main/util-linux: security fix (CVE-2013-0157)

fixes #1827
author: Natanael Copa <ncopa@alpinelinux.org> 2013-05-20 12:52:04 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-05-20 12:52:04 +0000
commit: 4294da66f8d2b7238aebe42dd15fa8a637556675 (patch)
tree: 3e9515ed274d28e5a74e29e8b2ed3daff4d2d7f6
parent: 641df891cfde1d902d1218260e4a0821511b26f2 (diff)
download: alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.bz2
alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.xz
alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.zip
5 files changed, 281 insertions, 2 deletions
diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD
index 99f3e361c2..c74ba6dfb6 100644
--- a/main/util-linux/APKBUILD
+++ b/main/util-linux/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=util-linux
 pkgver=2.21
-pkgrel=0
+pkgrel=1
 pkgdesc="Random collection of Linux utilities"
 url="http://kernel.org/~kzak/util-linux/"
 arch="all"
@@ -14,6 +14,10 @@ install=
 source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz
        program-invocation.patch
        fix_NL_TIME_FIRST_WEEKDAY.patch
+        CVE-2013-0157.1.patch
+        CVE-2013-0157.2.patch
+        CVE-2013-0157.3.patch
+        CVE-2013-0157.4.patch
        "
 subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid"
 replaces="e2fsprogs util-linux-ng"
@@ -106,4 +110,8 @@ mcookie() {
 md5sums="4222aa8c2a1b78889e959a4722f1881a  util-linux-2.21.tar.gz
 9682a6ddd5abe65434a145ebe512c123  program-invocation.patch
-8c434a785bfaed23d8f222c14d883a82  fix_NL_TIME_FIRST_WEEKDAY.patch"
+8c434a785bfaed23d8f222c14d883a82  fix_NL_TIME_FIRST_WEEKDAY.patch
+4589e841077a5f33eb8b5385f043ff16  CVE-2013-0157.1.patch
+0f0cd3db5eb216d9cedcffbd258b850a  CVE-2013-0157.2.patch
+45104467fc67c5e16d204e1a8e0db6b3  CVE-2013-0157.3.patch
+0fdba0c56ebf1986f5dc4e6c54ee7772  CVE-2013-0157.4.patch"
diff --git a/main/util-linux/CVE-2013-0157.1.patch b/main/util-linux/CVE-2013-0157.1.patch
new file mode 100644
index 0000000000..4cc97fc3a1
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.1.patch
@@ -0,0 +1,74 @@
+From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:24:28 +0000
+Subject: lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/include/canonicalize.h b/include/canonicalize.h
+index f26df18..c149738 100644
+--- a/include/canonicalize.h
+++ b/include/canonicalize.h
+@@ -4,6 +4,7 @@
+ #include "c.h" /* for PATH_MAX */
+ 
+ extern char *canonicalize_path(const char *path);
+extern char *canonicalize_path_restricted(const char *path);
+ extern char *canonicalize_dm_name(const char *ptname);
+ 
+ #endif /* CANONICALIZE_H */
+diff --git a/lib/canonicalize.c b/lib/canonicalize.c
+index ab32c10..1e8aff4 100644
+--- a/lib/canonicalize.c
+++ b/lib/canonicalize.c
+@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
+        return strdup(canonical);
+ }
+ 
+char *
+canonicalize_path_restricted(const char *path)
+{
+       char canonical[PATH_MAX+2];
+       char *p = NULL;
+       int errsv;
+       uid_t euid;
+       gid_t egid;
+
+       if (path == NULL)
+               return NULL;
+
+       euid = geteuid();
+       egid = getegid();
+
+       /* drop permissions */
+       if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
+               return NULL;
+
+       errsv = errno = 0;
+
+       if (myrealpath(path, canonical, PATH_MAX+1)) {
+               p = strrchr(canonical, '/');
+               if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
+                       p = canonicalize_dm_name(p+1);
+               else
+                       p = NULL;
+               if (!p)
+                       p = strdup(canonical);
+       } else
+               errsv = errno;
+
+       /* restore */
+       if (setegid(egid) < 0 || seteuid(euid) < 0) {
+               free(p);
+               return NULL;
+       }
+
+       errno = errsv;
+       return p;
+}
+
+ 
+ #ifdef TEST_PROGRAM_CANONICALIZE
+ int main(int argc, char **argv)
+--
+cgit v0.9.1
diff --git a/main/util-linux/CVE-2013-0157.2.patch b/main/util-linux/CVE-2013-0157.2.patch
new file mode 100644
index 0000000000..1fe4f52c56
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.2.patch
@@ -0,0 +1,87 @@
+From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 13:30:22 +0000
+Subject: mount: sanitize paths from non-root users
+ $ mount /root/.ssh/../../dev/sda2
+ mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+this is too promiscuous. It seems better to ignore on command line
+specified paths which are not resolve-able for non-root users.
