Hello community, here is the log from the commit of package util-linux for openSUSE:Factory checked in at 2015-02-16 15:02:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/util-linux (Old) and /work/SRC/openSUSE:Factory/.util-linux.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "util-linux" Changes: -------- --- /work/SRC/openSUSE:Factory/util-linux/python-libmount.changes 2015-01-30 06:01:01.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.util-linux.new/python-libmount.changes 2015-02-16 17:48:59.000000000 +0100 @@ -1,0 +2,27 @@ +Fri Feb 6 17:01:02 UTC 2015 - [email protected] + +- Do not try to unregister an info file (ipc.info.gz) which we do + not own. Already in May 2011, we stopped registering it: "do not + register ipc.info.gz (not provided by this package)". + +------------------------------------------------------------------- +Wed Feb 4 19:08:43 CET 2015 - [email protected] + +- libblkid: care about unsafe chars and possible buffer overflow + in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch, + util-linux-libblkid-overflow.patch, bsc#907434) + +------------------------------------------------------------------- +Thu Jan 29 14:13:41 UTC 2015 - [email protected] + +- Update to version 2.25.2: mostly minor fixes + (including boo#908742) +- re-enable utmpdump and ipcs tests for all archs + +------------------------------------------------------------------- +Thu Jan 15 17:15:47 UTC 2015 - [email protected] + +- Use util-linux:/bin/logger as split-provide, + /usr/lib/systemd/system/fstrim.service didn't exist in 13.1 + +------------------------------------------------------------------- util-linux-systemd.changes: same change util-linux.changes: same change Old: ---- util-linux-2.25.1.tar.sign util-linux-2.25.1.tar.xz New: ---- util-linux-2.25.2.tar.sign util-linux-2.25.2.tar.xz util-linux-libblkid-overflow.patch util-linux-libblkid-unsafe-chars.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-libmount.spec ++++++ --- /var/tmp/diff_new_pack.RGTX4C/_old 2015-02-16 17:49:00.000000000 +0100 +++ /var/tmp/diff_new_pack.RGTX4C/_new 2015-02-16 17:49:00.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-libmount # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -120,7 +120,7 @@ %endif %endif #END SECOND STAGE DEPENDENCIES -Version: 2.25.1 +Version: 2.25.2 Release: 0 # util-linux is a base package and uuidd pre-requiring pwdutils pulls # that into the core build cycle. pwdutils also pulls in the whole @@ -160,6 +160,10 @@ Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff # PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr. Patch12: util-linux-noenc-suse.patch +# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 [email protected] -- libblkid: care about unsafe chars in cache +Patch13: util-linux-libblkid-unsafe-chars.patch +# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 [email protected] -- libblkid: fix possible buffer overflow +Patch14: util-linux-libblkid-overflow.patch ## ## klogconsole ## @@ -215,7 +219,7 @@ %if %build_util_linux_systemd Supplements: packageand(util-linux:systemd) # Split-provides for upgrade from SLE < 12 and openSUSE <= 13.1 -Provides: util-linux:/usr/lib/systemd/system/fstrim.service +Provides: util-linux:/bin/logger # Service files are being migrated during the update from SLE < 12 and openSUSE <= 13.1 Conflicts: util-linux < 2.25 %systemd_requires @@ -384,6 +388,8 @@ %setup -q -n %{_name}-%{version} -b 40 %patch4 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 # # setctsid cp -p %{S:22} %{S:23} . @@ -610,13 +616,8 @@ export TS_OPT_kill_print_pid_known_fail="yes" export TS_OPT_kill_queue_known_fail="yes" %endif -%ifarch aarch64 s390 s390x -export TS_OPT_utmpdump_known_fail="yes" -%endif # FIXME: These