Bug#772982: unblock: util-linux/2.25.2-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package util-linux
The latest upload fixes 2 RC bugs (one of them being security related)
and includes a whole lot of l10n updates thanks to David Prévot.
I'm attaching a filtered debdiff (excluding the actual language
string changes), plus the patch from upstream for the security
issue so you don't have to read patch-in-patch if you don't want to.
unblock util-linux/2.25.2-4
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
debdiff /var/cache/pbuilder/result/util-linux_2.25.2-[34].dsc | filterdiff -x '*/debian/patches/Update-*.patch' -x '*/debian/patches/Trivial-unfuzzy.patch'
diff -Nru util-linux-2.25.2/debian/changelog util-linux-2.25.2/debian/changelog
--- util-linux-2.25.2/debian/changelog 2014-11-17 11:25:26.000000000 +0100
+++ util-linux-2.25.2/debian/changelog 2014-12-12 18:26:14.000000000 +0100
@@ -1,3 +1,30 @@
+util-linux (2.25.2-4) unstable; urgency=medium
+
+ [ David Prévot ]
+ * Update POT and PO files and clean up .gmo files
+ * Update German translation, thanks to Mario Blättermann
+ * Update Spanish translation, thanks to Antonio Ceballos Roa
+ * Update French translation (Closes: #770506)
+ * Update Ukrainian translation, thanks to Yuri Chornoivan
+ * Update Brazilian Portuguese translation, thanks to Rafael Ferreira
+ * Update Chinese (simplified) translation, thanks to Wylmer Wang
+ * Update Danish translation, thanks to Joe Hansen
+ * Update Finnish translation, thanks to Lauri Nurmi
+ * Update Japanese translation, thanks to Takeshi Hamasaki
+ * Update Russian translation, thanks to Pavel Maryanov
+ * Trivial unfuzzy
+
+ [ Andreas Henriksson ]
+ * Add debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch
+ - from upstream git master commit 89e90ae7
+ "libblkid: care about unsafe chars in cache"
+ - This fixes CVE-2014-9114: blkid command injection
+ see https://security-tracker.debian.org/tracker/CVE-2014-9114
+ Thanks to Salvatore Bonaccorso (Closes: #771274)
+ * libuuid1: add passwd dependency for user migration (Closes: #771092)
+
+ -- Andreas Henriksson <andreas@fatal.se> Fri, 12 Dec 2014 18:23:24 +0100
+
util-linux (2.25.2-3) unstable; urgency=medium
* Ship fstrim timer/service units as examples only (Closes: #767194)
diff -Nru util-linux-2.25.2/debian/clean util-linux-2.25.2/debian/clean
--- util-linux-2.25.2/debian/clean 1970-01-01 01:00:00.000000000 +0100
+++ util-linux-2.25.2/debian/clean 2014-12-12 18:26:14.000000000 +0100
@@ -0,0 +1 @@
+po/*.gmo
diff -Nru util-linux-2.25.2/debian/control util-linux-2.25.2/debian/control
--- util-linux-2.25.2/debian/control 2014-11-17 11:25:26.000000000 +0100
+++ util-linux-2.25.2/debian/control 2014-12-12 18:26:14.000000000 +0100
@@ -208,7 +208,7 @@
Architecture: any
Section: libs
Pre-Depends: ${misc:Pre-Depends}
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: passwd, ${misc:Depends}, ${shlibs:Depends}
Recommends: uuid-runtime
Replaces: e2fsprogs (<< 1.34-1)
Multi-Arch: same
diff -Nru util-linux-2.25.2/debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch util-linux-2.25.2/debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch
--- util-linux-2.25.2/debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch 1970-01-01 01:00:00.000000000 +0100
+++ util-linux-2.25.2/debian/patches/libblkid-care-about-unsafe-chars-in-cache.patch 2014-12-12 18:26:14.000000000 +0100
@@ -0,0 +1,163 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 27 Nov 2014 13:39:35 +0100
+Subject: libblkid: care about unsafe chars in cache
+
+The high-level libblkid API uses /run/blkid/blkid.tab cache to
+store probing results. The cache format is
+
+ <device NAME="value" ...>devname</device>
+
+and unfortunately the cache code does not escape quotation marks:
+
+ # mkfs.ext4 -L 'AAA"BBB'
+
+ # cat /run/blkid/blkid.tab
+ ...