+Fixed version:
+  $ mount /root/.ssh/../../dev/sda2
+  mount: /root/.ssh/../../dev/sda2: Permission denied
+  $ mount /dev/sda2
+  mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
+Note that this bug has no relation to mount(2) permissions evaluation
+in suid mode. The way how non-root user specifies paths on command
+line is completely irrelevant for comparison with fstab entries.
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/mount.c b/sys-utils/mount.c
+index ed74177..e29e34c 100644
+--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
+@@ -38,6 +38,7 @@
+ #include "strutils.h"
+ #include "xgetpass.h"
+ #include "exitcodes.h"
+#include "canonicalize.h"
+ 
+ /*** TODO: DOCS:
+  *
+@@ -603,6 +604,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt,
+        return fstab;
+ }
+ 
+/*
+ * Check source and target paths -- non-root user should not be able to
+ * resolve paths which are unreadable for him.
+ */
+static void sanitize_paths(struct libmnt_context *cxt)
+{
+       const char *p;
+       struct libmnt_fs *fs = mnt_context_get_fs(cxt);
+
+       if (!fs)
+               return;
+
+       p = mnt_fs_get_target(fs);
+       if (p) {
+               char *np = canonicalize_path_restricted(p);
+               if (!np)
+                       err(MOUNT_EX_USAGE, "%s", p);
+               mnt_fs_set_target(fs, np);
+               free(np);
+       }
+
+       p = mnt_fs_get_srcpath(fs);
+       if (p) {
+               char *np = canonicalize_path_restricted(p);
+               if (!np)
+                       err(MOUNT_EX_USAGE, "%s", p);
+               mnt_fs_set_source(fs, np);
+               free(np);
+       }
+}
+
+ static void __attribute__((__noreturn__)) usage(FILE *out)
+ {
+        fputs(USAGE_HEADER, out);
+@@ -970,6 +1002,9 @@ int main(int argc, char **argv)
+        } else
+                usage(stderr);
+ 
+       if (mnt_context_is_restricted(cxt))
+               sanitize_paths(cxt);
+
+        if (oper) {
+                /* MS_PROPAGATION operations, let's set the mount flags */
+                mnt_context_set_mflags(cxt, oper);
+--
+cgit v0.9.1
diff --git a/main/util-linux/CVE-2013-0157.3.patch b/main/util-linux/CVE-2013-0157.3.patch
new file mode 100644
index 0000000000..23cf830c4f
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.3.patch
@@ -0,0 +1,68 @@
+From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 15:25:46 +0000
+Subject: umount: sanitize paths from non-root users
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/sys-utils/umount.c b/sys-utils/umount.c
+index 06d33de..396052c 100644
+--- a/sys-utils/umount.c
+++ b/sys-utils/umount.c
+@@ -38,6 +38,7 @@
+ #include "strutils.h"
+ #include "xgetpass.h"
+ #include "exitcodes.h"
+#include "canonicalize.h"
+ 
+ /*** TODO: DOCS:
+  *
+@@ -401,6 +402,24 @@ static int umount_recursive(struct libmnt_context *cxt, const char *spec)
+        return rc;
+ }
+ 
+/*
+ * Check path -- non-root user should not be able to resolve path which is
+ * unreadable for him.
