aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTudor Florea <tudor.florea@enea.com>2015-07-16 16:06:33 +0200
committerMartin Jansa <Martin.Jansa@gmail.com>2015-10-26 21:43:08 +0100
commit6a591c93679a3c73aba232e3f52a46e7c0e03e6a (patch)
treeb9be7c005ceb9e89bce4f955fbd5aec38ce9fb6a
parentdd407add556dcee973477c4544ff1e165f21310f (diff)
downloadmeta-openembedded-6a591c93679a3c73aba232e3f52a46e7c0e03e6a.tar.gz
meta-openembedded-6a591c93679a3c73aba232e3f52a46e7c0e03e6a.tar.bz2
meta-openembedded-6a591c93679a3c73aba232e3f52a46e7c0e03e6a.zip
fuse: fix for CVE-2015-3202 Privilege Escalation
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202 http://www.openwall.com/lists/oss-security/2015/05/21/9 Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch63
-rw-r--r--meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb1
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch
new file mode 100644
index 000000000..8332bfbb7
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch
@@ -0,0 +1,63 @@
+From cfe13b7a217075ae741c018da50cd600e5330de2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Fri, 22 May 2015 10:58:43 +0200
+Subject: [PATCH] libfuse: fix exec environment for mount and umount
+
+Found by Tavis Ormandy (CVE-2015-3202).
+
+Upstream-Status: Submitted
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+
+---
+--- a/lib/mount_util.c
++++ b/lib/mount_util.c
+@@ -95,10 +95,12 @@ static int add_mount(const char *prognam
+ goto out_restore;
+ }
+ if (res == 0) {
++ char *env = NULL;
++
+ sigprocmask(SIG_SETMASK, &oldmask, NULL);
+ setuid(geteuid());
+- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+- "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
++ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
++ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
+ fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
+ progname, strerror(errno));
+ exit(1);
+@@ -146,10 +148,17 @@ static int exec_umount(const char *progn
+ goto out_restore;
+ }
+ if (res == 0) {
++ char *env = NULL;
++
+ sigprocmask(SIG_SETMASK, &oldmask, NULL);
+ setuid(geteuid());
+- execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
+- lazy ? "-l" : NULL, NULL);
++ if (lazy) {
++ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
++ "-l", NULL, &env);
++ } else {
++ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
++ NULL, &env);
++ }
+ fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
+ progname, strerror(errno));
+ exit(1);
+@@ -205,10 +214,12 @@ static int remove_mount(const char *prog
+ goto out_restore;
+ }
+ if (res == 0) {
++ char *env = NULL;
++
+ sigprocmask(SIG_SETMASK, &oldmask, NULL);
+ setuid(geteuid());
+- execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+- "--fake", mnt, NULL);
++ execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
++ "--fake", mnt, NULL, &env);
+ fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
+ progname, strerror(errno));
+ exit(1);
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
index 60fea873b..2e2f7a198 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \
file://gold-unversioned-symbol.patch \
file://aarch64.patch \
+ file://001-fix_exec_environment_for_mount_and_umount.patch \
"
SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a"
SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c"