+ <device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
+
+such string is later incorrectly parsed and blkid(8) returns
+nonsenses. And for use-cases like
+
+ # eval $(blkid -o export /dev/sdb1)
+
+it's also insecure.
+
+Note that mount, udevd and blkid -p are based on low-level libblkid
+API, it bypass the cache and directly read data from the devices.
+
+The current udevd upstream does not depend on blkid(8) output at all,
+it's directly linked with the library and all unsafe chars are encoded by
+\x<hex> notation.
+
+ # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
+ # udevadm info --export-db | grep LABEL
+ ...
+ E: ID_FS_LABEL=X__/tmp/foo___
+ E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/read.c | 21 ++++++++++++++++++---
+ libblkid/src/save.c | 22 +++++++++++++++++++++-
+ misc-utils/blkid.8 | 5 ++++-
+ misc-utils/blkid.c | 4 ++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+
+diff --git a/libblkid/src/read.c b/libblkid/src/read.c
+index 0e91c9c..81ab0df 100644
+--- a/libblkid/src/read.c
++++ b/libblkid/src/read.c
+@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp)
+ *value = skip_over_blank(*value + 1);
+
+ if (**value == '"') {
+- end = strchr(*value + 1, '"');
+- if (!end) {
++ char *p = end = *value + 1;
++
++ /* convert 'foo\"bar' to 'foo"bar' */
++ while (*p) {
++ if (*p == '\\') {
++ p++;
++ *end = *p;
++ } else {
++ *end = *p;
++ if (*p == '"')
++ break;
++ }
++ p++;
++ end++;
++ }
++
++ if (*end != '"') {
+ DBG(READ, ul_debug("unbalanced quotes at: %s", *value));
+ *cp = *value;
+ return -BLKID_ERR_CACHE;
+ }
+ (*value)++;
+ *end = '\0';
+- end++;
++ end = ++p;
+ } else {
+ end = skip_over_word(*value);
+ if (*end) {
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 8216f09..5e8bbee 100644
+--- a/libblkid/src/save.c
++++ b/libblkid/src/save.c
+@@ -26,6 +26,21 @@
+
+ #include "blkidP.h"
+
++
++static void save_quoted(const char *data, FILE *file)
++{
++ const char *p;
++
++ fputc('"', file);
++ for (p = data; p && *p; p++) {
++ if ((unsigned char) *p == 0x22 || /* " */
++ (unsigned char) *p == 0x5c) /* \ */
++ fputc('\\', file);
++
++ fputc(*p, file);
++ }
++ fputc('"', file);
++}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+ struct list_head *p;
+@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file)
+
+ if (dev->bid_pri)
+ fprintf(file, " PRI=\"%d\"", dev->bid_pri);
++
+ list_for_each(p, &dev->bid_tags) {
+ blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
++
++ fputc(' ', file); /* space between tags */
++ fputs(tag->bit_name, file); /* tag NAME */
++ fputc('=', file); /* separator between NAME and VALUE */
++ save_quoted(tag->bit_val, file); /* tag "VALUE" */
+ }
+ fprintf(file, ">%s</device>\n", dev->bid_name);
+
+diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8
+index a974b8e..7c0e176 100644
+--- a/misc-utils/blkid.8
++++ b/misc-utils/blkid.8
+@@ -193,7 +193,10 @@ partitions. This output format is \fBDEPRECATED\fR.