+ */
+static char *sanitize_path(const char *path)
+{
+       char *p;
+
+       if (!path)
+               return NULL;
+
+       p = canonicalize_path_restricted(path);
+       if (!p)
+               err(MOUNT_EX_USAGE, "%s", path);
+
+       return p;
+}
+
+ int main(int argc, char **argv)
+ {
+        int c, rc = 0, all = 0, recursive = 0;
+@@ -388,9 +407,19 @@ int main(int argc, char **argv)
+        } else if (argc < 1) {
+                usage(stderr);
+ 
+-       } else while (argc--)
+-               rc += umount_one(cxt, *argv++);
+       } else {
+              while (argc--) {
+                      char *path = *argv++;
+ 
+                      if (mnt_context_is_restricted(cxt))
+                              path = sanitize_path(path);
+
+                      rc += umount_one(cxt, path);
+
+                      if (mnt_context_is_restricted(cxt))
+                              free(path);
+              }
+       }
+        mnt_free_context(cxt);
+        return rc;
+ }
+--
+cgit v0.9.1
diff --git a/main/util-linux/CVE-2013-0157.4.patch b/main/util-linux/CVE-2013-0157.4.patch
new file mode 100644
index 0000000000..bbec2225fc
--- /dev/null
+++ b/main/util-linux/CVE-2013-0157.4.patch
@@ -0,0 +1,42 @@
+From 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 26 Nov 2012 10:57:26 +0000
+Subject: mount: (deprecated) drop --guess-fstype
+The option is undocumented and unnecessary.
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+diff --git a/mount-deprecated/mount.c b/mount-deprecated/mount.c
+index ad80218..3190d2f 100644
+--- a/mount/mount.c
+++ b/mount/mount.c
+@@ -2208,7 +2208,6 @@ static struct option longopts[] = {
+        { "types", 1, 0, 't' },
+        { "bind", 0, 0, 'B' },
+        { "move", 0, 0, 'M' },
+-       { "guess-fstype", 1, 0, 134 },
+        { "rbind", 0, 0, 'R' },
+        { "make-shared", 0, 0, 136 },
+        { "make-slave", 0, 0, 137 },
+@@ -2470,18 +2469,6 @@ main(int argc, char *argv[]) {
+                case 0:
+                        break;
+ 
+-               case 134:
+-                       /* undocumented, may go away again:
+-                          call: mount --guess-fstype device
+-                          use only for testing purposes -
+-                          the guessing is not reliable at all */
+-                   {
+-                       const char *fstype;
+-                       fstype = fsprobe_get_fstype_by_devname(optarg);
+-                       printf("%s\n", fstype ? fstype : "unknown");
+-                       exit(fstype ? 0 : EX_FAIL);
+-                   }
+-
+                case 136:
+                        mounttype = MS_SHARED;
+                        break;
+--
+cgit v0.9.1
author	Natanael Copa <ncopa@alpinelinux.org>	2013-05-20 12:52:04 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-05-20 12:52:04 +0000
commit	4294da66f8d2b7238aebe42dd15fa8a637556675 (patch)
tree	3e9515ed274d28e5a74e29e8b2ed3daff4d2d7f6
parent	641df891cfde1d902d1218260e4a0821511b26f2 (diff)
download	alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.bz2 alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.tar.xz alpine_aports-4294da66f8d2b7238aebe42dd15fa8a637556675.zip

diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD index 99f3e361c2..c74ba6dfb6 100644 --- a/main/util-linux/APKBUILD +++ b/main/util-linux/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
3	pkgname=util-linux	3	pkgname=util-linux
4	pkgver=2.21	4	pkgver=2.21
5	pkgrel=0	5	pkgrel=1
6	pkgdesc="Random collection of Linux utilities"	6	pkgdesc="Random collection of Linux utilities"
7	url="http://kernel.org/~kzak/util-linux/"	7	url="http://kernel.org/~kzak/util-linux/"
8	arch="all"	8	arch="all"
@@ -14,6 +14,10 @@ install=
14	source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz	14	source="http://www.kernel.org/pub/linux/utils/util-linux/v${pkgver}/util-linux-$pkgver.tar.gz
