Hello community, here is the log from the commit of package util-linux for openSUSE:Factory checked in at 2013-01-08 15:05:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/util-linux (Old) and /work/SRC/openSUSE:Factory/.util-linux.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "util-linux", Maintainer is "pu...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/util-linux/util-linux.changes 2013-01-03 13:54:37.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.util-linux.new/util-linux.changes 2013-01-08 15:05:10.000000000 +0100 @@ -1,0 +2,9 @@ +Mon Jan 7 13:26:15 UTC 2013 - pu...@suse.com + +- add-canonicalize_path_restricted.patch, + mount-sanitize-paths-from-non-root-users.patch, + umount-sanitize-paths-from-non-root-users.patch: + prevent leaking information about existence of folders + (bnc#797002, CVE-2013-0157) + +------------------------------------------------------------------- New: ---- add-canonicalize_path_restricted.patch mount-sanitize-paths-from-non-root-users.patch umount-sanitize-paths-from-non-root-users.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ util-linux.spec ++++++ --- /var/tmp/diff_new_pack.EnOIXH/_old 2013-01-08 15:05:14.000000000 +0100 +++ /var/tmp/diff_new_pack.EnOIXH/_new 2013-01-08 15:05:14.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package util-linux # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -106,6 +106,13 @@ # hack for boot.localfs Patch20: util-linux-HACK-boot.localfs.diff + +Patch21: 0001-include-bitops.h-Use-the-operating-system-byteswappi.patch + +#bnc#797002 +Patch22: add-canonicalize_path_restricted.patch +Patch23: mount-sanitize-paths-from-non-root-users.patch +Patch24: umount-sanitize-paths-from-non-root-users.patch ##### ## @@ -121,8 +128,6 @@ ## Patch60: time-1.7.dif -Patch61: 0001-include-bitops.h-Use-the-operating-system-byteswappi.patch - BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %insserv_prereq %fillup_prereq /bin/sed # @@ -223,7 +228,10 @@ %patch13 -p1 # %patch20 -p1 -%patch61 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 # cd adjtimex-* # adjtimex patches belongs here ++++++ add-canonicalize_path_restricted.patch ++++++ >From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001 From: Karel Zak <k...@redhat.com> Date: Mon, 26 Nov 2012 16:24:28 +0100 Subject: [PATCH] lib/canonicalize: add canonicalize_path_restricted() to canonicalize without suid permisssions Signed-off-by: Karel Zak <k...@redhat.com> Signed-off-by: Petr Uzel <petr.u...@suse.cz> --- include/canonicalize.h | 1 + lib/canonicalize.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) Index: util-linux-2.21.2/include/canonicalize.h =================================================================== --- util-linux-2.21.2.orig/include/canonicalize.h +++ util-linux-2.21.2/include/canonicalize.h @@ -4,6 +4,7 @@ #include "c.h" /* for PATH_MAX */ extern char *canonicalize_path(const char *path); +extern char *canonicalize_path_restricted(const char *path); extern char *canonicalize_dm_name(const char *ptname); #endif /* CANONICALIZE_H */ Index: util-linux-2.21.2/lib/canonicalize.c =================================================================== --- util-linux-2.21.2.orig/lib/canonicalize.c +++ util-linux-2.21.2/lib/canonicalize.c @@ -188,6 +188,48 @@ canonicalize_path(const char *path) return strdup(canonical); } +char * +canonicalize_path_restricted(const char *path) +{ + char canonical[PATH_MAX+2]; + char *p = NULL; + int errsv; + uid_t euid; + gid_t egid; + + if (path == NULL) + return NULL; + + euid = geteuid(); + egid = getegid(); + + /* drop permissions */ + if (setegid(getgid()) < 0 || seteuid(getuid()) < 0) + return NULL; + + errsv = errno = 0; + + if (myrealpath(path, canonical, PATH_MAX+1)) { + p = strrchr(canonical, '/'); + if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4))) + p = canonicalize_dm_name(p+1); + else + p = NULL; + if (!p) + p = strdup(canonical); + } else + errsv = errno; + + /* restore */ + if (setegid(egid) < 0 || seteuid(euid) < 0) { + free(p); + return NULL; + } + + errno = errsv; + return p; +} + #ifdef TEST_PROGRAM_CANONICALIZE int main(int argc, char **argv) ++++++ mount-sanitize-paths-from-non-root-users.patch ++++++ >From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001 From: Karel Zak <k...@redhat.com> Date: Mon, 26 Nov 2012 14:30:22 +0100 Subject: [PATCH] mount: sanitize paths from non-root users $ mount /root/.ssh/../../dev/sda2 mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot this is too promiscuous. It seems better to ignore on command line specified paths which are not resolve-able for non-root users. Fixed version: $ mount /root/.ssh/../../dev/sda2 mount: /root/.ssh/../../dev/sda2: Permission denied $ mount /dev/sda2 mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot Note that this bug has no relation to mount(2) permissions evaluation in suid mode. The way how non-root user specifies paths on command line is completely irrelevant for comparison with fstab entries. Signed-off-by: Karel Zak <k...