2.23.2-6: CVE-2014-9114

2.26-libblkid-escape.patch

@@ -0,0 +1,149 @@
+diff -up util-linux-2.23.2/libblkid/src/read.c.kzak util-linux-2.23.2/libblkid/src/read.c
+--- util-linux-2.23.2/libblkid/src/read.c.kzak	2013-06-13 09:46:10.421650630 +0200
++++ util-linux-2.23.2/libblkid/src/read.c	2014-11-27 15:02:18.559969208 +0100
+@@ -252,15 +252,30 @@ static int parse_token(char **name, char
+ 	*value = skip_over_blank(*value + 1);
+ 
+ 	if (**value == '"') {
+-		end = strchr(*value + 1, '"');
+-		if (!end) {
++		char *p = end = *value + 1;
++
++		/* convert 'foo\"bar'  to 'foo"bar' */
++		while (*p) {
++			if (*p == '\\') {
++				p++;
++				*end = *p;
++			} else {
++				*end = *p;
++				if (*p == '"')
++					break;
++			}
++			p++;
++			end++;
++		}
++
++		if (*end != '"') {
+ 			DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
+ 			*cp = *value;
+ 			return -BLKID_ERR_CACHE;
+ 		}
+ 		(*value)++;
+ 		*end = '\0';
+-		end++;
++		end = ++p;
+ 	} else {
+ 		end = skip_over_word(*value);
+ 		if (*end) {
+diff -up util-linux-2.23.2/libblkid/src/save.c.kzak util-linux-2.23.2/libblkid/src/save.c
+--- util-linux-2.23.2/libblkid/src/save.c.kzak	2013-07-30 10:39:26.209738269 +0200
++++ util-linux-2.23.2/libblkid/src/save.c	2014-11-27 15:02:18.559969208 +0100
+@@ -23,6 +23,21 @@
+ #endif
+ #include "blkidP.h"
+ 
++
++static void save_quoted(const char *data, FILE *file)
++{
++	const char *p;
++
++	fputc('"', file);
++	for (p = data; p && *p; p++) {
++		if ((unsigned char) *p == 0x22 ||		/* " */
++		    (unsigned char) *p == 0x5c)			/* \ */
++			fputc('\\', file);
++
++		fputc(*p, file);
++	}
++	fputc('"', file);
++}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+ 	struct list_head *p;
+@@ -40,9 +55,14 @@ static int save_dev(blkid_dev dev, FILE
+ 
+ 	if (dev->bid_pri)
+ 		fprintf(file, " PRI=\"%d\"", dev->bid_pri);
++
+ 	list_for_each(p, &dev->bid_tags) {
+ 		blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+-		fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
++
++		fputc(' ', file);			/* space between tags */
++		fputs(tag->bit_name, file);		/* tag NAME */
++		fputc('=', file);			/* separator between NAME and VALUE */
++		save_quoted(tag->bit_val, file);	/* tag "VALUE" */
+ 	}
+ 	fprintf(file, ">%s</device>\n", dev->bid_name);
+ 
+diff -up util-linux-2.23.2/lib/tt.c.kzak util-linux-2.23.2/lib/tt.c
+--- util-linux-2.23.2/lib/tt.c.kzak	2013-07-15 10:25:46.280049032 +0200
++++ util-linux-2.23.2/lib/tt.c	2014-11-27 15:02:18.560969219 +0100
+@@ -672,6 +672,8 @@ void tt_fputs_quoted(const char *data, F
+ 	for (p = data; p && *p; p++) {
+ 		if ((unsigned char) *p == 0x22 ||		/* " */
+ 		    (unsigned char) *p == 0x5c ||		/* \ */
++		    (unsigned char) *p == 0x60 ||		/* ` */
++		    (unsigned char) *p == 0x24 ||		/* $ */
+ 		    !isprint((unsigned char) *p) ||
+ 		    iscntrl((unsigned char) *p)) {
+ 
+diff -up util-linux-2.23.2/misc-utils/blkid.8.kzak util-linux-2.23.2/misc-utils/blkid.8
+--- util-linux-2.23.2/misc-utils/blkid.8.kzak	2013-06-13 09:46:10.446650844 +0200
++++ util-linux-2.23.2/misc-utils/blkid.8	2014-11-27 15:02:18.560969219 +0100
+@@ -193,7 +193,10 @@ partitions.  This output format is \fBDE
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
++is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
++
++The non-printing characters are encoded by ^ and M- notation and all
++potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+diff -up util-linux-2.23.2/misc-utils/blkid.c.kzak util-linux-2.23.2/misc-utils/blkid.c
+--- util-linux-2.23.2/misc-utils/blkid.c.kzak	2014-11-27 15:02:18.560969219 +0100
++++ util-linux-2.23.2/misc-utils/blkid.c	2014-11-27 15:05:34.770244516 +0100
+@@ -106,8 +106,10 @@ static void usage(int error)
+ /*
+  * This function does "safe" printing.  It will convert non-printable
+  * ASCII characters using '^' and M- notation.
++ *
++ * If 'esc' is defined then escape all chars from esc by \.
+  */
+-static void safe_print(const char *cp, int len)
++static void safe_print(const char *cp, int len, const char *esc)
+ {
+ 	unsigned char	ch;
+ 
+@@ -124,7 +126,9 @@ static void safe_print(const char *cp, i
+ 			if ((ch < 32) || (ch == 0x7f)) {
+ 				fputc('^', stdout);
+ 				ch ^= 0x40; /* ^@, ^A, ^B; ^? for DEL */
+-			}
++
++			} else if (esc && strchr(esc, ch))
++				fputc('\\', stdout);
+ 		}
+ 		fputc(ch, stdout);
+ 	}
+@@ -301,7 +305,7 @@ static void print_value(int output, int
+ 			printf("DEVNAME=%s\n", devname);
+ 		fputs(name, stdout);
+ 		fputs("=", stdout);
+-		safe_print(value, valsz);
++		safe_print(value, valsz, " \\\"'$`<>");
+ 		fputs("\n", stdout);
+ 
+ 	} else {
+@@ -309,7 +313,7 @@ static void print_value(int output, int
+ 			printf("%s: ", devname);
+ 		fputs(name, stdout);
+ 		fputs("=\"", stdout);
+-		safe_print(value, valsz);
++		safe_print(value, valsz, "\"\\");
+ 		fputs("\" ", stdout);
+ 	}
+ }

util-linux.spec

@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux
 Version: 2.23.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: http://en.wikipedia.org/wiki/Util-linux
@@ -93,6 +93,8 @@ Patch6: 2.24-su-fix-lastlog-and-btmp-logging.patch
 Patch7: 2.24-sfdisk-fix-y-n-mismatch.patch
 # v2.24 backport: #1024424 - Fix bash completion for more
 Patch8: 2.24-bash-completion-IFS.patch
+# 1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
+Patch9: 2.26-libblkid-escape.patch
 
 %description
 The util-linux package contains a large variety of low-level system
@@ -809,6 +811,9 @@ fi
 %{_libdir}/pkgconfig/uuid.pc
 
 %changelog
+* Thu Nov 27 2014 Karel Zak <kzak@redhat.com> 2.23.2-6
+- fix #1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
+
 * Mon Jan 13 2014 Karel Zak <kzak@redhat.com> 2.23.2-5
 - fix #1009345 - Joking sfdisk rewriting PT after "n"
 - fix #1024424 - Fix bash completion for more