15	program-invocation.patch	15	program-invocation.patch
16	fix_NL_TIME_FIRST_WEEKDAY.patch	16	fix_NL_TIME_FIRST_WEEKDAY.patch
		17	CVE-2013-0157.1.patch
		18	CVE-2013-0157.2.patch
		19	CVE-2013-0157.3.patch
		20	CVE-2013-0157.4.patch
17	"	21	"
18	subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid"	22	subpackages="$pkgname-doc $pkgname-dev libuuid libblkid sfdisk cfdisk mcookie blkid"
19	replaces="e2fsprogs util-linux-ng"	23	replaces="e2fsprogs util-linux-ng"
@@ -106,4 +110,8 @@ mcookie() {
106		110
107	md5sums="4222aa8c2a1b78889e959a4722f1881a util-linux-2.21.tar.gz	111	md5sums="4222aa8c2a1b78889e959a4722f1881a util-linux-2.21.tar.gz
108	9682a6ddd5abe65434a145ebe512c123 program-invocation.patch	112	9682a6ddd5abe65434a145ebe512c123 program-invocation.patch
109	8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch"	113	8c434a785bfaed23d8f222c14d883a82 fix_NL_TIME_FIRST_WEEKDAY.patch
		114	4589e841077a5f33eb8b5385f043ff16 CVE-2013-0157.1.patch
		115	0f0cd3db5eb216d9cedcffbd258b850a CVE-2013-0157.2.patch
		116	45104467fc67c5e16d204e1a8e0db6b3 CVE-2013-0157.3.patch
		117	0fdba0c56ebf1986f5dc4e6c54ee7772 CVE-2013-0157.4.patch"


diff --git a/main/util-linux/CVE-2013-0157.1.patch b/main/util-linux/CVE-2013-0157.1.patch new file mode 100644 index 0000000000..4cc97fc3a1 --- /dev/null +++ b/main/util-linux/CVE-2013-0157.1.patch
@@ -0,0 +1,74 @@
		1	From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Mon, 26 Nov 2012 15:24:28 +0000
		4	Subject: lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions
		5
		6	Signed-off-by: Karel Zak <kzak@redhat.com>
		7	---
		8	diff --git a/include/canonicalize.h b/include/canonicalize.h
		9	index f26df18..c149738 100644
		10	--- a/include/canonicalize.h
		11	+++ b/include/canonicalize.h
		12	@@ -4,6 +4,7 @@
		13	#include "c.h" /* for PATH_MAX */
		14
		15	extern char canonicalize_path(const char path);
		16	+extern char canonicalize_path_restricted(const char path);
		17	extern char canonicalize_dm_name(const char ptname);
		18
		19	#endif /* CANONICALIZE_H */
		20	diff --git a/lib/canonicalize.c b/lib/canonicalize.c
		21	index ab32c10..1e8aff4 100644
		22	--- a/lib/canonicalize.c
		23	+++ b/lib/canonicalize.c
		24	@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
		25	return strdup(canonical);
		26	}
		27
		28	+char *
		29	+canonicalize_path_restricted(const char *path)
		30	+{
		31	+ char canonical[PATH_MAX+2];
		32	+ char *p = NULL;
		33	+ int errsv;
		34	+ uid_t euid;
		35	+ gid_t egid;
		36	+
		37	+ if (path == NULL)
		38	+ return NULL;
		39	+
		40	+ euid = geteuid();
		41	+ egid = getegid();
		42	+
		43	+ /* drop permissions */
		44	+ if (setegid(getgid()) < 0 \|\| seteuid(getuid()) < 0)
		45	+ return NULL;
		46	+
		47	+ errsv = errno = 0;
		48	+
		49	+ if (myrealpath(path, canonical, PATH_MAX+1)) {
		50	+ p = strrchr(canonical, '/');
		51	+ if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
		52	+ p = canonicalize_dm_name(p+1);
		53	+ else
		54	+ p = NULL;
		55	+ if (!p)
		56	+ p = strdup(canonical);
		57	+ } else
		58	+ errsv = errno;
		59	+
		60	+ /* restore */
		61	+ if (setegid(egid) < 0 \|\| seteuid(euid) < 0) {
		62	+ free(p);
		63	+ return NULL;
		64	+ }
		65	+
		66	+ errno = errsv;
		67	+ return p;
		68	+}
		69	+
		70
		71	#ifdef TEST_PROGRAM_CANONICALIZE
		72	int main(int argc, char **argv)
		73	--
		74	cgit v0.9.1


diff --git a/main/util-linux/CVE-2013-0157.2.patch b/main/util-linux/CVE-2013-0157.2.patch new file mode 100644 index 0000000000..1fe4f52c56 --- /dev/null +++ b/main/util-linux/CVE-2013-0157.2.patch
@@ -0,0 +1,87 @@
		1	From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Mon, 26 Nov 2012 13:30:22 +0000
		4	Subject: mount: sanitize paths from non-root users
		5
		6	$ mount /root/.ssh/../../dev/sda2
		7	mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
		8
		9	this is too promiscuous. It seems better to ignore on command line
		10	specified paths which are not resolve-able for non-root users.