@redhat.com> Signed-off-by: Petr Uzel <petr.u...@suse.cz> --- sys-utils/Makefile.am | 1 + sys-utils/mount.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) Index: util-linux-2.21.2/sys-utils/Makefile.am =================================================================== --- util-linux-2.21.2.orig/sys-utils/Makefile.am +++ util-linux-2.21.2/sys-utils/Makefile.am @@ -64,6 +64,7 @@ dist_man_MANS += mount.8 ../mount/fstab. mount_SOURCES = mount.c \ $(top_srcdir)/lib/env.c \ $(top_srcdir)/lib/xgetpass.c \ + $(top_srcdir)/lib/canonicalize.c \ $(top_srcdir)/lib/strutils.c mount_LDADD = $(ul_libmount_la) $(SELINUX_LIBS) Index: util-linux-2.21.2/sys-utils/mount.c =================================================================== --- util-linux-2.21.2.orig/sys-utils/mount.c +++ util-linux-2.21.2/sys-utils/mount.c @@ -38,6 +38,7 @@ #include "strutils.h" #include "exitcodes.h" #include "xalloc.h" +#include "canonicalize.h" /*** TODO: DOCS: * @@ -572,6 +573,37 @@ static struct libmnt_table *append_fstab return fstab; } +/* + * Check source and target paths -- non-root user should not be able to + * resolve paths which are unreadable for him. + */ +static void sanitize_paths(struct libmnt_context *cxt) +{ + const char *p; + struct libmnt_fs *fs = mnt_context_get_fs(cxt); + + if (!fs) + return; + + p = mnt_fs_get_target(fs); + if (p) { + char *np = canonicalize_path_restricted(p); + if (!np) + err(MOUNT_EX_USAGE, "%s", p); + mnt_fs_set_target(fs, np); + free(np); + } + + p = mnt_fs_get_srcpath(fs); + if (p) { + char *np = canonicalize_path_restricted(p); + if (!np) + err(MOUNT_EX_USAGE, "%s", p); + mnt_fs_set_source(fs, np); + free(np); + } +} + static void __attribute__((__noreturn__)) usage(FILE *out) { fputs(USAGE_HEADER, out); @@ -880,6 +912,9 @@ int main(int argc, char **argv) } else usage(stderr); + if (mnt_context_is_restricted(cxt)) + sanitize_paths(cxt); + if (oper) { /* MS_PROPAGATION operations, let's set the mount flags */ mnt_context_set_mflags(cxt, oper); ++++++ umount-sanitize-paths-from-non-root-users.patch ++++++ >From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001 From: Karel Zak <k...@redhat.com> Date: Mon, 26 Nov 2012 16:25:46 +0100 Subject: [PATCH] umount: sanitize paths from non-root users Signed-off-by: Karel Zak <k...@redhat.com> Signed-off-by: Petr Uzel <petr.u...@suse.cz> --- sys-utils/Makefile.am | 4 +++- sys-utils/umount.c | 32 ++++++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 3 deletions(-) Index: util-linux-2.21.2/sys-utils/Makefile.am =================================================================== --- util-linux-2.21.2.orig/sys-utils/Makefile.am +++ util-linux-2.21.2/sys-utils/Makefile.am @@ -71,7 +71,9 @@ mount_LDADD = $(ul_libmount_la) $(SELINU mount_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) -I$(ul_libmount_incdir) mount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS) -umount_SOURCES = umount.c $(top_srcdir)/lib/env.c +umount_SOURCES = umount.c \ + $(top_srcdir)/lib/env.c \ + $(top_srcdir)/lib/canonicalize.c umount_LDADD = $(ul_libmount_la) umount_CFLAGS = $(AM_CFLAGS) $(SUID_CFLAGS) -I$(ul_libmount_incdir) umount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS) Index: util-linux-2.21.2/sys-utils/umount.c =================================================================== --- util-linux-2.21.2.orig/sys-utils/umount.c +++ util-linux-2.21.2/sys-utils/umount.c @@ -34,6 +34,7 @@ #include "env.h" #include "optutils.h" #include "exitcodes.h" +#include "canonicalize.h" static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)), const char *filename, int line) @@ -277,6 +278,24 @@ static int umount_one(struct libmnt_cont return rc; } +/* + * Check path -- non-root user should not be able to resolve path which is + * unreadable for him. + */ +static char *sanitize_path(const char *path) +{ + char *p; + + if (!path) + return NULL; + + p = canonicalize_path_restricted(path); + if (!p) + err(MOUNT_EX_USAGE, "%s", path); + + return p; +} + int main(int argc, char **argv) { int c, rc = 0, all = 0; @@ -388,8 +407,17 @@ int main(int argc, char **argv) } else if (argc < 1) { usage(stderr); - } else while (argc--) - rc += umount_one(cxt, *argv++); + } else while (argc--) { + char *path = *argv++; + + if (mnt_context_is_restricted(cxt)) + path = sanitize_path(path); + + rc += umount_one(cxt, path); + + if (mnt_context_is_restricted(cxt)) + free(path); + } mnt_free_context(cxt); return rc; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org