From 59ea2d7ba5089b64f5ba7c243c17c73a1a66f8b0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 5 Apr 2014 19:10:35 +0200
Subject: Apply patch for CVE-2014-0004 to udisks-1.0.4

(cherry picked from commit 3b1f9899618f81794ce8b88fe4eaa867e549eb06)
---
 pkgs/os-specific/linux/udisks/1-default.nix | 2 +-
 pkgs/os-specific/linux/udisks/cve-2014-0004.patch | 82 +++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/os-specific/linux/udisks/cve-2014-0004.patch

(limited to 'pkgs/os-specific/linux/udisks')

diff --git a/pkgs/os-specific/linux/udisks/1-default.nix b/pkgs/os-specific/linux/udisks/1-default.nix
index 99506e81583..8c112417f0a 100644
--- a/pkgs/os-specific/linux/udisks/1-default.nix
+++ b/pkgs/os-specific/linux/udisks/1-default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 sha256 = "1xgqifddwaavmjc8c30i0mdffyirsld7c6qhfyjw7f9khwv8jjw5";
 };
 
- patches = [ ./purity.patch ./no-pci-db.patch ];
+ patches = [ ./purity.patch ./no-pci-db.patch ./cve-2014-0004.patch ];
 
 postPatch =
 ''
diff --git a/pkgs/os-specific/linux/udisks/cve-2014-0004.patch b/pkgs/os-specific/linux/udisks/cve-2014-0004.patch
new file mode 100644
index 00000000000..ce907507538
--- /dev/null
+++ b/pkgs/os-specific/linux/udisks/cve-2014-0004.patch
@@ -0,0 +1,82 @@
+commit ebf61ed8471a45cf8bce7231de00cb1bbc140708
+Author: Martin Pitt
+Date: Wed Mar 5 14:07:44 2014 +0100
+
+ Fix buffer overflow in mount path parsing
+
+ In the mount monitor we parse mount points from /proc/self/mountinfo. Ensure
+ that we don't overflow the buffers on platforms where mount paths could be
+ longer than PATH_MAX (unknown if that can actually happen), as at least the
+ mount paths for hotpluggable devices are somewhat user-controlled.
+
+ Thanks to Florian Weimer for discovering this bug, and to David Zeuthen
+ for his initial patch!
+
+ CVE-2014-0004
+
+Index: udisks-1.0.4/src/mount-monitor.c
+===================================================================
+--- udisks-1.0.4.orig/src/mount-monitor.c 2011-08-25 20:27:33.000000000 +0200
++++ udisks-1.0.4/src/mount-monitor.c 2014-03-10 13:38:18.309406561 +0100
+@@ -39,6 +39,11 @@
+ #include "mount.h"
+ #include "private.h"
+
++/* build a %Ns format string macro with N == PATH_MAX */
++#define xstr(s) str(s)
++#define str(s) #s
++#define PATH_MAX_FMT "%" xstr(PATH_MAX) "s"
++
+ /*--------------------------------------------------------------------------------------------------------------*/
+
+ enum
+@@ -320,8 +325,8 @@ mount_monitor_ensure (MountMonitor *moni
+ guint mount_id;
+ guint parent_id;
+ guint major, minor;
+- gchar encoded_root[PATH_MAX];
+- gchar encoded_mount_point[PATH_MAX];
++ gchar encoded_root[PATH_MAX + 1];
++ gchar encoded_mount_point[PATH_MAX + 1];
+ gchar *mount_point;
+ dev_t dev;
+
+@@ -329,7 +334,7 @@ mount_monitor_ensure (MountMonitor *moni
+ continue;
+
+ if (sscanf (lines[n],
+- "%d %d %d:%d %s %s",
++ "%d %d %d:%d " PATH_MAX_FMT " " PATH_MAX_FMT,
+ &mount_id,
+ &parent_id,
+ &major,
+@@ -340,6 +345,8 @@ mount_monitor_ensure (MountMonitor *moni
+ g_warning ("Error parsing line '%s'", lines[n]);
+ continue;
+ }
++ encoded_root[sizeof encoded_root - 1] = '\0';
++ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+
+ /* ignore mounts where only
a subtree of a filesystem is mounted */
+ if (g_strcmp0 (encoded_root, "/") != 0)
+@@ -358,15 +365,17 @@ mount_monitor_ensure (MountMonitor *moni
+ sep = strstr (lines[n], " - ");
+ if (sep != NULL)
+ {
+- gchar fstype[PATH_MAX];
+- gchar mount_source[PATH_MAX];
++ gchar fstype[PATH_MAX + 1];
++ gchar mount_source[PATH_MAX + 1];
+ struct stat statbuf;
+
+- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
++ if (sscanf (sep + 3, PATH_MAX_FMT " " PATH_MAX_FMT, fstype, mount_source) != 2)
+ {
+ g_warning ("Error parsing things past - for '%s'", lines[n]);
+ continue;
+ }
++ fstype[sizeof fstype - 1] = '\0';
++ mount_source[sizeof mount_source - 1] = '\0';
+
+ if (g_strcmp0 (fstype, "btrfs") != 0)
+ continue;
--
cgit 1.4.1
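Review bot: Both bounded sscanf calls in mount_monitor_ensure now truncate silently instead of overflowing: a field longer than PATH_MAX is cut at PATH_MAX characters, and because the space in the format also matches zero whitespace, the rest of that token is consumed as the next field while sscanf still returns the expected count. An over-long encoded mount point or mount source is therefore accepted in shortened form and an over-long first field shifts its tail into the second, so I would treat a completely filled buffer as a parse error, e.g. `if (strlen (encoded_root) == PATH_MAX || strlen (encoded_mount_point) == PATH_MAX) continue;` after the first parse and the equivalent test on fstype and mount_source after the second. The explicit `'\0'` stores are harmless but redundant, since a `%Ns` conversion always terminates what it writes. PATH_MAX_FMT only yields a valid format when PATH_MAX expands to a bare decimal literal, which is worth stating in the comment above the macro. The body of mount_monitor_ensure starts and ends outside the inner hunks, so how mount_point is used afterwards is not visible here.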