		11
		12	Fixed version:
		13
		14	$ mount /root/.ssh/../../dev/sda2
		15	mount: /root/.ssh/../../dev/sda2: Permission denied
		16
		17	$ mount /dev/sda2
		18	mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
		19
		20	Note that this bug has no relation to mount(2) permissions evaluation
		21	in suid mode. The way how non-root user specifies paths on command
		22	line is completely irrelevant for comparison with fstab entries.
		23
		24	Signed-off-by: Karel Zak <kzak@redhat.com>
		25	---
		26	diff --git a/sys-utils/mount.c b/sys-utils/mount.c
		27	index ed74177..e29e34c 100644
		28	--- a/sys-utils/mount.c
		29	+++ b/sys-utils/mount.c
		30	@@ -38,6 +38,7 @@
		31	#include "strutils.h"
		32	#include "xgetpass.h"
		33	#include "exitcodes.h"
		34	+#include "canonicalize.h"
		35
		36	/*** TODO: DOCS:
		37	*
		38	@@ -603,6 +604,37 @@ static struct libmnt_table append_fstab(struct libmnt_context cxt,
		39	return fstab;
		40	}
		41
		42	+/*
		43	+ * Check source and target paths -- non-root user should not be able to
		44	+ * resolve paths which are unreadable for him.
		45	+ */
		46	+static void sanitize_paths(struct libmnt_context *cxt)
		47	+{
		48	+ const char *p;
		49	+ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
		50	+
		51	+ if (!fs)
		52	+ return;
		53	+
		54	+ p = mnt_fs_get_target(fs);
		55	+ if (p) {
		56	+ char *np = canonicalize_path_restricted(p);
		57	+ if (!np)
		58	+ err(MOUNT_EX_USAGE, "%s", p);
		59	+ mnt_fs_set_target(fs, np);
		60	+ free(np);
		61	+ }
		62	+
		63	+ p = mnt_fs_get_srcpath(fs);
		64	+ if (p) {
		65	+ char *np = canonicalize_path_restricted(p);
		66	+ if (!np)
		67	+ err(MOUNT_EX_USAGE, "%s", p);
		68	+ mnt_fs_set_source(fs, np);
		69	+ free(np);
		70	+ }
		71	+}
		72	+
		73	static void __attribute__((__noreturn__)) usage(FILE *out)
		74	{
		75	fputs(USAGE_HEADER, out);
		76	@@ -970,6 +1002,9 @@ int main(int argc, char **argv)
		77	} else
		78	usage(stderr);
		79
		80	+ if (mnt_context_is_restricted(cxt))
		81	+ sanitize_paths(cxt);
		82	+
		83	if (oper) {
		84	/* MS_PROPAGATION operations, let's set the mount flags */
		85	mnt_context_set_mflags(cxt, oper);
		86	--
		87	cgit v0.9.1


diff --git a/main/util-linux/CVE-2013-0157.3.patch b/main/util-linux/CVE-2013-0157.3.patch new file mode 100644 index 0000000000..23cf830c4f --- /dev/null +++ b/main/util-linux/CVE-2013-0157.3.patch
@@ -0,0 +1,68 @@
		1	From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Mon, 26 Nov 2012 15:25:46 +0000
		4	Subject: umount: sanitize paths from non-root users
		5
		6	Signed-off-by: Karel Zak <kzak@redhat.com>
		7	---
		8	diff --git a/sys-utils/umount.c b/sys-utils/umount.c
		9	index 06d33de..396052c 100644
		10	--- a/sys-utils/umount.c
		11	+++ b/sys-utils/umount.c
		12	@@ -38,6 +38,7 @@
		13	#include "strutils.h"
		14	#include "xgetpass.h"
		15	#include "exitcodes.h"
		16	+#include "canonicalize.h"
		17
		18	/*** TODO: DOCS:
		19	*
		20	@@ -401,6 +402,24 @@ static int umount_recursive(struct libmnt_context cxt, const char spec)
		21	return rc;
		22	}
		23
		24	+/*
		25	+ * Check path -- non-root user should not be able to resolve path which is
		26	+ * unreadable for him.