sometimes fails: export TS_OPT_libmount_lock_known_fail="yes" -# FIXME: It still fails with 3a9ec12: -export TS_OPT_ipcs_limits2_known_fail="yes" # # hacks export PATH="$PATH:/sbin:/usr/sbin" @@ -826,7 +827,6 @@ fi %postun -%install_info_delete --info-dir=%{_infodir} %{_infodir}/ipc.info.gz %{insserv_cleanup} %verifyscript @@ -902,14 +902,12 @@ %doc Documentation/cal.txt %doc Documentation/col.txt %doc Documentation/deprecated.txt -%doc Documentation/fdisk.txt %doc Documentation/getopt.txt %doc Documentation/howto-debug.txt %doc Documentation/hwclock.txt %doc Documentation/modems-with-agetty.txt %doc Documentation/mount.txt %doc Documentation/pg.txt -%doc Documentation/sfdisk.txt %config %attr(744,root,root) %{_sysconfdir}/init.d/raw %config(noreplace) %attr(644,root,root) %{_sysconfdir}/raw %config(noreplace) %{_sysconfdir}/filesystems util-linux-systemd.spec: same change ++++++ util-linux.spec ++++++ --- /var/tmp/diff_new_pack.RGTX4C/_old 2015-02-16 17:49:00.000000000 +0100 +++ /var/tmp/diff_new_pack.RGTX4C/_new 2015-02-16 17:49:00.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package util-linux # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -120,7 +120,7 @@ %endif %endif #END SECOND STAGE DEPENDENCIES -Version: 2.25.1 +Version: 2.25.2 Release: 0 # util-linux is a base package and uuidd pre-requiring pwdutils pulls # that into the core build cycle. pwdutils also pulls in the whole @@ -160,6 +160,10 @@ Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff # PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr. Patch12: util-linux-noenc-suse.patch +# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 [email protected] -- libblkid: care about unsafe chars in cache +Patch13: util-linux-libblkid-unsafe-chars.patch +# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 [email protected] -- libblkid: fix possible buffer overflow +Patch14: util-linux-libblkid-overflow.patch ## ## klogconsole ## @@ -215,7 +219,7 @@ %if %build_util_linux_systemd Supplements: packageand(util-linux:systemd) # Split-provides for upgrade from SLE < 12 and openSUSE <= 13.1 -Provides: util-linux:/usr/lib/systemd/system/fstrim.service +Provides: util-linux:/bin/logger # Service files are being migrated during the update from SLE < 12 and openSUSE <= 13.1 Conflicts: util-linux < 2.25 %systemd_requires @@ -383,6 +387,8 @@ %setup -q -n %{_name}-%{version} -b 40 %patch4 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 # # setctsid cp -p %{S:22} %{S:23} . @@ -609,13 +615,8 @@ export TS_OPT_kill_print_pid_known_fail="yes" export TS_OPT_kill_queue_known_fail="yes" %endif -%ifarch aarch64 s390 s390x -export TS_OPT_utmpdump_known_fail="yes" -%endif # FIXME: These sometimes fails: export TS_OPT_libmount_lock_known_fail="yes" -# FIXME: It still fails with 3a9ec12: -export TS_OPT_ipcs_limits2_known_fail="yes" # # hacks export PATH="$PATH:/sbin:/usr/sbin" @@ -825,7 +826,6 @@ fi %postun -%install_info_delete --info-dir=%{_infodir} %{_infodir}/ipc.info.gz %{insserv_cleanup} %verifyscript @@ -901,14 +901,12 @@ %doc Documentation/cal.txt %doc Documentation/col.txt %doc Documentation/deprecated.txt -%doc Documentation/fdisk.txt %doc Documentation/getopt.txt %doc Documentation/howto-debug.txt %doc Documentation/hwclock.txt %doc Documentation/modems-with-agetty.txt %doc Documentation/mount.txt %doc Documentation/pg.txt -%doc Documentation/sfdisk.txt %config %attr(744,root,root) %{_sysconfdir}/init.d/raw %config(noreplace) %attr(644,root,root) %{_sysconfdir}/raw %config(noreplace) %{_sysconfdir}/filesystems ++++++ util-linux-2.25.1.tar.xz -> util-linux-2.25.2.tar.xz ++++++ ++++ 110735 lines of diff (skipped) ++++++ util-linux-libblkid-overflow.patch ++++++ >From 109df14fad4e9570e26950913ebace6c79289400 Mon