Stack-based buffer overflow when handling long path names

Resolves: #1074459, CVE-2014-0004
2014-03-10 13:55:51 +01:00 · 2014-03-10 13:55:51 +01:00 · 204f08495a
parent 854aaa5970
commit 204f08495a
2 changed files with 104 additions and 1 deletions
--- a/udisks-2.x.x-CVE-2014-0004.patch
+++ b/udisks-2.x.x-CVE-2014-0004.patch
@ -0,0 +1,96 @@
+From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
+From: David Zeuthen <zeuthen@gmail.com>
+Date: Wed, 12 Feb 2014 20:01:41 -0800
+Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
+ path names
+
+Fix this by being more careful when parsing strings.
+
+Acknowledgements: This issue was discovered by Florian Weimer of the
+Red Hat Product Security Team.
+
+Signed-off-by: David Zeuthen <zeuthen@gmail.com>
+---
+ src/udisksmountmonitor.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
+index 8af1028..77cf94c 100644
+--- a/src/udisksmountmonitor.c
+++ b/src/udisksmountmonitor.c
+@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+       guint mount_id;
+       guint parent_id;
+       guint major, minor;
+-      gchar encoded_root[PATH_MAX];
+-      gchar encoded_mount_point[PATH_MAX];
+      gchar encoded_root[4096];
+      gchar encoded_mount_point[4096];
+       gchar *mount_point;
+       dev_t dev;
+ 
+@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+         continue;
+ 
+       if (sscanf (lines[n],
+-                  "%d %d %d:%d %s %s",
+                  "%d %d %d:%d %4095s %4095s",
+                   &mount_id,
+                   &parent_id,
+                   &major,
+@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
+      encoded_root[sizeof encoded_root - 1] = '\0';
+      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+ 
+       /* Temporary work-around for btrfs, see
+        *
+@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
+           sep = strstr (lines[n], " - ");
+           if (sep != NULL)
+             {
+-              gchar fstype[PATH_MAX];
+-              gchar mount_source[PATH_MAX];
+              gchar fstype[4096];
+              gchar mount_source[4096];
+               struct stat statbuf;
+ 
+-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
+              if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
+                 {
+                   udisks_warning ("Error parsing things past - for '%s'", lines[n]);
+                   continue;
+                 }
+              fstype[sizeof fstype - 1] = '\0';
+              mount_source[sizeof mount_source - 1] = '\0';
+ 
+               if (g_strcmp0 (fstype, "btrfs") != 0)
+                 continue;
+@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+   lines = g_strsplit (contents, "\n", 0);
+   for (n = 0; lines[n] != NULL; n++)
+     {
+-      gchar filename[PATH_MAX];
+      gchar filename[4096];
+       struct stat statbuf;
+       dev_t dev;
+ 
+@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
+       if (strlen (lines[n]) == 0)
+         continue;
+ 
+-      if (sscanf (lines[n], "%s", filename) != 1)
+      if (sscanf (lines[n], "%4095s", filename) != 1)
+         {
+           udisks_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
+      filename[sizeof filename - 1] = '\0';
+ 
+       if (stat (filename, &statbuf) != 0)
+         {
+-- 
+1.8.5.3
+
--- a/udisks2.spec
+++ b/udisks2.spec
@ -8,11 +8,13 @@
 Summary: Disk Manager
 Name: udisks2
 Version: 2.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freedesktop.org/wiki/Software/udisks
 Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
+# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
+Patch1: udisks-2.x.x-CVE-2014-0004.patch

 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@ -91,6 +93,7 @@ daemon. This package is for the udisks 2.x series.

 %prep
 %setup -q -n udisks-%{version}
+%patch1 -p1

 %build
 # we can't use _hardened_build here, see
@ -154,6 +157,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a

 # Note: please don't forget the %{?dist} in the changelog. Thanks
 %changelog
+* Mon Mar 10 2014 Jan Safranek <jsafrane@redhat.com>- 2.1.2-2%{?dist}
+- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
+  (#1074459)
+
 * Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
 - Update to 2.1.2