[udisks2] Stack-based buffer overflow when handling long path names
Debarshi Ray
rishi at fedoraproject.org
Mon Mar 10 13:00:24 UTC 2014
commit 204f08495a09d4b7615cdca07849f536b98ebc47
Author: Jan Safranek <jsafrane at redhat.com>
Date: Mon Mar 10 13:55:51 2014 +0100
Stack-based buffer overflow when handling long path names
Resolves: #1074459, CVE-2014-0004
udisks-2.x.x-CVE-2014-0004.patch | 96 ++++++++++++++++++++++++++++++++++++++
udisks2.spec | 9 +++-
2 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/udisks-2.x.x-CVE-2014-0004.patch b/udisks-2.x.x-CVE-2014-0004.patch
new file mode 100644
index 0000000..5794dfd
--- /dev/null
+++ b/udisks-2.x.x-CVE-2014-0004.patch
@@ -0,0 +1,96 @@
+From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
+From: David Zeuthen <zeuthen at gmail.com>
+Date: Wed, 12 Feb 2014 20:01:41 -0800
+Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
+ path names
+
+Fix this by being more careful when parsing strings.
+
+Acknowledgements: This issue was discovered by Florian Weimer of the
+Red Hat Product Security Team.
+
+Signed-off-by: David Zeuthen <zeuthen at gmail.com>
+---
+ src/udisksmountmonitor.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
+index 8af1028..77cf94c 100644
+--- a/src/udisksmountmonitor.c
++++ b/src/udisksmountmonitor.c
+@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
+ guint mount_id;
+ guint parent_id;
+ guint major, minor;
+- gchar encoded_root[PATH_MAX];
+- gchar encoded_mount_point[PATH_MAX];
++ gchar encoded_root[4096];
++ gchar encoded_mount_point[4096];
+ gchar *mount_point;
+ dev_t dev;
+
+@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
+ continue;
+
+ if (sscanf (lines[n],
+- "%d %d %d:%d %s %s",
++ "%d %d %d:%d %4095s %4095s",
+ &mount_id,
+ &parent_id,
+ &major,
+@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
+ udisks_warning ("Error parsing line '%s'", lines[n]);
+ continue;
+ }
++ encoded_root[sizeof encoded_root - 1] = '\0';
++ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+
+ /* Temporary work-around for btrfs, see
+ *
+@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
+ sep = strstr (lines[n], " - ");
+ if (sep != NULL)
+ {
+- gchar fstype[PATH_MAX];
+- gchar mount_source[PATH_MAX];
++ gchar fstype[4096];
++ gchar mount_source[4096];
+ struct stat statbuf;
+
+- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
++ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
+ {
+ udisks_warning ("Error parsing things past - for '%s'", lines[n]);
+ continue;
+ }
++ fstype[sizeof fstype - 1] = '\0';
++ mount_source[sizeof mount_source - 1] = '\0';
+
+ if (g_strcmp0 (fstype, "btrfs") != 0)
+ continue;
+@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
+ lines = g_strsplit (contents, "\n", 0);
+ for (n = 0; lines[n] != NULL; n++)
+ {
+- gchar filename[PATH_MAX];
++ gchar filename[4096];
+ struct stat statbuf;
+ dev_t dev;
+
+@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
+ if (strlen (lines[n]) == 0)
+ continue;
+
+- if (sscanf (lines[n], "%s", filename) != 1)
++ if (sscanf (lines[n], "%4095s", filename) != 1)
+ {
+ udisks_warning ("Error parsing line '%s'", lines[n]);
+ continue;
+ }
++ filename[sizeof filename - 1] = '\0';
+
+ if (stat (filename, &statbuf) != 0)
+ {
+--
+1.8.5.3
+
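Review bot: The width-limited conversions in the embedded patch (`%4095s` in both sscanf calls of udisks_mount_monitor_get_mountinfo and in the one in udisks_mount_monitor_get_swaps) stop the overflow but silently accept an over-long field. The token is cut at 4095 bytes, and in the two-field formats the next `%4095s` consumes the remainder of the same token, so the return-count check still passes with shifted fields. In get_swaps the truncated `filename` then goes straight to `stat ()`, which could resolve to a different path than the one the kernel listed. I would reject such lines after each sscanf, e.g. `if (strlen (filename) == sizeof filename - 1) { udisks_warning ("Path too long in line '%s'", lines[n]); continue; }`, and likewise for `encoded_root`, `encoded_mount_point`, `fstype` and `mount_source`; this also drops a field of exactly 4095 bytes, which seems an acceptable cost. The added `x[sizeof x - 1] = '\0'` stores are redundant, since a bounded `%s` always terminates inside the buffer; both functions begin and end outside the visible hunks.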
diff --git a/udisks2.spec b/udisks2.spec
index 77147db..4b6470c 100644
--- a/udisks2.spec
+++ b/udisks2.spec
@@ -8,11 +8,13 @@
Summary: Disk Manager
Name: udisks2
Version: 2.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Libraries
URL: http://www.freedesktop.org/wiki/Software/udisks
Source0: http://udisks.freedesktop.org/releases/udisks-%{version}.tar.bz2
+# https://bugzilla.redhat.com/show_bug.cgi?id=1074459
+Patch1: udisks-2.x.x-CVE-2014-0004.patch
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@@ -91,6 +93,7 @@ daemon. This package is for the udisks 2.x series.
%prep
%setup -q -n udisks-%{version}
+%patch1 -p1
%build
# we can't use _hardened_build here, see
@@ -154,6 +157,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
# Note: please don't forget the %{?dist} in the changelog. Thanks
%changelog
+* Mon Mar 10 2014 Jan Safranek <jsafrane at redhat.com>- 2.1.2-2%{?dist}
+- Fix CVE-2014-0004: stack-based buffer overflow when handling long path names
+ (#1074459)
+
* Wed Jan 15 2014 Tomas Bzatek <tbzatek at redhat.com> - 2.1.2-1%{?dist}
- Update to 2.1.2