Tree - rpms/udisks2 - CentOS Git server

rpms / udisks2

Blame SOURCES/udisks-2.x.x-CVE-2014-0004.patch

Blob History Raw

		5137f5	`From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001`
		5137f5	`From: David Zeuthen <zeuthen@gmail.com>`
		5137f5	`Date: Wed, 12 Feb 2014 20:01:41 -0800`
		5137f5	`Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long`
		5137f5	`path names`
		5137f5
		5137f5	`Fix this by being more careful when parsing strings.`
		5137f5
		5137f5	`Acknowledgements: This issue was discovered by Florian Weimer of the`
		5137f5	`Red Hat Product Security Team.`
		5137f5
		5137f5	`Signed-off-by: David Zeuthen <zeuthen@gmail.com>`
		5137f5	`---`
		5137f5	`src/udisksmountmonitor.c \| 21 +++++++++++++--------`
		5137f5	`1 file changed, 13 insertions(+), 8 deletions(-)`
		5137f5
		5137f5	`diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c`
		5137f5	`index 8af1028..77cf94c 100644`
		5137f5	`--- a/src/udisksmountmonitor.c`
		5137f5	`+++ b/src/udisksmountmonitor.c`
		5137f5	`@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,`
		5137f5	`guint mount_id;`
		5137f5	`guint parent_id;`
		5137f5	`guint major, minor;`
		5137f5	`- gchar encoded_root[PATH_MAX];`
		5137f5	`- gchar encoded_mount_point[PATH_MAX];`
		5137f5	`+ gchar encoded_root[4096];`
		5137f5	`+ gchar encoded_mount_point[4096];`
		5137f5	`gchar *mount_point;`
		5137f5	`dev_t dev;`
		5137f5
		5137f5	`@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,`
		5137f5	`continue;`
		5137f5
		5137f5	`if (sscanf (lines[n],`
		5137f5	`- "%d %d %d:%d %s %s",`
		5137f5	`+ "%d %d %d:%d %4095s %4095s",`
		5137f5	`&mount_id,`
		5137f5	`&parent_id,`
		5137f5	`&major,`
		5137f5	`@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,`
		5137f5	`udisks_warning ("Error parsing line '%s'", lines[n]);`
		5137f5	`continue;`
		5137f5	`}`
		5137f5	`+ encoded_root[sizeof encoded_root - 1] = '\0';`
		5137f5	`+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';`
		5137f5
		5137f5	`/* Temporary work-around for btrfs, see`
		5137f5	`*`
		5137f5	`@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,`
		5137f5	`sep = strstr (lines[n], " - ");`
		5137f5	`if (sep != NULL)`
		5137f5	`{`
		5137f5	`- gchar fstype[PATH_MAX];`
		5137f5	`- gchar mount_source[PATH_MAX];`
		5137f5	`+ gchar fstype[4096];`
		5137f5	`+ gchar mount_source[4096];`
		5137f5	`struct stat statbuf;`
		5137f5
		5137f5	`- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)`
		5137f5	`+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)`
		5137f5	`{`
		5137f5	`udisks_warning ("Error parsing things past - for '%s'", lines[n]);`
		5137f5	`continue;`
		5137f5	`}`
		5137f5	`+ fstype[sizeof fstype - 1] = '\0';`
		5137f5	`+ mount_source[sizeof mount_source - 1] = '\0';`
		5137f5
		5137f5	`if (g_strcmp0 (fstype, "btrfs") != 0)`
		5137f5	`continue;`
		5137f5	`@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,`
		5137f5	`lines = g_strsplit (contents, "\n", 0);`
		5137f5	`for (n = 0; lines[n] != NULL; n++)`
		5137f5	`{`
		5137f5	`- gchar filename[PATH_MAX];`
		5137f5	`+ gchar filename[4096];`
		5137f5	`struct stat statbuf;`
		5137f5	`dev_t dev;`
		5137f5
		5137f5	`@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,`
		5137f5	`if (strlen (lines[n]) == 0)`
		5137f5	`continue;`
		5137f5
		5137f5	`- if (sscanf (lines[n], "%s", filename) != 1)`
		5137f5	`+ if (sscanf (lines[n], "%4095s", filename) != 1)`
		5137f5	`{`
		5137f5	`udisks_warning ("Error parsing line '%s'", lines[n]);`
		5137f5	`continue;`
		5137f5	`}`
		5137f5	`+ filename[sizeof filename - 1] = '\0';`
		5137f5
		5137f5	`if (stat (filename, &statbuf) != 0)`
		5137f5	`{`
		5137f5	`--`
		5137f5	`1.8.5.3`
		5137f5

rpms / udisks2

Source Code

Blame SOURCES/udisks-2.x.x-CVE-2014-0004.patch