author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 12:52:04 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 12:52:04 +0000 |
commit | 4294da66f8d2b7238aebe42dd15fa8a637556675 (patch) | |
tree | 3e9515ed274d28e5a74e29e8b2ed3daff4d2d7f6 | |
parent | 641df891cfde1d902d1218260e4a0821511b26f2 (diff) | |
main/util-linux: security fix (CVE-2013-0157)
fixes #1827
-rw-r--r-- | main/util-linux/APKBUILD | 12 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.1.patch | 74 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.2.patch | 87 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.3.patch | 68 | ||||
-rw-r--r-- | main/util-linux/CVE-2013-0157.4.patch | 42 |
5 files changed, 281 insertions, 2 deletions
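--- a/main/util-linux/APKBUILD
+++ b/main/util-linux/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=util-linux
 pkgver=2.21
-pkgrel=0
+pkgrel=1
 pkgdesc="Random collection of Linux utilities"
 url="http://kernel.org/~kzak/util-linux/"
 arch="all"
@@ -14,6 +14,10 @@ install=
 source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz
 program-invocation.patch
 fix_NL_TIME_FIRST_WEEKDAY.patch
+CVE-2013-0157.1.patch
+CVE-2013-0157.2.patch
+CVE-2013-0157.3.patch
+CVE-2013-0157.4.patch
 "
 subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid"
 replaces="e2fsprogs util-linux-ng"
@@ -106,4 +110,8 @@ mcookie() {
 
 md5sums="4222aa8c2a1b78889e959a4722f1881a util-linux-2.21.tar.gz
 9682a6ddd5abe65434a145ebe512c123 program-invocation.patch
-8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch"
+8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch
+4589e841077a5f33eb8b5385f043ff16 CVE-2013-0157.1.patch
+0f0cd3db5eb216d9cedcffbd258b850a CVE-2013-0157.2.patch
+45104467fc67c5e16d204e1a8e0db6b3 CVE-2013-0157.3.patch
+0fdba0c56ebf1986f5dc4e6c54ee7772 CVE-2013-0157.4.patch"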
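--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.1.patch
@@ -0,0 +1,74 @@
+From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:24:28 +0000
+Subject: lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/include/canonicalize.h b/include/canonicalize.h
+index f26df18..c149738 100644
+--- a/include/canonicalize.h
++++ b/include/canonicalize.h
+@@ -4,6 +4,7 @@
+#include "c.h" /* for PATH_MAX */
+
+extern char *canonicalize_path(const char *path);
++extern char *canonicalize_path_restricted(const char *path);
+extern char *canonicalize_dm_name(const char *ptname);
+
+#endif /* CANONICALIZE_H */
+diff --git a/lib/canonicalize.c b/lib/canonicalize.c
+index ab32c10..1e8aff4 100644
+--- a/lib/canonicalize.c
++++ b/lib/canonicalize.c
+@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
+return strdup(canonical);
+}
+
++char *
++canonicalize_path_restricted(const char *path)
++{
++ char canonical[PATH_MAX+2];
++ char *p = NULL;
++ int errsv;
++ uid_t euid;
++ gid_t egid;
++
++ if (path == NULL)
++ return NULL;
++
++ euid = geteuid();
++ egid = getegid();
++
++ /* drop permissions */
++ if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
++ return NULL;
++
++ errsv = errno = 0;
++
++ if (myrealpath(path, canonical, PATH_MAX+1)) {
++ p = strrchr(canonical, '/');
++ if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
++ p = canonicalize_dm_name(p+1);
++ else
++ p = NULL;
++ if (!p)
++ p = strdup(canonical);
++ } else
++ errsv = errno;
++
++ /* restore */
++ if (setegid(egid) < 0 || seteuid(euid) < 0) {
++ free(p);
++ return NULL;
++ }
++
++ errno = errsv;
++ return p;
++}
++
+
+#ifdef TEST_PROGRAM_CANONICALIZE
+int main(int argc, char **argv)
+--
+cgit v0.9.1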
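Review bot: In canonicalize_path_restricted() the drop step `if (setegid(getgid()) < 0 || seteuid(getuid()) < 0) return NULL;` returns without undoing a setegid() that already succeeded when the following seteuid() fails, so the caller receives NULL while the effective gid has changed. The two callers added in this commit exit through err() on NULL, but the function is exported via canonicalize.h, so a later caller that handles NULL and carries on would run with a half-switched identity. I would split the test and put the group back on that path, `if (seteuid(getuid()) < 0) { setegid(egid); return NULL; }`. The prototype also deserves a comment stating the contract, for example `/* resolves path with the real uid/gid; returns a malloc()ed string the caller frees, NULL on failure */`. Separately, `isdigit(*(p + 4))` passes a plain char; `isdigit((unsigned char) p[4])` avoids a negative argument for high-bit bytes in a user-supplied path.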
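--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.2.patch
@@ -0,0 +1,87 @@
+From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 13:30:22 +0000
+Subject: mount: sanitize paths from non-root users
+
+$ mount /root/.ssh/../../dev/sda2
+mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+
+this is too promiscuous. It seems better to ignore on command line
+specified paths which are not resolve-able for non-root users.
+
+Fixed version:
+
+$ mount /root/.ssh/../../dev/sda2
+mount: /root/.ssh/../../dev/sda2: Permission denied
+
+$ mount /dev/sda2
+mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+
+Note that this bug has no relation to mount(2) permissions evaluation
+in suid mode. The way how non-root user specifies paths on command
+line is completely irrelevant for comparison with fstab entries.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/mount.c b/sys-utils/mount.c
+index ed74177..e29e34c 100644
+--- a/sys-utils/mount.c
++++ b/sys-utils/mount.c
+@@ -38,6 +38,7 @@
+#include "strutils.h"
+#include "xgetpass.h"
+#include "exitcodes.h"
++#include "canonicalize.h"
+
+/*** TODO: DOCS:
+*
+@@ -603,6 +604,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt,
+return fstab;
+}
+
++/*
++ * Check source and target paths -- non-root user should not be able to
++ * resolve paths which are unreadable for him.
++ */
++static void sanitize_paths(struct libmnt_context *cxt)
++{
++ const char *p;
++ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
++
++ if (!fs)
++ return;
++
++ p = mnt_fs_get_target(fs);
++ if (p) {
++ char *np = canonicalize_path_restricted(p);
++ if (!np)
++ err(MOUNT_EX_USAGE, "%s", p);
++ mnt_fs_set_target(fs, np);
++ free(np);
++ }
++
++ p = mnt_fs_get_srcpath(fs);
++ if (p) {
++ char *np = canonicalize_path_restricted(p);
++ if (!np)
++ err(MOUNT_EX_USAGE, "%s", p);
++ mnt_fs_set_source(fs, np);
++ free(np);
++ }
++}
++
+static void __attribute__((__noreturn__)) usage(FILE *out)
+{
+fputs(USAGE_HEADER, out);
+@@ -970,6 +1002,9 @@ int main(int argc, char **argv)
+} else
+usage(stderr);
+
++ if (mnt_context_is_restricted(cxt))
++ sanitize_paths(cxt);
++
+if (oper) {
+/* MS_PROPAGATION operations, let's set the mount flags */
+mnt_context_set_mflags(cxt, oper);
+--
+cgit v0.9.1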
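Review bot: sanitize_paths() discards the results of `mnt_fs_set_target(fs, np)` and `mnt_fs_set_source(fs, np)`, so if either setter fails (presumably on allocation failure; confirm against libmount) the entry keeps the path exactly as the unprivileged user typed it and mount carries on with that string. Checking the result keeps the restricted path fail-closed, for example `if (mnt_fs_set_target(fs, np) != 0) err(MOUNT_EX_SYSERR, "%s", np);` and the same for the source. The comment above the function could also say that it exits on an unresolvable path rather than returning, since the `void` signature hides that. main()'s body starts and ends outside the last hunk, so where this call sits relative to option handling cannot be checked from here.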
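--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.3.patch
@@ -0,0 +1,68 @@
+From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:25:46 +0000
+Subject: umount: sanitize paths from non-root users
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/umount.c b/sys-utils/umount.c
+index 06d33de..396052c 100644
+--- a/sys-utils/umount.c
++++ b/sys-utils/umount.c
+@@ -38,6 +38,7 @@
+#include "strutils.h"
+#include "xgetpass.h"
+#include "exitcodes.h"
++#include "canonicalize.h"
+
+/*** TODO: DOCS:
+*
+@@ -401,6 +402,24 @@ static int umount_recursive(struct libmnt_context *cxt, const char *spec)
+return rc;
+}
+
++/*
++ * Check path -- non-root user should not be able to resolve path which is
++ * unreadable for him.
++ */
++static char *sanitize_path(const char *path)
++{
++ char *p;
++
++ if (!path)
++ return NULL;
++
++ p = canonicalize_path_restricted(path);
++ if (!p)
++ err(MOUNT_EX_USAGE, "%s", path);
++
++ return p;
++}
++
+int main(int argc, char **argv)
+{
+int c, rc = 0, all = 0, recursive = 0;
+@@ -388,9 +407,19 @@ int main(int argc, char **argv)
+} else if (argc < 1) {
+usage(stderr);
+
+- } else while (argc--)
+- rc += umount_one(cxt, *argv++);
++ } else {
++ while (argc--) {
++ char *path = *argv++;
+
++ if (mnt_context_is_restricted(cxt))
++ path = sanitize_path(path);
++
++ rc += umount_one(cxt, path);
++
++ if (mnt_context_is_restricted(cxt))
++ free(path);
++ }
++ }
+mnt_free_context(cxt);
+return rc;
+}
+--
+cgit v0.9.1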
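Review bot: In the rewritten umount loop, whether `path` is freed is decided by a second `mnt_context_is_restricted(cxt)` call made after `umount_one()`, so ownership of the pointer is inferred from context state rather than tracked. If the two calls ever disagreed, the loop would either pass an argv element to free() or leak the canonicalized copy. Holding the allocation in its own variable removes that dependency: `char *np = mnt_context_is_restricted(cxt) ? sanitize_path(*argv) : NULL;`, `rc += umount_one(cxt, np ? np : *argv); argv++;`, `free(np);`. Only the final branch of main() is visible in this hunk, so whether the other branches of that if/else chain (outside the hunk) need the same sanitizing cannot be judged from here.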
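--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.4.patch
@@ -0,0 +1,42 @@
+From 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 10:57:26 +0000
+Subject: mount: (deprecated) drop --guess-fstype
+
+The option is undocumented and unnecessary.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/mount-deprecated/mount.c b/mount-deprecated/mount.c
+index ad80218..3190d2f 100644
+--- a/mount/mount.c
++++ b/mount/mount.c
+@@ -2208,7 +2208,6 @@ static struct option longopts[] = {
+{ "types", 1, 0, 't' },
+{ "bind", 0, 0, 'B' },
+{ "move", 0, 0, 'M' },
+- { "guess-fstype", 1, 0, 134 },
+{ "rbind", 0, 0, 'R' },
+{ "make-shared", 0, 0, 136 },
+{ "make-slave", 0, 0, 137 },
+@@ -2470,18 +2469,6 @@ main(int argc, char *argv[]) {
+case 0:
+break;
+
+- case 134:
+- /* undocumented, may go away again:
+- call: mount --guess-fstype device
+- use only for testing purposes -
+- the guessing is not reliable at all */
+- {
+- const char *fstype;
+- fstype = fsprobe_get_fstype_by_devname(optarg);
+- printf("%s\n", fstype ? fstype : "unknown");
+- exit(fstype ? 0 : EX_FAIL);
+- }
+-
+case 136:
+mounttype = MS_SHARED;
+break;
+--
+cgit v0.9.1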