		27	+ */
		28	+static char sanitize_path(const char path)
		29	+{
		30	+ char *p;
		31	+
		32	+ if (!path)
		33	+ return NULL;
		34	+
		35	+ p = canonicalize_path_restricted(path);
		36	+ if (!p)
		37	+ err(MOUNT_EX_USAGE, "%s", path);
		38	+
		39	+ return p;
		40	+}
		41	+
		42	int main(int argc, char **argv)
		43	{
		44	int c, rc = 0, all = 0, recursive = 0;
		45	@@ -388,9 +407,19 @@ int main(int argc, char **argv)
		46	} else if (argc < 1) {
		47	usage(stderr);
		48
		49	- } else while (argc--)
		50	- rc += umount_one(cxt, *argv++);
		51	+ } else {
		52	+ while (argc--) {
		53	+ char path = argv++;
		54
		55	+ if (mnt_context_is_restricted(cxt))
		56	+ path = sanitize_path(path);
		57	+
		58	+ rc += umount_one(cxt, path);
		59	+
		60	+ if (mnt_context_is_restricted(cxt))
		61	+ free(path);
		62	+ }
		63	+ }
		64	mnt_free_context(cxt);
		65	return rc;
		66	}
		67	--
		68	cgit v0.9.1


diff --git a/main/util-linux/CVE-2013-0157.4.patch b/main/util-linux/CVE-2013-0157.4.patch new file mode 100644 index 0000000000..bbec2225fc --- /dev/null +++ b/main/util-linux/CVE-2013-0157.4.patch
@@ -0,0 +1,42 @@
		1	From 0377ef91270d06592a0d4dd009c29e7b1ff9c9b8 Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Mon, 26 Nov 2012 10:57:26 +0000
		4	Subject: mount: (deprecated) drop --guess-fstype
		5
		6	The option is undocumented and unnecessary.
		7
		8	Signed-off-by: Karel Zak <kzak@redhat.com>
		9	---
		10	diff --git a/mount-deprecated/mount.c b/mount-deprecated/mount.c
		11	index ad80218..3190d2f 100644
		12	--- a/mount/mount.c
		13	+++ b/mount/mount.c
		14	@@ -2208,7 +2208,6 @@ static struct option longopts[] = {
		15	{ "types", 1, 0, 't' },
		16	{ "bind", 0, 0, 'B' },
		17	{ "move", 0, 0, 'M' },
		18	- { "guess-fstype", 1, 0, 134 },
		19	{ "rbind", 0, 0, 'R' },
		20	{ "make-shared", 0, 0, 136 },
		21	{ "make-slave", 0, 0, 137 },
		22	@@ -2470,18 +2469,6 @@ main(int argc, char *argv[]) {
		23	case 0:
		24	break;
		25
		26	- case 134:
		27	- /* undocumented, may go away again:
		28	- call: mount --guess-fstype device
		29	- use only for testing purposes -
		30	- the guessing is not reliable at all */
		31	- {
		32	- const char *fstype;
		33	- fstype = fsprobe_get_fstype_by_devname(optarg);
		34	- printf("%s\n", fstype ? fstype : "unknown");
		35	- exit(fstype ? 0 : EX_FAIL);
		36	- }
		37	-
		38	case 136:
		39	mounttype = MS_SHARED;
		40	break;
		41	--
		42	cgit v0.9.1