Sep 17 00:00:00 2001 From: Sebastian Krahmer <[email protected]> Date: Fri, 5 Dec 2014 10:06:42 +0100 Subject: [PATCH] libblkid: fix potential bufer overflows While digging deeper into libblk probing, I found that some computations might wrap and allocate too few buffer space which then overflows. In particular on 32bit systems (chromebook) where size_t is 32bit, this is problematic (for 64bit the result fits into the calloc size_t). Signed-off-by: Karel Zak <[email protected]> --- libblkid/src/partitions/gpt.c | 12 ++++++++---- libblkid/src/probe.c | 7 +++++++ libblkid/src/superblocks/zfs.c | 3 +++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/libblkid/src/partitions/gpt.c b/libblkid/src/partitions/gpt.c index 6ab4f71..665577f 100644 --- a/libblkid/src/partitions/gpt.c +++ b/libblkid/src/partitions/gpt.c @@ -17,6 +17,7 @@ #include <stdlib.h> #include <stdint.h> #include <stddef.h> +#include <limits.h> #include "partitions.h" #include "crc32.h" @@ -263,14 +264,17 @@ static struct gpt_header *get_gpt_header( return NULL; } - /* Size of blocks with GPT entries */ - esz = le32_to_cpu(h->num_partition_entries) * - le32_to_cpu(h->sizeof_partition_entry); - if (!esz) { + if (le32_to_cpu(h->num_partition_entries) == 0 || + le32_to_cpu(h->sizeof_partition_entry) == 0 || + ULONG_MAX / le32_to_cpu(h->num_partition_entries) < le32_to_cpu(h->sizeof_partition_entry)) { DBG(LOWPROBE, ul_debug("GPT entries undefined")); return NULL; } + /* Size of blocks with GPT entries */ + esz = le32_to_cpu(h->num_partition_entries) * + le32_to_cpu(h->sizeof_partition_entry); + /* The header seems valid, save it * (we don't care about zeros in hdr->reserved2 area) */ memcpy(hdr, h, sizeof(*h)); diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c index 3f7e43b..70e882a 100644 --- a/libblkid/src/probe.c +++ b/libblkid/src/probe.c @@ -103,6 +103,7 @@ #include <inttypes.h> #include <stdint.h> #include <stdarg.h> +#include <limits.h> #ifdef HAVE_LIBUUID # include <uuid.h> @@ -578,6 +579,12 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, return NULL; } + /* someone trying to overflow some buffers? */ + if (len > ULONG_MAX - sizeof(struct blkid_bufinfo)) { + errno = ENOMEM; + return NULL; + } + /* allocate info and space for data by why call */ bf = calloc(1, sizeof(struct blkid_bufinfo) + len); if (!bf) { diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c index 6ffa24d..86da59d 100644 --- a/libblkid/src/superblocks/zfs.c +++ b/libblkid/src/superblocks/zfs.c @@ -12,6 +12,7 @@ #include <errno.h> #include <ctype.h> #include <inttypes.h> +#include <limits.h> #include "superblocks.h" @@ -108,6 +109,8 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset) nvs->nvs_type = be32_to_cpu(nvs->nvs_type); nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen); + if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs)) + break; avail -= nvs->nvs_strlen + sizeof(*nvs); nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type, nvs->nvs_strlen, nvs->nvs_string); -- 2.2.2 ++++++ util-linux-libblkid-unsafe-chars.patch ++++++ >From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001 From: Karel Zak <[email protected]> Date: Thu, 27 Nov 2014 13:39:35 +0100 Subject: [PATCH] libblkid: care about unsafe chars in cache The high-level libblkid API uses /run/blkid/blkid.tab cache to store probing results. The cache format is <device NAME="value" ...>devname</device> and unfortunately the cache code does not escape quotation marks: # mkfs.ext4 -L 'AAA"BBB' # cat /run/blkid/blkid.tab ... <device ... LABEL="AAA"BBB" ...