[util-linux/f20] 2.24.2-2: CVE-2014-9114
kzak
kzak at fedoraproject.org
Thu Nov 27 14:00:12 UTC 2014
commit e54434472e6f783e6e127c756e04f0abfecaafc4
Author: Karel Zak <kzak at redhat.com>
Date: Thu Nov 27 15:00:04 2014 +0100
2.24.2-2: CVE-2014-9114
2.26-libblkid-escape.patch | 126 ++++++++++++++++++++++++++++++++++++++++++++
util-linux.spec | 7 ++-
2 files changed, 132 insertions(+), 1 deletions(-)
---
diff --git a/2.26-libblkid-escape.patch b/2.26-libblkid-escape.patch
new file mode 100644
index 0000000..5d9baa9
--- /dev/null
+++ b/2.26-libblkid-escape.patch
@@ -0,0 +1,126 @@
+diff -up util-linux-2.24.2/libblkid/src/read.c.kzak util-linux-2.24.2/libblkid/src/read.c
+--- util-linux-2.24.2/libblkid/src/read.c.kzak 2014-11-27 14:46:24.073912962 +0100
++++ util-linux-2.24.2/libblkid/src/read.c 2014-11-27 14:49:42.718210261 +0100
+@@ -252,15 +252,30 @@ static int parse_token(char **name, char
+ *value = skip_over_blank(*value + 1);
+
+ if (**value == '"') {
+- end = strchr(*value + 1, '"');
+- if (!end) {
++ char *p = end = *value + 1;
++
++ /* convert 'foo\"bar' to 'foo"bar' */
++ while (*p) {
++ if (*p == '\\') {
++ p++;
++ *end = *p;
++ } else {
++ *end = *p;
++ if (*p == '"')
++ break;
++ }
++ p++;
++ end++;
++ }
++
++ if (*end != '"') {
+ DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
+ *cp = *value;
+ return -BLKID_ERR_CACHE;
+ }
+ (*value)++;
+ *end = '\0';
+- end++;
++ end = ++p;
+ } else {
+ end = skip_over_word(*value);
+ if (*end) {
+diff -up util-linux-2.24.2/libblkid/src/save.c.kzak util-linux-2.24.2/libblkid/src/save.c
+--- util-linux-2.24.2/libblkid/src/save.c.kzak 2014-04-24 09:37:04.356704228 +0200
++++ util-linux-2.24.2/libblkid/src/save.c 2014-11-27 14:46:24.074912973 +0100
+@@ -26,6 +26,21 @@
+
+ #include "blkidP.h"
+
++
++static void save_quoted(const char *data, FILE *file)
++{
++ const char *p;
++
++ fputc('"', file);
++ for (p = data; p && *p; p++) {
++ if ((unsigned char) *p == 0x22 || /* " */
++ (unsigned char) *p == 0x5c) /* \ */
++ fputc('\\', file);
++
++ fputc(*p, file);
++ }
++ fputc('"', file);
++}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+ struct list_head *p;
+@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE
+
+ if (dev->bid_pri)
+ fprintf(file, " PRI=\"%d\"", dev->bid_pri);
++
+ list_for_each(p, &dev->bid_tags) {
+ blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
++
++ fputc(' ', file); /* space between tags */
++ fputs(tag->bit_name, file); /* tag NAME */
++ fputc('=', file); /* separator between NAME and VALUE */
++ save_quoted(tag->bit_val, file); /* tag "VALUE" */
+ }
+ fprintf(file, ">%s</device>\n", dev->bid_name);
+
+diff -up util-linux-2.24.2/lib/tt.c.kzak util-linux-2.24.2/lib/tt.c
+--- util-linux-2.24.2/lib/tt.c.kzak 2014-11-27 14:55:40.144349070 +0100
++++ util-linux-2.24.2/lib/tt.c 2014-11-27 14:56:02.254605467 +0100
+@@ -680,6 +680,8 @@ void tt_fputs_quoted(const char *data, F
+ for (p = data; p && *p; p++) {
+ if ((unsigned char) *p == 0x22 || /* " */
+ (unsigned char) *p == 0x5c || /* \ */
++ (unsigned char) *p == 0x60 || /* ` */
++ (unsigned char) *p == 0x24 || /* $ */
+ !isprint((unsigned char) *p) ||
+ iscntrl((unsigned char) *p)) {
+
+diff -up util-linux-2.24.2/misc-utils/blkid.8.kzak util-linux-2.24.2/misc-utils/blkid.8
+--- util-linux-2.24.2/misc-utils/blkid.8.kzak 2013-09-18 15:50:12.690263681 +0200
++++ util-linux-2.24.2/misc-utils/blkid.8 2014-11-27 14:46:24.074912973 +0100
+@@ -193,7 +193,10 @@ partitions. This output format is \fBDE
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
++is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
++
++The non-printing characters are encoded by ^ and M- notation and all
++potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+diff -up util-linux-2.24.2/misc-utils/blkid.c.kzak util-linux-2.24.2/misc-utils/blkid.c
+--- util-linux-2.24.2/misc-utils/blkid.c.kzak 2014-04-24 09:37:04.369704437 +0200
++++ util-linux-2.24.2/misc-utils/blkid.c 2014-11-27 14:52:03.869842664 +0100
+@@ -306,7 +306,7 @@ static void print_value(int output, int
+ printf("DEVNAME=%s\n", devname);
+ fputs(name, stdout);
+ fputs("=", stdout);
+- safe_print(value, valsz, NULL);
++ safe_print(value, valsz, " \\\"'$`<>");
+ fputs("\n", stdout);
+
+ } else {
+@@ -314,7 +314,7 @@ static void print_value(int output, int
+ printf("%s: ", devname);
+ fputs(name, stdout);
+ fputs("=\"", stdout);
+- safe_print(value, valsz, "\"");
++ safe_print(value, valsz, "\"\\");
+ fputs("\" ", stdout);
+ }
+ }
diff --git a/util-linux.spec b/util-linux.spec
index 9c32fa3..8152e31 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -2,7 +2,7 @@
Summary: A collection of basic system utilities
Name: util-linux
Version: 2.24.2
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
Group: System Environment/Base
URL: http://en.wikipedia.org/wiki/Util-linux
@@ -76,6 +76,8 @@ Requires: libmount = %{version}-%{release}
###
# 151635 - makeing /var/log/lastlog
Patch0: 2.23-login-lastlog-create.patch
+# 1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
+Patch1: 2.26-libblkid-escape.patch
%description
The util-linux package contains a large variety of low-level system
@@ -807,6 +809,9 @@ fi
%{_libdir}/python*/site-packages/libmount/*
%changelog
+* Thu Nov 27 2014 Karel Zak <kzak at redhat.com> 2.24.2-2
+- fix #1168490 - CVE-2014-9114 util-linux: command injection flaw in blkid
+
* Thu Apr 24 2014 Karel Zak <kzak at redhat.com> 2.24.2-1
- upgrade to stable release 2.24.2
ftp://ftp.kernel.org/pub/linux/utils/util-linux/v2.24/v2.24.2-ReleaseNotes
More information about the scm-commits
mailing list