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
++is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
++
++The non-printing characters are encoded by ^ and M- notation and all
++potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
+index a6ca660..1bd8646 100644
+--- a/misc-utils/blkid.c
++++ b/misc-utils/blkid.c
+@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname,
+ printf("DEVNAME=%s\n", devname);
+ fputs(name, stdout);
+ fputs("=", stdout);
+- safe_print(value, valsz, NULL);
++ safe_print(value, valsz, " \\\"'$`<>");
+ fputs("\n", stdout);
+
+ } else {
+@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname,
+ fputs(" ", stdout);
+ fputs(name, stdout);
+ fputs("=\"", stdout);
+- safe_print(value, valsz, "\"");
++ safe_print(value, valsz, "\"\\");
+ fputs("\"", stdout);
+ }
+ }
diff -Nru util-linux-2.25.2/debian/patches/series util-linux-2.25.2/debian/patches/series
--- util-linux-2.25.2/debian/patches/series 2014-11-17 11:25:26.000000000 +0100
+++ util-linux-2.25.2/debian/patches/series 2014-12-12 18:26:14.000000000 +0100
@@ -3,3 +3,17 @@
man-page-tweaks-cleanup-my_dev_t.h-ancient-stuff.patch
Disable-the-fallback-clause-in-hwclock-when-dev-rtc-.patch
verbose-tests.patch
+Update-POT-file.patch
+Update-PO-files.patch
+Update-German-translation.patch
+Update-Spanish-translation.patch
+Update-French-translation.patch
+Update-Ukrainian-translation.patch
+Update-Brazilian-Portuguese-translation.patch
+Update-Chinese-simplified-translation.patch
+Update-Danish-translation.patch
+Update-Finnish-translation.patch
+Update-Japanese-translation.patch
+Update-Russian-translation.patch
+Trivial-unfuzzy.patch
+libblkid-care-about-unsafe-chars-in-cache.patch
diff -Nru util-linux-2.25.2/debian/patches/Trivial-unfuzzy.patch util-linux-2.25.2/debian/patches/Trivial-unfuzzy.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Brazilian-Portuguese-translation.patch util-linux-2.25.2/debian/patches/Update-Brazilian-Portuguese-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Chinese-simplified-translation.patch util-linux-2.25.2/debian/patches/Update-Chinese-simplified-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Danish-translation.patch util-linux-2.25.2/debian/patches/Update-Danish-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Finnish-translation.patch util-linux-2.25.2/debian/patches/Update-Finnish-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-French-translation.patch util-linux-2.25.2/debian/patches/Update-French-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-German-translation.patch util-linux-2.25.2/debian/patches/Update-German-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Japanese-translation.patch util-linux-2.25.2/debian/patches/Update-Japanese-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-PO-files.patch util-linux-2.25.2/debian/patches/Update-PO-files.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-POT-file.patch util-linux-2.25.2/debian/patches/Update-POT-file.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Russian-translation.patch util-linux-2.25.2/debian/patches/Update-Russian-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Spanish-translation.patch util-linux-2.25.2/debian/patches/Update-Spanish-translation.patch
diff -Nru util-linux-2.25.2/debian/patches/Update-Ukrainian-translation.patch util-linux-2.25.2/debian/patches/Update-Ukrainian-translation.patch
From: Karel Zak <kzak@redhat.com>
Date: Thu, 27 Nov 2014 13:39:35 +0100
Subject: libblkid: care about unsafe chars in cache
The high-level libblkid API uses /run/blkid/blkid.tab cache to
store probing results. The cache format is
<device NAME="value" ...>devname</device>
and unfortunately the cache code does not escape quotation marks:
# mkfs.ext4 -L 'AAA"BBB'
# cat /run/blkid/blkid.tab
...
<device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
such string is later incorrectly parsed and blkid(8) returns
nonsenses. And for use-cases like
# eval $(blkid -o export /dev/sdb1)
it's also insecure.
