CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

fuse: fix for CVE-2015-3202 Privilege Escalation

Browse Source 
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before
invoking (1) mount or (2) umount as root, which allows local users to write
to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is
used by mount's debugging feature.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202
http://www.openwall.com/lists/oss-security/2015/05/21/9

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Tudor Florea 2015-07-16 16:06:33 +02:00 committed by Martin Jansa
parent dd407add55
commit 6a591c9367
2 changed files with 64 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch Normal file
View File

@ -0,0 +1,63 @@
From cfe13b7a217075ae741c018da50cd600e5330de2 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <mszeredi@suse.cz>
Date: Fri, 22 May 2015 10:58:43 +0200
Subject: [PATCH] libfuse: fix exec environment for mount and umount
Found by Tavis Ormandy (CVE-2015-3202).
Upstream-Status: Submitted
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
--- a/lib/mount_util.c
+++ b/lib/mount_util.c
@@ -95,10 +95,12 @@ static int add_mount(const char *prognam
goto out_restore;
}
if (res == 0) {
+ char *env = NULL;
+
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
- "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
progname, strerror(errno));
exit(1);
@@ -146,10 +148,17 @@ static int exec_umount(const char *progn
goto out_restore;
}
if (res == 0) {
+ char *env = NULL;
+
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
- execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
- lazy ? "-l" : NULL, NULL);
+ if (lazy) {
+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+ "-l", NULL, &env);
+ } else {
+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+ NULL, &env);
+ }
fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
progname, strerror(errno));
exit(1);
@@ -205,10 +214,12 @@ static int remove_mount(const char *prog
goto out_restore;
}
if (res == 0) {
+ char *env = NULL;
+
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
- execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
- "--fake", mnt, NULL);
+ execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+ "--fake", mnt, NULL, &env);
fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
progname, strerror(errno));
exit(1);

1
meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
View File

@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \ SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \
file://gold-unversioned-symbol.patch \ file://gold-unversioned-symbol.patch \
file://aarch64.patch \ file://aarch64.patch \
file://001-fix_exec_environment_for_mount_and_umount.patch \
" "
SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a" SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a"
SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c" SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c"