Hi Laszlo, Please find the attached dpatch to prevent CVE-2015-3202 in squeeze. It makes lib/mount_util.c use execle instead of execl to run external helpers. Please let me know whether you want me to upload a patched package, or whether you would rather do it yourself. Cheers, Santiago
#! /bin/sh /usr/share/dpatch/dpatch-run
## 004-CVE-2015-3202.dpatch by <santiagorr@riseup.net>
##
## DP: Fixes CVE-2015-3202.
## DP: Backported from fuse_2.9.0-2+deb7u2
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' fuse-2.8.4~/lib/mount_util.c fuse-2.8.4/lib/mount_util.c
--- fuse-2.8.4~/lib/mount_util.c 2010-03-08 16:18:43.000000000 +0100
+++ fuse-2.8.4/lib/mount_util.c 2015-05-26 18:15:10.571012189 +0200
@@ -78,6 +78,7 @@
if (res == 0) {
char templ[] = "/tmp/fusermountXXXXXX";
char *tmp;
+ char *env = NULL;
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
@@ -99,8 +100,8 @@
exit(1);
}
rmdir(tmp);
- execl("/bin/mount", "/bin/mount", "-i", "-f", "-t", type,
- "-o", opts, fsname, mnt, NULL);
+ execle("/bin/mount", "/bin/mount", "-i", "-f", "-t", type,
+ "-o", opts, fsname, mnt, NULL, &env);
fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
progname, strerror(errno));
exit(1);
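Review bot: The `&env` argument to execle, with `env` declared as `char *env = NULL;` in the previous hunk, is a one-element envp array containing only the terminating NULL — an empty environment, which is the point of this CVE-2015-3202 fix — but at the call site it reads like a typo for `env`. A self-describing declaration would make the intent visible where it matters: `char *const envp[] = { NULL };  /* run /bin/mount with a cleared environment */` and pass `envp` in place of `&env`. The same `&env` construction appears in the two hunks below (the --no-canonicalize mount path and the umount path), so the declaration would need the same treatment there. The enclosing function begins before this hunk.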
@@ -148,10 +149,12 @@
dup2(fd, 1);
dup2(fd, 2);
+ char *env = NULL;
+
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
- "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
progname, strerror(errno));
exit(1);
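Review bot: The added `char *env = NULL;` is placed after the `dup2()` calls, i.e. a declaration after statements, whereas the first hunk put the equivalent declaration among the function's other locals. If this function declares its locals at the top (that part is outside the hunk), moving `char *env = NULL;` there keeps the two mount call sites consistent and avoids a declaration-after-statement warning on builds that enable it. The enclosing function starts before this hunk.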
@@ -205,10 +208,17 @@
goto out_restore;
}
if (res == 0) {
+ char *env = NULL;
+
sigprocmask(SIG_SETMASK, &oldmask, NULL);
setuid(geteuid());
- execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
- lazy ? "-l" : NULL, NULL);
+ if (lazy) {
+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+ "-l", NULL, &env);
+ } else {
+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+ NULL, &env);
+ }
fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
progname, strerror(errno));
exit(1);
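Review bot: The `if (lazy)` split duplicates the umount invocation only because execle's variadic argument list must end with NULL before the envp pointer, so the old `lazy ? "-l" : NULL, NULL` trick no longer fits. An argv array with execve keeps a single call and the same cleared environment: `char *const envp[] = { NULL };` / `char *argv[] = { "/bin/umount", "-i", rel_mnt, lazy ? "-l" : NULL, NULL };` / `execve("/bin/umount", argv, envp);`. The type of `rel_mnt` is outside the hunk; if it is const-qualified, the argv initializer needs a `(char *)` cast because execve takes `char *const argv[]`. The enclosing function starts before this hunk.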