      gchar filename[PATH_MAX];
++      gchar filename[PATH_MAX + 1];
+       struct stat statbuf;
+       dev_t dev;
+ 
+@@ -557,11 +566,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+       if (strlen (lines[n]) == 0)
+         continue;
+ 
+-      if (sscanf (lines[n], "%s", filename) != 1)
++      if (sscanf (lines[n], PATH_MAX_FMT, filename) != 1)
+         {
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
++      filename[sizeof filename - 1] = '\0';
+ 
+       if (stat (filename, &statbuf) != 0)
+         {
+--
+cgit v0.9.0.2-2-gbebe