fuse package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
2018-12-09 17:47:50 +01:00 · 2018-12-09 17:47:50 +01:00 · 10f7a151d5
parent d9814c3a97
commit 10f7a151d5
2 changed files with 52 additions and 1 deletions
--- a/SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
+++ b/SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
@ -0,0 +1,46 @@
+From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+
+The old code permits the following behavior:
+
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+
+However, backslashes do not have any special meaning for the kernel here.
+
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 26a0b75bbecb..5175c0115a05 100644
+--- a/util/fusermount.c
+++ b/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
+#include <stdbool.h>
+
+ #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"
+
+@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+		unsigned len;
+		const char *fsname_str = "fsname=";
+		const char *subtype_str = "subtype=";
+		bool escape_ok = begins_with(s, fsname_str) ||
+				 begins_with(s, subtype_str);
+		for (len = 0; s[len]; len++) {
+-			if (s[len] == '\\' && s[len + 1])
+			if (escape_ok && s[len] == '\\' && s[len + 1])
+				len++;
+			else if (s[len] == ',')
+				break;
+--
+2.14.3
--- a/SPECS/fuse.spec
+++ b/SPECS/fuse.spec
@ -1,6 +1,6 @@
 Name:           fuse
 Version:        2.9.2
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        File System in Userspace (FUSE) utilities

 Group:          System Environment/Base
@ -13,6 +13,7 @@ Patch1:		fuse-0001-More-parentheses.patch
 Patch2:		fuse-aarch64.patch
 Patch3:		buffer_size.patch
 Patch4:		libfuse-fix-crash-in-unlock_path.patch
+Patch5: 	fusermount-don-t-feed-escaped-commas-into-mount-opti.patch

 Requires:       which
 Conflicts:      filesystem < 3
@ -58,6 +59,7 @@ sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in
 %patch2 -p1 -b .aarch64
 %patch3 -p1 -b .buffer_size
 %patch4 -p1 -b .unlock_path_crash
+%patch5 -p1 -b .escaped_commas

 %build
 # Can't pass --disable-static here, or else the utils don't build
@ -109,6 +111,9 @@ rm -f %{buildroot}%{_sysconfdir}/udev/rules.d/99-fuse.rules
 %{_includedir}/fuse

 %changelog
+* Tue Jul 24 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-11
+- Fixed CVE-2018-10906 (rhbz#1605159)
+
 * Fri Jan 05 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-10
 - Fix crash in unlock_path() (rhbz#1527008)