fuse package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 6 years ago
parent
commit
10f7a151d5
  1. 46
      SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
  2. 7
      SPECS/fuse.spec

46
SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch

@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001
From: Jann Horn <jannh@google.com>
Date: Fri, 13 Jul 2018 15:15:36 -0700
Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options

The old code permits the following behavior:

$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

However, backslashes do not have any special meaning for the kernel here.

As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.
---
util/fusermount.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/util/fusermount.c b/util/fusermount.c
index 26a0b75bbecb..5175c0115a05 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -29,6 +29,7 @@
#include <sys/socket.h>
#include <sys/utsname.h>
#include <sched.h>
+#include <stdbool.h>

#define FUSE_COMMFD_ENV "_FUSE_COMMFD"

@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
unsigned len;
const char *fsname_str = "fsname=";
const char *subtype_str = "subtype=";
+ bool escape_ok = begins_with(s, fsname_str) ||
+ begins_with(s, subtype_str);
for (len = 0; s[len]; len++) {
- if (s[len] == '\\' && s[len + 1])
+ if (escape_ok && s[len] == '\\' && s[len + 1])
len++;
else if (s[len] == ',')
break;
--
2.14.3
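Review bot: In the do_mount() hunk, `bool escape_ok = begins_with(s, fsname_str) || begins_with(s, subtype_str);` has no comment saying why backslash escaping is kept only for `fsname=` and `subtype=`. The reason (backslashes have no special meaning to the kernel here) is stated only in the commit message. Suggest a short comment above the declaration so that adding another prefix to that list later is a deliberate decision. The diffstat also shows only util/fusermount.c changing, so the `foobar=\,allow_other` input from the commit message has no regression test. A test asserting that the loop now stops at that comma, so `allow_other` is parsed as a separate option, would lock the fix in.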

7
SPECS/fuse.spec

@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
Name: fuse
Version: 2.9.2
Release: 10%{?dist}
Release: 11%{?dist}
Summary: File System in Userspace (FUSE) utilities

Group: System Environment/Base
@ -13,6 +13,7 @@ Patch1: fuse-0001-More-parentheses.patch @@ -13,6 +13,7 @@ Patch1: fuse-0001-More-parentheses.patch
Patch2: fuse-aarch64.patch
Patch3: buffer_size.patch
Patch4: libfuse-fix-crash-in-unlock_path.patch
Patch5: fusermount-don-t-feed-escaped-commas-into-mount-opti.patch

Requires: which
Conflicts: filesystem < 3
@ -58,6 +59,7 @@ sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in @@ -58,6 +59,7 @@ sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in
%patch2 -p1 -b .aarch64
%patch3 -p1 -b .buffer_size
%patch4 -p1 -b .unlock_path_crash
%patch5 -p1 -b .escaped_commas

%build
# Can't pass --disable-static here, or else the utils don't build
@ -109,6 +111,9 @@ rm -f %{buildroot}%{_sysconfdir}/udev/rules.d/99-fuse.rules @@ -109,6 +111,9 @@ rm -f %{buildroot}%{_sysconfdir}/udev/rules.d/99-fuse.rules
%{_includedir}/fuse

%changelog
* Tue Jul 24 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-11
- Fixed CVE-2018-10906 (rhbz#1605159)

* Fri Jan 05 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-10
- Fix crash in unlock_path() (rhbz#1527008)
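Review bot: The new 2.9.2-11 changelog entry reads only `Fixed CVE-2018-10906 (rhbz#1605159)` and does not say what changed. Suggest naming the fix in the entry, for example that fusermount no longer honours backslash-escaped commas outside `fsname=` and `subtype=`, so someone auditing the package can map the CVE to Patch5 without reading the patch list and the patch itself.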

