2.23.2-6: CVE-2014-9114

This commit is contained in:
Karel Zak 2014-11-27 15:09:04 +01:00
parent 518942f76e
commit fa2d6a7fff
2 changed files with 155 additions and 1 deletions

149
2.26-libblkid-escape.patch Normal file
View File

@ -0,0 +1,149 @@
diff -up util-linux-2.23.2/libblkid/src/read.c.kzak util-linux-2.23.2/libblkid/src/read.c
--- util-linux-2.23.2/libblkid/src/read.c.kzak 2013-06-13 09:46:10.421650630 +0200
+++ util-linux-2.23.2/libblkid/src/read.c 2014-11-27 15:02:18.559969208 +0100
@@ -252,15 +252,30 @@ static int parse_token(char **name, char
*value = skip_over_blank(*value + 1);
if (**value == '"') {
- end = strchr(*value + 1, '"');
- if (!end) {
+ char *p = end = *value + 1;
+
+ /* convert 'foo\"bar' to 'foo"bar' */
+ while (*p) {
+ if (*p == '\\') {
+ p++;
+ *end = *p;
+ } else {
+ *end = *p;
+ if (*p == '"')
+ break;
+ }
+ p++;
+ end++;
+ }
+
+ if (*end != '"') {
DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
*cp = *value;
return -BLKID_ERR_CACHE;
}
(*value)++;
*end = '\0';
- end++;
+ end = ++p;
} else {
end = skip_over_word(*value);
if (*end) {
diff -up util-linux-2.23.2/libblkid/src/save.c.kzak util-linux-2.23.2/libblkid/src/save.c
--- util-linux-2.23.2/libblkid/src/save.c.kzak 2013-07-30 10:39:26.209738269 +0200
+++ util-linux-2.23.2/libblkid/src/save.c 2014-11-27 15:02:18.559969208 +0100
@@ -23,6 +23,21 @@
#endif
#include "blkidP.h"
+
+static void save_quoted(const char *data, FILE *file)
+{
+ const char *p;
+
+ fputc('"', file);
+ for (p = data; p && *p; p++) {
+ if ((unsigned char) *p == 0x22 || /* " */
+ (unsigned char) *p == 0x5c) /* \ */
+ fputc('\\', file);
+
+ fputc(*p, file);
+ }
+ fputc('"', file);
+}
static int save_dev(blkid_dev dev, FILE *file)
{
struct list_head *p;
@@ -40,9 +55,14 @@ static int save_dev(blkid_dev dev, FILE
if (dev->bid_pri)
fprintf(file, " PRI=\"%d\"", dev->bid_pri);
+
list_for_each(p, &dev->bid_tags) {
blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
+
+ fputc(' ', file); /* space between tags */
+ fputs(tag->bit_name, file); /* tag NAME */
+ fputc('=', file); /* separator between NAME and VALUE */
+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
}
fprintf(file, ">%s</device>\n", dev->bid_name);
diff -up util-linux-2.23.2/lib/tt.c.kzak util-linux-2.23.2/lib/tt.c
--- util-linux-2.23.2/lib/tt.c.kzak 2013-07-15 10:25:46.280049032 +0200
+++ util-linux-2.23.2/lib/tt.c 2014-11-27 15:02:18.560969219 +0100
@@ -672,6 +672,8 @@ void tt_fputs_quoted(const char *data, F
for (p = data; p && *p; p++) {
if ((unsigned char) *p == 0x22 || /* " */
(unsigned char) *p == 0x5c || /* \ */
+ (unsigned char) *p == 0x60 || /* ` */
+ (unsigned char) *p == 0x24 || /* $ */
!isprint((unsigned char) *p) ||
iscntrl((unsigned char) *p)) {
diff -up util-linux-2.23.2/misc-utils/blkid.8.kzak util-linux-2.23.2/misc-utils/blkid.8
--- util-linux-2.23.2/misc-utils/blkid.8.kzak 2013-06-13 09:46:10.446650844 +0200
+++ util-linux-2.23.2/misc-utils/blkid.8 2014-11-27 15:02:18.560969219 +0100
@@ -193,7 +193,10 @@ partitions. This output format is \fBDE
.TP
.B export
print key=value pairs for easy import into the environment; this output format
-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
+
+The non-printing characters are encoded by ^ and M- notation and all
+potentially unsafe characters are escaped.
.RE
.TP
.BI \-O " offset"
diff -up util-linux-2.23.2/misc-utils/blkid.c.kzak util-linux-2.23.2/misc-utils/blkid.c
--- util-linux-2.23.2/misc-utils/blkid.c.kzak 2014-11-27 15:02:18.560969219 +0100
+++ util-linux-2.23.2/misc-utils/blkid.c 2014-11-27 15:05:34.770244516 +0100
@@ -106,8 +106,10 @@ static void usage(int error)
/*
* This function does "safe" printing. It will convert non-printable
* ASCII characters using '^' and M- notation.
+ *
+ * If 'esc' is defined then escape all chars from esc by \.
*/
-static void safe_print(const char *cp, int len)
+static void safe_print(const char *cp, int len, const char *esc)
{
unsigned char ch;
@@ -124,7 +126,9 @@ static void safe_print(const char *cp, i
if ((ch < 32) || (ch == 0x7f)) {
fputc('^', stdout);
ch ^= 0x40; /* ^@, ^A, ^B; ^? for DEL */
- }
+
+ } else if (esc && strchr(esc, ch))
+ fputc('\\', stdout);
}
fputc(ch, stdout);
}
@@ -301,7 +305,7 @@ static void print_value(int output, int
printf("DEVNAME=%s\n", devname);
fputs(name, stdout);
fputs("=", stdout);
- safe_print(value, valsz);
+ safe_print(value, valsz, " \\\"'$`<>");
fputs("\n", stdout);
} else {
@@ -309,7 +313,7 @@ static void print_value(int output, int
printf("%s: ", devname);
fputs(name, stdout);
fputs("=\"", stdout);
- safe_print(value, valsz);
+ safe_print(value, valsz, "\"\\");
fputs("\" ", stdout);
}
}

View File

@ -2,7 +2,7 @@
Summary: A collection of basic system utilities
Name: util-linux
Version: 2.23.2
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
Group: System Environment/Base
URL: http://en.wikipedia.org/wiki/Util-linux
@ -93,6 +93,8 @@ Patch6: 2.24-su-fix-lastlog-and-btmp-logging.patch
Patch7: 2.24-sfdisk-fix-y-n-mismatch.patch
# v2.24 backport: #1024424 - Fix bash completion for more
Patch8: 2.24-bash-completion-IFS.patch
# 1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
Patch9: 2.26-libblkid-escape.patch
%description
The util-linux package contains a large variety of low-level system
@ -809,6 +811,9 @@ fi
%{_libdir}/pkgconfig/uuid.pc
%changelog
* Thu Nov 27 2014 Karel Zak <kzak@redhat.com> 2.23.2-6
- fix #1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
* Mon Jan 13 2014 Karel Zak <kzak@redhat.com> 2.23.2-5
- fix #1009345 - Joking sfdisk rewriting PT after "n"
- fix #1024424 - Fix bash completion for more