authorNatanael Copa <ncopa@alpinelinux.org>2013-05-20 12:52:04 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-20 12:52:04 +0000
commit4294da66f8d2b7238aebe42dd15fa8a637556675 (patch)
tree3e9515ed274d28e5a74e29e8b2ed3daff4d2d7f6 /main/util-linux
parent641df891cfde1d902d1218260e4a0821511b26f2 (diff)
main/util-linux: security fix (CVE-2013-0157)
fixes #1827
Diffstat (limited to 'main/util-linux')
-rw-r--r--main/util-linux/APKBUILD12
-rw-r--r--main/util-linux/CVE-2013-0157.1.patch74
-rw-r--r--main/util-linux/CVE-2013-0157.2.patch87
-rw-r--r--main/util-linux/CVE-2013-0157.3.patch68
-rw-r--r--main/util-linux/CVE-2013-0157.4.patch42
5 files changed, 281 insertions, 2 deletions
diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD
index 99f3e361c..c74ba6dfb 100644
--- a/main/util-linux/APKBUILD
+++ b/main/util-linux/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=util-linux
pkgver=2.21
-pkgrel=0
+pkgrel=1
pkgdesc="Random collection of Linux utilities"
url="http://kernel.org/~kzak/util-linux/"
arch="all"
@@ -14,6 +14,10 @@ install=
source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz
program-invocation.patch
fix_NL_TIME_FIRST_WEEKDAY.patch
+ CVE-2013-0157.1.patch
+ CVE-2013-0157.2.patch
+ CVE-2013-0157.3.patch
+ CVE-2013-0157.4.patch
"
subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid"
replaces="e2fsprogs util-linux-ng"
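Review bot: The four patches added to `source` do not all touch the same mount implementation: patches 2 and 3 change `sys-utils/mount.c` and `sys-utils/umount.c`, while patch 4 changes `mount/mount.c` and only removes `--guess-fstype`. Which of those files produce the installed `mount` and `umount` depends on configure options that are outside this hunk. It is worth confirming that the suid binaries shipped by the package are built from the files that gained the `canonicalize_path_restricted()` calls; otherwise the path-resolution leak described in patch 2 would remain in the packaged tools. A comment beside the patch list, for example `# CVE-2013-0157: backported upstream commits, see #1827`, would also record where the patches came from.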
@@ -106,4 +110,8 @@ mcookie() {
md5sums="4222aa8c2a1b78889e959a4722f1881a util-linux-2.21.tar.gz
9682a6ddd5abe65434a145ebe512c123 program-invocation.patch
-8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch"
+8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch
+4589e841077a5f33eb8b5385f043ff16 CVE-2013-0157.1.patch
+0f0cd3db5eb216d9cedcffbd258b850a CVE-2013-0157.2.patch
+45104467fc67c5e16d204e1a8e0db6b3 CVE-2013-0157.3.patch
+0fdba0c56ebf1986f5dc4e6c54ee7772 CVE-2013-0157.4.patch"
diff --git a/main/util-linux/CVE-2013-0157.1.patch b/main/util-linux/CVE-2013-0157.1.patch
new file mode 100644
index 000000000..4cc97fc3a
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.1.patch
@@ -0,0 +1,74 @@
+From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:24:28 +0000
+Subject: lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/include/canonicalize.h b/include/canonicalize.h
+index f26df18..c149738 100644
+--- a/include/canonicalize.h
++++ b/include/canonicalize.h
+@@ -4,6 +4,7 @@
+ #include "c.h" /* for PATH_MAX */
+
+ extern char *canonicalize_path(const char *path);
++extern char *canonicalize_path_restricted(const char *path);
+ extern char *canonicalize_dm_name(const char *ptname);
+
+ #endif /* CANONICALIZE_H */
+diff --git a/lib/canonicalize.c b/lib/canonicalize.c
+index ab32c10..1e8aff4 100644
+--- a/lib/canonicalize.c
++++ b/lib/canonicalize.c
+@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
+ return strdup(canonical);
+ }
+
++char *
++canonicalize_path_restricted(const char *path)
++{
++ char canonical[PATH_MAX+2];
++ char *p = NULL;
++ int errsv;
++ uid_t euid;
++ gid_t egid;
++
++ if (path == NULL)
++ return NULL;
++
++ euid = geteuid();
++ egid = getegid();
++
++ /* drop permissions */
++ if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
++ return NULL;
++
++ errsv = errno = 0;
++
++ if (myrealpath(path, canonical, PATH_MAX+1)) {
++ p = strrchr(canonical, '/');
++ if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
++ p = canonicalize_dm_name(p+1);
++ else
++ p = NULL;
++ if (!p)
++ p = strdup(canonical);
++ } else
++ errsv = errno;
++
++ /* restore */
++ if (setegid(egid) < 0 || seteuid(euid) < 0) {
++ free(p);
++ return NULL;
++ }
++
++ errno = errsv;
++ return p;
++}
++
+
+ #ifdef TEST_PROGRAM_CANONICALIZE
+ int main(int argc, char **argv)
+--
+cgit v0.9.1
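Review bot: In `canonicalize_path_restricted()` a failed `strdup(canonical)` is reported with `errno` cleared, because `errsv` is only assigned on the `myrealpath()` failure branch and `errno = errsv` then writes 0 before the NULL return. The callers added in patches 2 and 3 pass that NULL straight to `err()`, so the message would carry no real cause. Recording the failure, e.g. `if (!p && !(p = strdup(canonical))) errsv = errno;`, keeps the diagnostic meaningful. Separately, `isdigit(*(p + 4))` receives a plain `char`; `isdigit((unsigned char) p[4])` avoids undefined behaviour for bytes above 0x7f. If `setegid(getgid())` succeeds and `seteuid(getuid())` then fails, the function returns with the group id changed and not restored, so a header comment stating that callers must treat NULL as fatal would be useful.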
diff --git a/main/util-linux/CVE-2013-0157.2.patch b/main/util-linux/CVE-2013-0157.2.patch
new file mode 100644
index 000000000..1fe4f52c5
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.2.patch
@@ -0,0 +1,87 @@
+From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 13:30:22 +0000
+Subject: mount: sanitize paths from non-root users
+
+ $ mount /root/.ssh/../../dev/sda2
+ mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+
+this is too promiscuous. It seems better to ignore on command line
+specified paths which are not resolve-able for non-root users.
+
+Fixed version:
+
+ $ mount /root/.ssh/../../dev/sda2
+ mount: /root/.ssh/../../dev/sda2: Permission denied
+
+ $ mount /dev/sda2
+ mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+
+Note that this bug has no relation to mount(2) permissions evaluation
+in suid mode. The way how non-root user specifies paths on command
+line is completely irrelevant for comparison with fstab entries.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/mount.c b/sys-utils/mount.c
+index ed74177..e29e34c 100644
+--- a/sys-utils/mount.c
++++ b/sys-utils/mount.c
+@@ -38,6 +38,7 @@
+ #include "strutils.h"
+ #include "xgetpass.h"
+ #include "exitcodes.h"
++#include "canonicalize.h"
+
+ /*** TODO: DOCS:
+ *
+@@ -603,6 +604,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt,
+ return fstab;
+ }
+
++/*
++ * Check source and target paths -- non-root user should not be able to
++ * resolve paths which are unreadable for him.
++ */
++static void sanitize_paths(struct libmnt_context *cxt)
++{
++ const char *p;
++ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
++
++ if (!fs)
++ return;
++
++ p = mnt_fs_get_target(fs);
++ if (p) {
++ char *np = canonicalize_path_restricted(p);
++ if (!np)
++ err(MOUNT_EX_USAGE, "%s", p);
++ mnt_fs_set_target(fs, np);
++ free(np);
++ }
++
++ p = mnt_fs_get_srcpath(fs);
++ if (p) {
++ char *np = canonicalize_path_restricted(p);
++ if (!np)
++ err(MOUNT_EX_USAGE, "%s", p);
++ mnt_fs_set_source(fs, np);
++ free(np);
++ }
++}
++
+ static void __attribute__((__noreturn__)) usage(FILE *out)
+ {
+ fputs(USAGE_HEADER, out);
+@@ -970,6 +1002,9 @@ int main(int argc, char **argv)
+ } else
+ usage(stderr);
+
++ if (mnt_context_is_restricted(cxt))
++ sanitize_paths(cxt);
++
+ if (oper) {
+ /* MS_PROPAGATION operations, let's set the mount flags */
+ mnt_context_set_mflags(cxt, oper);
+--
+cgit v0.9.1
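Review bot: `sanitize_paths()` discards the results of `mnt_fs_set_target()` and `mnt_fs_set_source()`. Both return an int status, and if either fails the `libmnt_fs` presumably keeps the path exactly as the unprivileged user typed it while mount carries on. Treating a non-zero return as fatal, the same way as the NULL case, closes that gap: `if (mnt_fs_set_target(fs, np)) errx(MOUNT_EX_USAGE, "%s: failed to set path", p);`, and likewise for the source. The comment above the function could also say that it exits through `err()` on the first path the caller's real uid/gid cannot resolve, since the `void` return type hides that.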
diff --git a/main/util-linux/CVE-2013-0157.3.patch b/main/util-linux/CVE-2013-0157.3.patch
new file mode 100644
index 000000000..23cf830c4
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.3.patch
@@ -0,0 +1,68 @@
+From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:25:46 +0000
+Subject: umount: sanitize paths from non-root users
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/umount.c b/sys-utils/umount.c
+index 06d33de..396052c 100644
+--- a/sys-utils/umount.c
++++ b/sys-utils/umount.c
+@@ -38,6 +38,7 @@
+ #include "strutils.h"
+ #include "xgetpass.h"
+ #include "exitcodes.h"
++#include "canonicalize.h"
+
+ /*** TODO: DOCS:
+ *
+@@ -401,6 +402,24 @@ static int umount_recursive(struct libmnt_context *cxt, const char *spec)
+ return rc;
+ }
+
++/*
++ * Check path -- non-root user should not be able to resolve path which is
++ * unreadable for him.
++ */
++static char *sanitize_path(const char *path)
++{
++ char *p;
++
++ if (!path)
++ return NULL;
++
++ p = canonicalize_path_restricted(path);
++ if (!p)
++ err(MOUNT_EX_USAGE, "%s", path);
++
++ return p;
++}
++
+ int main(int argc, char **argv)
+ {
+ int c, rc = 0, all = 0, recursive = 0;
+@@ -388,9 +407,19 @@ int main(int argc, char **argv)
+ } else if (argc < 1) {
+ usage(stderr);
+
+- } else while (argc--)
+- rc += umount_one(cxt, *argv++);
++ } else {
++ while (argc--) {
++ char *path = *argv++;
+
++ if (mnt_context_is_restricted(cxt))
++ path = sanitize_path(path);
++
++ rc += umount_one(cxt, path);
++
++ if (mnt_context_is_restricted(cxt))
++ free(path);
++ }
++ }
+ mnt_free_context(cxt);
+ return rc;
+ }
+--
+cgit v0.9.1
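Review bot: In the rewritten loop in umount's `main()`, `free(path)` is guarded by a second call to `mnt_context_is_restricted(cxt)` made after `umount_one()`. If the two calls ever disagreed, the code would either free an `argv` string or leak the canonical copy. Capturing the answer once before the loop, `int restricted = mnt_context_is_restricted(cxt);`, and testing `restricted` in both places ties the allocation to its free. Only this final `else` branch is visible in the hunk, so whether the earlier branches of `main()` also take user-supplied paths that need `sanitize_path()` cannot be judged from here. The embedded hunk headers also run backwards (`-401` before `-388`), which suggests hand editing, so check in the build log that the patch applies without fuzz.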
diff --git a/main/util-linux/CVE-2013-0157.4.patch b/main/util-linux/CVE-2013-0157.4.patch
new file mode 100644
index 000000000..bbec2225f
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.4.patch
@@ -0,0 +1,42 @@
+From 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 10:57:26 +0000
+Subject: mount: (deprecated) drop --guess-fstype
+
+The option is undocumented and unnecessary.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/mount-deprecated/mount.c b/mount-deprecated/mount.c
+index ad80218..3190d2f 100644
+--- a/mount/mount.c
++++ b/mount/mount.c
+@@ -2208,7 +2208,6 @@ static struct option longopts[] = {
+ { "types", 1, 0, 't' },
+ { "bind", 0, 0, 'B' },
+ { "move", 0, 0, 'M' },
+- { "guess-fstype", 1, 0, 134 },
+ { "rbind", 0, 0, 'R' },
+ { "make-shared", 0, 0, 136 },
+ { "make-slave", 0, 0, 137 },
+@@ -2470,18 +2469,6 @@ main(int argc, char *argv[]) {
+ case 0:
+ break;
+
+- case 134:
+- /* undocumented, may go away again:
+- call: mount --guess-fstype device
+- use only for testing purposes -
+- the guessing is not reliable at all */
+- {
+- const char *fstype;
+- fstype = fsprobe_get_fstype_by_devname(optarg);
+- printf("%s\n", fstype ? fstype : "unknown");
+- exit(fstype ? 0 : EX_FAIL);
+- }
+-
+ case 136:
+ mounttype = MS_SHARED;
+ break;
+--
+cgit v0.9.1
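Review bot: The embedded patch disagrees with itself about its target: the `diff --git` line names `mount-deprecated/mount.c`, while the `---`/`+++` lines name `mount/mount.c`. patch(1) normally follows the `---`/`+++` lines, so it probably applies, but the mismatch looks like a manual retarget to the 2.21 tree layout. A line in the patch header such as `Adjusted for util-linux 2.21: mount-deprecated/ -> mount/` would document that for whoever next rebases these CVE patches. Note also that this patch only deletes the `--guess-fstype` option; it adds no path canonicalization to `mount/mount.c`.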