Note that mount, udevd and blkid -p are based on low-level libblkid
API, it bypass the cache and directly read data from the devices.
The current udevd upstream does not depend on blkid(8) output at all,
it's directly linked with the library and all unsafe chars are encoded by
\x<hex> notation.
# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
# udevadm info --export-db | grep LABEL
...
E: ID_FS_LABEL=X__/tmp/foo___
E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/read.c | 21 ++++++++++++++++++---
libblkid/src/save.c | 22 +++++++++++++++++++++-
misc-utils/blkid.8 | 5 ++++-
misc-utils/blkid.c | 4 ++--
4 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/libblkid/src/read.c b/libblkid/src/read.c
index 0e91c9c..81ab0df 100644
--- a/libblkid/src/read.c
+++ b/libblkid/src/read.c
@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp)
*value = skip_over_blank(*value + 1);
if (**value == '"') {
- end = strchr(*value + 1, '"');
- if (!end) {
+ char *p = end = *value + 1;
+
+ /* convert 'foo\"bar' to 'foo"bar' */
+ while (*p) {
+ if (*p == '\\') {
+ p++;
+ *end = *p;
+ } else {
+ *end = *p;
+ if (*p == '"')
+ break;
+ }
+ p++;
+ end++;
+ }
+
+ if (*end != '"') {
DBG(READ, ul_debug("unbalanced quotes at: %s", *value));
*cp = *value;
return -BLKID_ERR_CACHE;
}
(*value)++;
*end = '\0';
- end++;
+ end = ++p;
} else {
end = skip_over_word(*value);
if (*end) {
diff --git a/libblkid/src/save.c b/libblkid/src/save.c
index 8216f09..5e8bbee 100644
--- a/libblkid/src/save.c
+++ b/libblkid/src/save.c
@@ -26,6 +26,21 @@
#include "blkidP.h"
+
+static void save_quoted(const char *data, FILE *file)
+{
+ const char *p;
+
+ fputc('"', file);
+ for (p = data; p && *p; p++) {
+ if ((unsigned char) *p == 0x22 || /* " */
+ (unsigned char) *p == 0x5c) /* \ */
+ fputc('\\', file);
+
+ fputc(*p, file);
+ }
+ fputc('"', file);
+}
static int save_dev(blkid_dev dev, FILE *file)
{
struct list_head *p;
@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file)
if (dev->bid_pri)
fprintf(file, " PRI=\"%d\"", dev->bid_pri);
+
list_for_each(p, &dev->bid_tags) {
blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
+
+ fputc(' ', file); /* space between tags */
+ fputs(tag->bit_name, file); /* tag NAME */
+ fputc('=', file); /* separator between NAME and VALUE */
+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
}
fprintf(file, ">%s</device>\n", dev->bid_name);
diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8
index a974b8e..7c0e176 100644
--- a/misc-utils/blkid.8
+++ b/misc-utils/blkid.8
@@ -193,7 +193,10 @@ partitions. This output format is \fBDEPRECATED\fR.
.TP
.B export
print key=value pairs for easy import into the environment; this output format
-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
+
+The non-printing characters are encoded by ^ and M- notation and all
+potentially unsafe characters are escaped.
.RE
.TP
.BI \-O " offset"
diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
index a6ca660..1bd8646 100644
--- a/misc-utils/blkid.c
+++ b/misc-utils/blkid.c
@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname,
printf("DEVNAME=%s\n", devname);
fputs(name, stdout);
fputs("=", stdout);
- safe_print(value, valsz, NULL);
+ safe_print(value, valsz, " \\\"'$`<>");
fputs("\n", stdout);
} else {
@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname,
fputs(" ", stdout);
fputs(name, stdout);
fputs("=\"", stdout);
- safe_print(value, valsz, "\"");
+ safe_print(value, valsz, "\"\\");
fputs("\"", stdout);
}
}
Reply to: