Compare commits

...

2 Commits
rawhide ... f19

Author SHA1 Message Date
Jan Safranek 52224015e6 Stack-based buffer overflow when handling long path names
Resolves: #1074459, CVE-2014-0004
2014-03-10 13:55:51 +01:00
Tomas Bzatek e183f05091 Update to 2.1.2 2014-01-15 16:34:15 +01:00
5 changed files with 109 additions and 34 deletions

.gitignore vendored

@ -13,3 +13,4 @@
/udisks-2.0.90.tar.bz2
/udisks-2.0.91.tar.bz2
/udisks-2.1.0.tar.bz2
/udisks-2.1.2.tar.bz2


@ -1 +1 @@
a8c806034f096a8b10dfae1c4a917d0c udisks-2.1.0.tar.bz2
bc5c4dc209f517e15b655302b028e3e6 udisks-2.1.2.tar.bz2


@ -1,26 +0,0 @@
From b841e30a98459816dfc49a735d3db4355a88edcd Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@gmail.com>
Date: Tue, 19 Mar 2013 04:31:40 +0000
Subject: Properly identify firewire devices as non-system devices
This was reported in bug 62077.
https://bugs.freedesktop.org/show_bug.cgi?id=62077
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
---
diff --git a/src/udiskslinuxblock.c b/src/udiskslinuxblock.c
index a1781cf..d619850 100644
--- a/src/udiskslinuxblock.c
+++ b/src/udiskslinuxblock.c
@@ -354,7 +354,7 @@ update_hints (UDisksLinuxBlock *block,
connection_bus = udisks_drive_get_connection_bus (drive);
removable = udisks_drive_get_media_removable (drive);
if (removable ||
- (g_strcmp0 (connection_bus, "usb") == 0 || g_strcmp0 (connection_bus, "firewire") == 0) ||
+ (g_strcmp0 (connection_bus, "usb") == 0 || g_strcmp0 (connection_bus, "ieee1394") == 0) ||
(g_str_has_prefix (device_file, "/dev/mmcblk") || g_str_has_prefix (device_file, "/dev/mspblk")))
{
hint_system = FALSE;
--
cgit v0.9.0.2-2-gbebe


@ -0,0 +1,96 @@
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@gmail.com>
Date: Wed, 12 Feb 2014 20:01:41 -0800
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
path names
Fix this by being more careful when parsing strings.
Acknowledgements: This issue was discovered by Florian Weimer of the
Red Hat Product Security Team.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
---
src/udisksmountmonitor.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
index 8af1028..77cf94c 100644
--- a/src/udisksmountmonitor.c
+++ b/src/udisksmountmonitor.c
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
guint mount_id;
guint parent_id;
guint major, minor;
- gchar encoded_root[PATH_MAX];
- gchar encoded_mount_point[PATH_MAX];
+ gchar encoded_root[4096];
+ gchar encoded_mount_point[4096];
gchar *mount_point;
dev_t dev;
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
continue;
if (sscanf (lines[n],
- "%d %d %d:%d %s %s",
+ "%d %d %d:%d %4095s %4095s",
&mount_id,
&parent_id,
&major,
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
udisks_warning ("Error parsing line '%s'", lines[n]);
continue;
}
+ encoded_root[sizeof encoded_root - 1] = '\0';
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
/* Temporary work-around for btrfs, see
*
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
sep = strstr (lines[n], " - ");
if (sep != NULL)
{
- gchar fstype[PATH_MAX];
- gchar mount_source[PATH_MAX];
+ gchar fstype[4096];
+ gchar mount_source[4096];
struct stat statbuf;
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
{
udisks_warning ("Error parsing things past - for '%s'", lines[n]);
continue;
}
+ fstype[sizeof fstype - 1] = '\0';
+ mount_source[sizeof mount_source - 1] = '\0';
if (g_strcmp0 (fstype, "btrfs") != 0)
continue;
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
lines = g_strsplit (contents, "\n", 0);
for (n = 0; lines[n] != NULL; n++)
{
- gchar filename[PATH_MAX];
+ gchar filename[4096];
struct stat statbuf;
dev_t dev;
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
if (strlen (lines[n]) == 0)
continue;
- if (sscanf (lines[n], "%s", filename) != 1)
+ if (sscanf (lines[n], "%4095s", filename) != 1)
{
udisks_warning ("Error parsing line '%s'", lines[n]);
continue;
}
+ filename[sizeof filename - 1] = '\0';
if (stat (filename, &statbuf) != 0)
{
--
1.8.5.3
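Review bot: An over-long field is now truncated silently instead of being rejected: with `%4095s` the write stays inside the 4096-byte buffer, but sscanf still returns the expected count, so in udisks_mount_monitor_get_swaps a cut-off `filename` goes on to `stat ()`, and in the two-field calls the second `%4095s` picks up the tail of the truncated token rather than the next field. I would record where the token ended and reject the line when it did not end at a separator, e.g. with `gint end = 0;` and `if (sscanf (lines[n], "%4095s%n", filename, &end) != 1 || (lines[n][end] != '\0' && !g_ascii_isspace (lines[n][end])))`. The same check belongs after each `%4095s` in udisks_mount_monitor_get_mountinfo, whose sscanf argument lists continue outside the hunks shown. The added `x[sizeof x - 1] = '\0';` lines are redundant, because a width-limited `%s` always writes the terminator. The 4096/4095 pair deserves a comment such as `/* width in the sscanf format must stay at sizeof buffer - 1 */` so the two literals cannot drift apart.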


@ -7,12 +7,14 @@
Summary: Disk Manager
Name: udisks2
Version: 2.1.0
Version: 2.1.2
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Libraries
URL: http://www.freedesktop.org/wiki/Software/udisks
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
Patch1: udisks-2.x.x-CVE-2014-0004.patch
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@ -64,11 +66,6 @@ Requires: ntfsprogs
Conflicts: kernel < 2.6.26
# Cannot mount external firewire hard drive or usb thumb drive as normal user, root required
# https://bugzilla.redhat.com/show_bug.cgi?id=909010
Patch0: udisks-2.1.1-firewire-ident.patch
%description
udisks provides a daemon, D-Bus API and command line tools for
managing disks and storage devices. This package is for the udisks 2.x
@ -98,7 +95,7 @@ daemon. This package is for the udisks 2.x series.
%prep
%setup -q -n udisks-%{version}
%patch0 -p1 -b .firewire-ident
%patch1 -p1
%build
# we can't use _hardened_build here, see
@ -162,6 +159,13 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
# Note: please don't forget the %{?dist} in the changelog. Thanks
%changelog
* Mon Mar 10 2014 Jan Safranek <jsafrane@redhat.com>- 2.1.2-2%{?dist}
- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
(#1074459)
* Wed Jan 15 2014 Tomas Bzatek <tbzatek@redhat.com> - 2.1.2-1%{?dist}
- Update to 2.1.2
* Thu Mar 28 2013 Tomas Bzatek <tbzatek@redhat.com> - 2.1.0-2%{?dist}
- Fix firewire drives identification (#909010)