diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 12:52:04 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 12:52:04 +0000 |
commit | 4294da66f8d2b7238aebe42dd15fa8a637556675 (patch) | |
tree | 3e9515ed274d28e5a74e29e8b2ed3daff4d2d7f6 /main/util-linux | |
parent | 641df891cfde1d902d1218260e4a0821511b26f2 (diff) | |
download | aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.bz2 aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.xz |
main/util-linux: security fix (CVE-2013-0157)
fixes #1827
Diffstat (limited to 'main/util-linux')
-rw-r--r-- | main/util-linux/APKBUILD | 12 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.1.patch | 74 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.2.patch | 87 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.3.patch | 68 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.4.patch | 42 |
5 files changed, 281 insertions, 2 deletions
diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD index 99f3e361c..c74ba6dfb 100644 --- a/main/util-linux/APKBUILD +++ b/main/util-linux/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=util-linux pkgver=2.21 -pkgrel=0 +pkgrel=1 pkgdesc="Random collection of Linux utilities" url="http://kernel.org/~kzak/util-linux/" arch="all" @@ -14,6 +14,10 @@ install= source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz program-invocation.patch fix_NL_TIME_FIRST_WEEKDAY.patch + CVE-2013-0157.1.patch + CVE-2013-0157.2.patch + CVE-2013-0157.3.patch + CVE-2013-0157.4.patch " subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid" replaces="e2fsprogs util-linux-ng" @@ -106,4 +110,8 @@ mcookie() { md5sums="4222aa8c2a1b78889e959a4722f1881a util-linux-2.21.tar.gz 9682a6ddd5abe65434a145ebe512c123 program-invocation.patch -8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch" +8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch +4589e841077a5f33eb8b5385f043ff16 CVE-2013-0157.1.patch +0f0cd3db5eb216d9cedcffbd258b850a CVE-2013-0157.2.patch +45104467fc67c5e16d204e1a8e0db6b3 CVE-2013-0157.3.patch +0fdba0c56ebf1986f5dc4e6c54ee7772 CVE-2013-0157.4.patch" diff --git a/main/util-linux/CVE-2013-0157.1.patch b/main/util-linux/CVE-2013-0157.1.patch new file mode 100644 index 000000000..4cc97fc3a --- /dev/null +++ b/main/util-linux/CVE-2013-0157.1.patch @@ -0,0 +1,74 @@ +From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Mon, 26 Nov 2012 15:24:28 +0000 +Subject: lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- +diff --git a/include/canonicalize.h b/include/canonicalize.h +index f26df18..c149738 100644 +--- a/include/canonicalize.h ++++ b/include/canonicalize.h +@@ -4,6 +4,7 @@ + #include "c.h" /* for PATH_MAX */ + + extern char *canonicalize_path(const char *path); ++extern char *canonicalize_path_restricted(const char *path); + extern char *canonicalize_dm_name(const char *ptname); + + #endif /* CANONICALIZE_H */ +diff --git a/lib/canonicalize.c b/lib/canonicalize.c +index ab32c10..1e8aff4 100644 +--- a/lib/canonicalize.c ++++ b/lib/canonicalize.c +@@ -188,6 +188,48 @@ canonicalize_path(const char *path) + return strdup(canonical); + } + ++char * ++canonicalize_path_restricted(const char *path) ++{ ++ char canonical[PATH_MAX+2]; ++ char *p = NULL; ++ int errsv; ++ uid_t euid; ++ gid_t egid; ++ ++ if (path == NULL) ++ return NULL; ++ ++ euid = geteuid(); ++ egid = getegid(); ++ ++ /* drop permissions */ ++ if (setegid(getgid()) < 0 || seteuid(getuid()) < 0) ++ return NULL; ++ ++ errsv = errno = 0; ++ ++ if (myrealpath(path, canonical, PATH_MAX+1)) { ++ p = strrchr(canonical, '/'); ++ if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4))) ++ p = canonicalize_dm_name(p+1); ++ else ++ p = NULL; ++ if (!p) ++ p = strdup(canonical); ++ } else ++ errsv = errno; ++ ++ /* restore */ ++ if (setegid(egid) < 0 || seteuid(euid) < 0) { ++ free(p); ++ return NULL; ++ } ++ ++ errno = errsv; ++ return p; ++} ++ + + #ifdef TEST_PROGRAM_CANONICALIZE + int main(int argc, char **argv) +-- +cgit v0.9.1 diff --git a/main/util-linux/CVE-2013-0157.2.patch b/main/util-linux/CVE-2013-0157.2.patch new file mode 100644 index 000000000..1fe4f52c5 --- /dev/null +++ b/main/util-linux/CVE-2013-0157.2.patch @@ -0,0 +1,87 @@ +From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Mon, 26 Nov 2012 13:30:22 +0000 +Subject: mount: sanitize paths from non-root users + + $ mount /root/.ssh/../../dev/sda2 + mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot + +this is too promiscuous. It seems better to ignore on command line +specified paths which are not resolve-able for non-root users. + +Fixed version: + + $ mount /root/.ssh/../../dev/sda2 + mount: /root/.ssh/../../dev/sda2: Permission denied + + $ mount /dev/sda2 + mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot + +Note that this bug has no relation to mount(2) permissions evaluation +in suid mode. The way how non-root user specifies paths on command +line is completely irrelevant for comparison with fstab entries. + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- +diff --git a/sys-utils/mount.c b/sys-utils/mount.c +index ed74177..e29e34c 100644 +--- a/sys-utils/mount.c ++++ b/sys-utils/mount.c +@@ -38,6 +38,7 @@ + #include "strutils.h" + #include "xgetpass.h" + #include "exitcodes.h" ++#include "canonicalize.h" + + /*** TODO: DOCS: + * +@@ -603,6 +604,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt, + return fstab; + } + ++/* ++ * Check source and target paths -- non-root user should not be able to ++ * resolve paths which are unreadable for him. ++ */ ++static void sanitize_paths(struct libmnt_context *cxt) ++{ ++ const char *p; ++ struct libmnt_fs *fs = mnt_context_get_fs(cxt); ++ ++ if (!fs) ++ return; ++ ++ p = mnt_fs_get_target(fs); ++ if (p) { ++ char *np = canonicalize_path_restricted(p); ++ if (!np) ++ err(MOUNT_EX_USAGE, "%s", p); ++ mnt_fs_set_target(fs, np); ++ free(np); ++ } ++ ++ p = mnt_fs_get_srcpath(fs); ++ if (p) { ++ char *np = canonicalize_path_restricted(p); ++ if (!np) ++ err(MOUNT_EX_USAGE, "%s", p); ++ mnt_fs_set_source(fs, np); ++ free(np); ++ } ++} ++ + static void __attribute__((__noreturn__)) usage(FILE *out) + { + fputs(USAGE_HEADER, out); +@@ -970,6 +1002,9 @@ int main(int argc, char **argv) + } else + usage(stderr); + ++ if (mnt_context_is_restricted(cxt)) ++ sanitize_paths(cxt); ++ + if (oper) { + /* MS_PROPAGATION operations, let's set the mount flags */ + mnt_context_set_mflags(cxt, oper); +-- +cgit v0.9.1 diff --git a/main/util-linux/CVE-2013-0157.3.patch b/main/util-linux/CVE-2013-0157.3.patch new file mode 100644 index 000000000..23cf830c4 --- /dev/null +++ b/main/util-linux/CVE-2013-0157.3.patch @@ -0,0 +1,68 @@ +From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Mon, 26 Nov 2012 15:25:46 +0000 +Subject: umount: sanitize paths from non-root users + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- +diff --git a/sys-utils/umount.c b/sys-utils/umount.c +index 06d33de..396052c 100644 +--- a/sys-utils/umount.c ++++ b/sys-utils/umount.c +@@ -38,6 +38,7 @@ + #include "strutils.h" + #include "xgetpass.h" + #include "exitcodes.h" ++#include "canonicalize.h" + + /*** TODO: DOCS: + * +@@ -401,6 +402,24 @@ static int umount_recursive(struct libmnt_context *cxt, const char *spec) + return rc; + } + ++/* ++ * Check path -- non-root user should not be able to resolve path which is ++ * unreadable for him. ++ */ ++static char *sanitize_path(const char *path) ++{ ++ char *p; ++ ++ if (!path) ++ return NULL; ++ ++ p = canonicalize_path_restricted(path); ++ if (!p) ++ err(MOUNT_EX_USAGE, "%s", path); ++ ++ return p; ++} ++ + int main(int argc, char **argv) + { + int c, rc = 0, all = 0, recursive = 0; +@@ -388,9 +407,19 @@ int main(int argc, char **argv) + } else if (argc < 1) { + usage(stderr); + +- } else while (argc--) +- rc += umount_one(cxt, *argv++); ++ } else { ++ while (argc--) { ++ char *path = *argv++; + ++ if (mnt_context_is_restricted(cxt)) ++ path = sanitize_path(path); ++ ++ rc += umount_one(cxt, path); ++ ++ if (mnt_context_is_restricted(cxt)) ++ free(path); ++ } ++ } + mnt_free_context(cxt); + return rc; + } +-- +cgit v0.9.1 diff --git a/main/util-linux/CVE-2013-0157.4.patch b/main/util-linux/CVE-2013-0157.4.patch new file mode 100644 index 000000000..bbec2225f --- /dev/null +++ b/main/util-linux/CVE-2013-0157.4.patch @@ -0,0 +1,42 @@ +From 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8 Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Mon, 26 Nov 2012 10:57:26 +0000 +Subject: mount: (deprecated) drop --guess-fstype + +The option is undocumented and unnecessary. + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- +diff --git a/mount-deprecated/mount.c b/mount-deprecated/mount.c +index ad80218..3190d2f 100644 +--- a/mount/mount.c ++++ b/mount/mount.c +@@ -2208,7 +2208,6 @@ static struct option longopts[] = { + { "types", 1, 0, 't' }, + { "bind", 0, 0, 'B' }, + { "move", 0, 0, 'M' }, +- { "guess-fstype", 1, 0, 134 }, + { "rbind", 0, 0, 'R' }, + { "make-shared", 0, 0, 136 }, + { "make-slave", 0, 0, 137 }, +@@ -2470,18 +2469,6 @@ main(int argc, char *argv[]) { + case 0: + break; + +- case 134: +- /* undocumented, may go away again: +- call: mount --guess-fstype device +- use only for testing purposes - +- the guessing is not reliable at all */ +- { +- const char *fstype; +- fstype = fsprobe_get_fstype_by_devname(optarg); +- printf("%s\n", fstype ? fstype : "unknown"); +- exit(fstype ? 0 : EX_FAIL); +- } +- + case 136: + mounttype = MS_SHARED; + break; +-- +cgit v0.9.1 |