diff --git a/2.26-libblkid-escape.patch b/2.26-libblkid-escape.patch new file mode 100644 index 0000000..ea1c576 --- /dev/null +++ b/2.26-libblkid-escape.patch @@ -0,0 +1,149 @@ +diff -up util-linux-2.23.2/libblkid/src/read.c.kzak util-linux-2.23.2/libblkid/src/read.c +--- util-linux-2.23.2/libblkid/src/read.c.kzak 2013-06-13 09:46:10.421650630 +0200 ++++ util-linux-2.23.2/libblkid/src/read.c 2014-11-27 15:02:18.559969208 +0100 +@@ -252,15 +252,30 @@ static int parse_token(char **name, char + *value = skip_over_blank(*value + 1); + + if (**value == '"') { +- end = strchr(*value + 1, '"'); +- if (!end) { ++ char *p = end = *value + 1; ++ ++ /* convert 'foo\"bar' to 'foo"bar' */ ++ while (*p) { ++ if (*p == '\\') { ++ p++; ++ *end = *p; ++ } else { ++ *end = *p; ++ if (*p == '"') ++ break; ++ } ++ p++; ++ end++; ++ } ++ ++ if (*end != '"') { + DBG(READ, blkid_debug("unbalanced quotes at: %s", *value)); + *cp = *value; + return -BLKID_ERR_CACHE; + } + (*value)++; + *end = '\0'; +- end++; ++ end = ++p; + } else { + end = skip_over_word(*value); + if (*end) { +diff -up util-linux-2.23.2/libblkid/src/save.c.kzak util-linux-2.23.2/libblkid/src/save.c +--- util-linux-2.23.2/libblkid/src/save.c.kzak 2013-07-30 10:39:26.209738269 +0200 ++++ util-linux-2.23.2/libblkid/src/save.c 2014-11-27 15:02:18.559969208 +0100 +@@ -23,6 +23,21 @@ + #endif + #include "blkidP.h" + ++ ++static void save_quoted(const char *data, FILE *file) ++{ ++ const char *p; ++ ++ fputc('"', file); ++ for (p = data; p && *p; p++) { ++ if ((unsigned char) *p == 0x22 || /* " */ ++ (unsigned char) *p == 0x5c) /* \ */ ++ fputc('\\', file); ++ ++ fputc(*p, file); ++ } ++ fputc('"', file); ++} + static int save_dev(blkid_dev dev, FILE *file) + { + struct list_head *p; +@@ -40,9 +55,14 @@ static int save_dev(blkid_dev dev, FILE + + if (dev->bid_pri) + fprintf(file, " PRI=\"%d\"", dev->bid_pri); ++ + list_for_each(p, &dev->bid_tags) { + blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags); +- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val); ++ ++ fputc(' ', file); /* space between tags */ ++ fputs(tag->bit_name, file); /* tag NAME */ ++ fputc('=', file); /* separator between NAME and VALUE */ ++ save_quoted(tag->bit_val, file); /* tag "VALUE" */ + } + fprintf(file, ">%s\n", dev->bid_name); + +diff -up util-linux-2.23.2/lib/tt.c.kzak util-linux-2.23.2/lib/tt.c +--- util-linux-2.23.2/lib/tt.c.kzak 2013-07-15 10:25:46.280049032 +0200 ++++ util-linux-2.23.2/lib/tt.c 2014-11-27 15:02:18.560969219 +0100 +@@ -672,6 +672,8 @@ void tt_fputs_quoted(const char *data, F + for (p = data; p && *p; p++) { + if ((unsigned char) *p == 0x22 || /* " */ + (unsigned char) *p == 0x5c || /* \ */ ++ (unsigned char) *p == 0x60 || /* ` */ ++ (unsigned char) *p == 0x24 || /* $ */ + !isprint((unsigned char) *p) || + iscntrl((unsigned char) *p)) { + +diff -up util-linux-2.23.2/misc-utils/blkid.8.kzak util-linux-2.23.2/misc-utils/blkid.8 +--- util-linux-2.23.2/misc-utils/blkid.8.kzak 2013-06-13 09:46:10.446650844 +0200 ++++ util-linux-2.23.2/misc-utils/blkid.8 2014-11-27 15:02:18.560969219 +0100 +@@ -193,7 +193,10 @@ partitions. This output format is \fBDE + .TP + .B export + print key=value pairs for easy import into the environment; this output format +-is automatically enabled when I/O Limits (\fB-i\fR option) are requested ++is automatically enabled when I/O Limits (\fB-i\fR option) are requested. ++ ++The non-printing characters are encoded by ^ and M- notation and all ++potentially unsafe characters are escaped. + .RE + .TP + .BI \-O " offset" +diff -up util-linux-2.23.2/misc-utils/blkid.c.kzak util-linux-2.23.2/misc-utils/blkid.c +--- util-linux-2.23.2/misc-utils/blkid.c.kzak 2014-11-27 15:02:18.560969219 +0100 ++++ util-linux-2.23.2/misc-utils/blkid.c 2014-11-27 15:05:34.770244516 +0100 +@@ -106,8 +106,10 @@ static void usage(int error) + /* + * This function does "safe" printing. It will convert non-printable + * ASCII characters using '^' and M- notation. ++ * ++ * If 'esc' is defined then escape all chars from esc by \. + */ +-static void safe_print(const char *cp, int len) ++static void safe_print(const char *cp, int len, const char *esc) + { + unsigned char ch; + +@@ -124,7 +126,9 @@ static void safe_print(const char *cp, i + if ((ch < 32) || (ch == 0x7f)) { + fputc('^', stdout); + ch ^= 0x40; /* ^@, ^A, ^B; ^? for DEL */ +- } ++ ++ } else if (esc && strchr(esc, ch)) ++ fputc('\\', stdout); + } + fputc(ch, stdout); + } +@@ -301,7 +305,7 @@ static void print_value(int output, int + printf("DEVNAME=%s\n", devname); + fputs(name, stdout); + fputs("=", stdout); +- safe_print(value, valsz); ++ safe_print(value, valsz, " \\\"'$`<>"); + fputs("\n", stdout); + + } else { +@@ -309,7 +313,7 @@ static void print_value(int output, int + printf("%s: ", devname); + fputs(name, stdout); + fputs("=\"", stdout); +- safe_print(value, valsz); ++ safe_print(value, valsz, "\"\\"); + fputs("\" ", stdout); + } + } diff --git a/util-linux.spec b/util-linux.spec index ca1ebc2..9f22473 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -2,7 +2,7 @@ Summary: A collection of basic system utilities Name: util-linux Version: 2.23.2 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain Group: System Environment/Base URL: http://en.wikipedia.org/wiki/Util-linux @@ -93,6 +93,8 @@ Patch6: 2.24-su-fix-lastlog-and-btmp-logging.patch Patch7: 2.24-sfdisk-fix-y-n-mismatch.patch # v2.24 backport: #1024424 - Fix bash completion for more Patch8: 2.24-bash-completion-IFS.patch +# 1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid +Patch9: 2.26-libblkid-escape.patch %description The util-linux package contains a large variety of low-level system @@ -809,6 +811,9 @@ fi %{_libdir}/pkgconfig/uuid.pc %changelog +* Thu Nov 27 2014 Karel Zak 2.23.2-6 +- fix #1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid + * Mon Jan 13 2014 Karel Zak 2.23.2-5 - fix #1009345 - Joking sfdisk rewriting PT after "n" - fix #1024424 - Fix bash completion for more