>/dev/sdb1</device> such string is later incorrectly parsed and blkid(8) returns nonsenses. And for use-cases like # eval $(blkid -o export /dev/sdb1) it's also insecure. Note that mount, udevd and blkid -p are based on low-level libblkid API, it bypass the cache and directly read data from the devices. The current udevd upstream does not depend on blkid(8) output at all, it's directly linked with the library and all unsafe chars are encoded by \x<hex> notation. # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1 # udevadm info --export-db | grep LABEL ... E: ID_FS_LABEL=X__/tmp/foo___ E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22 Signed-off-by: Karel Zak <[email protected]> --- libblkid/src/read.c | 21 ++++++++++++++++++--- libblkid/src/save.c | 22 +++++++++++++++++++++- misc-utils/blkid.8 | 5 ++++- misc-utils/blkid.c | 4 ++-- 4 files changed, 45 insertions(+), 7 deletions(-) diff --git a/libblkid/src/read.c b/libblkid/src/read.c index 0e91c9c..81ab0df 100644 --- a/libblkid/src/read.c +++ b/libblkid/src/read.c @@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp) *value = skip_over_blank(*value + 1); if (**value == '"') { - end = strchr(*value + 1, '"'); - if (!end) { + char *p = end = *value + 1; + + /* convert 'foo\"bar' to 'foo"bar' */ + while (*p) { + if (*p == '\\') { + p++; + *end = *p; + } else { + *end = *p; + if (*p == '"') + break; + } + p++; + end++; + } + + if (*end != '"') { DBG(READ, ul_debug("unbalanced quotes at: %s", *value)); *cp = *value; return -BLKID_ERR_CACHE; } (*value)++; *end = '\0'; - end++; + end = ++p; } else { end = skip_over_word(*value); if (*end) { diff --git a/libblkid/src/save.c b/libblkid/src/save.c index 8216f09..5e8bbee 100644 --- a/libblkid/src/save.c +++ b/libblkid/src/save.c @@ -26,6 +26,21 @@ #include "blkidP.h" + +static void save_quoted(const char *data, FILE *file) +{ + const char *p; + + fputc('"', file); + for (p = data; p && *p; p++) { + if ((unsigned char) *p == 0x22 || /* " */ + (unsigned char) *p == 0x5c) /* \ */ + fputc('\\', file); + + fputc(*p, file); + } + fputc('"', file); +} static int save_dev(blkid_dev dev, FILE *file) { struct list_head *p; @@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file) if (dev->bid_pri) fprintf(file, " PRI=\"%d\"", dev->bid_pri); + list_for_each(p, &dev->bid_tags) { blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags); - fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val); + + fputc(' ', file); /* space between tags */ + fputs(tag->bit_name, file); /* tag NAME */ + fputc('=', file); /* separator between NAME and VALUE */ + save_quoted(tag->bit_val, file); /* tag "VALUE" */ } fprintf(file, ">%s</device>\n", dev->bid_name); diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8 index 156a14b..c95b833 100644 --- a/misc-utils/blkid.8 +++ b/misc-utils/blkid.8 @@ -200,7 +200,10 @@ partitions. This output format is \fBDEPRECATED\fR. .TP .B export print key=value pairs for easy import into the environment; this output format -is automatically enabled when I/O Limits (\fB-i\fR option) are requested +is automatically enabled when I/O Limits (\fB-i\fR option) are requested. + +The non-printing characters are encoded by ^ and M- notation and all +potentially unsafe characters are escaped. .RE .TP .BI \-O " offset" diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c index a6ca660..1bd8646 100644 --- a/misc-utils/blkid.c +++ b/misc-utils/blkid.c @@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname, printf("DEVNAME=%s\n", devname); fputs(name, stdout); fputs("=", stdout); - safe_print(value, valsz, NULL); + safe_print(value, valsz, " \\\"'$`<>"); fputs("\n", stdout); } else { @@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname, fputs(" ", stdout); fputs(name, stdout); fputs("=\"", stdout); - safe_print(value, valsz, "\""); + safe_print(value, valsz, "\"\\"); fputs("\"", stdout); } } -- 2.2.2 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
