fuse: fix for CVE-2015-3202 Privilege Escalation

fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202 http://www.openwall.com/lists/oss-security/2015/05/21/9 Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-07-16 16:06:33 +0200
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-07-30 21:03:26 +0200
commit: 96a4d9ad7b0150133340105f7ca84243398b11a9 (patch)
tree: d9fe4a175114b471716cee563468dfcb722ad77b /meta-filesystems/recipes-support
parent: 81d8056d4b9bddd002e05c893af70ec58df2ee21 (diff)
download: meta-openembedded-96a4d9ad7b0150133340105f7ca84243398b11a9.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch
new file mode 100644
index 000000000..8332bfbb7
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch
@@ -0,0 +1,63 @@
+From cfe13b7a217075ae741c018da50cd600e5330de2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Fri, 22 May 2015 10:58:43 +0200
+Subject: [PATCH] libfuse: fix exec environment for mount and umount
+Found by Tavis Ormandy (CVE-2015-3202).
+Upstream-Status: Submitted
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+---
+--- a/lib/mount_util.c
+++ b/lib/mount_util.c
+@@ -95,10 +95,12 @@ static int add_mount(const char *prognam
+                goto out_restore;
+        }
+        if (res == 0) {
+               char *env = NULL;
+
+                sigprocmask(SIG_SETMASK, &oldmask, NULL);
+                setuid(geteuid());
+-               execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+-                     "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+               execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+                      "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
+                fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
+                        progname, strerror(errno));
+                exit(1);
+@@ -146,10 +148,17 @@ static int exec_umount(const char *progn
+                goto out_restore;
+        }
+        if (res == 0) {
+               char *env = NULL;
+
+                sigprocmask(SIG_SETMASK, &oldmask, NULL);
+                setuid(geteuid());
+-               execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
+-                     lazy ? "-l" : NULL, NULL);
+               if (lazy) {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              "-l", NULL, &env);
+               } else {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              NULL, &env);
+               }
+                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
+                        progname, strerror(errno));
+                exit(1);
+@@ -205,10 +214,12 @@ static int remove_mount(const char *prog
+                goto out_restore;
+        }
+        if (res == 0) {
+               char *env = NULL;
+
+                sigprocmask(SIG_SETMASK, &oldmask, NULL);
+                setuid(geteuid());
+-               execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+-                     "--fake", mnt, NULL);
+               execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+                      "--fake", mnt, NULL, &env);
+                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
+                        progname, strerror(errno));
+                exit(1);
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
index 60fea873b..2e2f7a198 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \
           file://gold-unversioned-symbol.patch \
           file://aarch64.patch \
+           file://001-fix_exec_environment_for_mount_and_umount.patch \
 "
 SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a"
 SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c"
author	Tudor Florea <tudor.florea@enea.com>	2015-07-16 16:06:33 +0200
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-07-30 21:03:26 +0200
commit	96a4d9ad7b0150133340105f7ca84243398b11a9 (patch)
tree	d9fe4a175114b471716cee563468dfcb722ad77b /meta-filesystems/recipes-support
parent	81d8056d4b9bddd002e05c893af70ec58df2ee21 (diff)
download	meta-openembedded-96a4d9ad7b0150133340105f7ca84243398b11a9.tar.gz

diff --git a/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch new file mode 100644 index 000000000..8332bfbb7 --- /dev/null +++ b/meta-filesystems/recipes-support/fuse/files/001-fix_exec_environment_for_mount_and_umount.patch
@@ -0,0 +1,63 @@
		1	From cfe13b7a217075ae741c018da50cd600e5330de2 Mon Sep 17 00:00:00 2001
		2	From: Miklos Szeredi <mszeredi@suse.cz>
		3	Date: Fri, 22 May 2015 10:58:43 +0200
		4	Subject: [PATCH] libfuse: fix exec environment for mount and umount
		5
		6	Found by Tavis Ormandy (CVE-2015-3202).
		7
		8	Upstream-Status: Submitted
		9	Signed-off-by: Tudor Florea <tudor.florea@enea.com>
		10
		11	---
		12	--- a/lib/mount_util.c
		13	+++ b/lib/mount_util.c
		14	@@ -95,10 +95,12 @@ static int add_mount(const char *prognam
		15	goto out_restore;
		16	}
		17	if (res == 0) {
		18	+ char *env = NULL;
		19	+
		20	sigprocmask(SIG_SETMASK, &oldmask, NULL);
		21	setuid(geteuid());
		22	- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
		23	- "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
		24	+ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
		25	+ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
		26	fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
		27	progname, strerror(errno));
		28	exit(1);
		29	@@ -146,10 +148,17 @@ static int exec_umount(const char *progn
		30	goto out_restore;
		31	}
		32	if (res == 0) {
		33	+ char *env = NULL;
		34	+
		35	sigprocmask(SIG_SETMASK, &oldmask, NULL);
		36	setuid(geteuid());
		37	- execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
		38	- lazy ? "-l" : NULL, NULL);
		39	+ if (lazy) {
		40	+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
		41	+ "-l", NULL, &env);
		42	+ } else {
		43	+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
		44	+ NULL, &env);
		45	+ }
		46	fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
		47	progname, strerror(errno));
		48	exit(1);
		49	@@ -205,10 +214,12 @@ static int remove_mount(const char *prog
		50	goto out_restore;
		51	}
		52	if (res == 0) {
		53	+ char *env = NULL;
		54	+
		55	sigprocmask(SIG_SETMASK, &oldmask, NULL);
		56	setuid(geteuid());
		57	- execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
		58	- "--fake", mnt, NULL);
		59	+ execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
		60	+ "--fake", mnt, NULL, &env);
		61	fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
		62	progname, strerror(errno));
		63	exit(1);


diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb index 60fea873b..2e2f7a198 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.3.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
13	SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/fuse/fuse-${PV}.tar.gz \
14	file://gold-unversioned-symbol.patch \	14	file://gold-unversioned-symbol.patch \
15	file://aarch64.patch \	15	file://aarch64.patch \
		16	file://001-fix_exec_environment_for_mount_and_umount.patch \
16	"	17	"
17	SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a"	18	SRC_URI[md5sum] = "33cae22ca50311446400daf8a6255c6a"
18	SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c"	19	SRC_URI[sha256sum] = "0beb83eaf2c5e50730fc553406ef124d77bc02c64854631bdfc86bfd6437391c"