summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTom Callaway <spot@fedoraproject.org>2009-08-17 17:22:13 (GMT)
committerTom Callaway <spot@fedoraproject.org>2009-08-17 17:22:13 (GMT)
commit0e0a24209f58b5fba33c99d5f1a86c76a1ff7c4a (patch)
treed0560b96263c1000d40bcc56034dbc94b426c168
parent1aa268285ea2d5f14e7fbd4c4688122171b2fc2d (diff)
downloadafuse-0e0a24209f58b5fba33c99d5f1a86c76a1ff7c4a.zip
afuse-0e0a24209f58b5fba33c99d5f1a86c76a1ff7c4a.tar.gz
afuse-0e0a24209f58b5fba33c99d5f1a86c76a1ff7c4a.tar.xz
fix CVE-2008-2232afuse-0_2-4_fc10
-rw-r--r--afuse-template-tokenize.patch214
-rw-r--r--afuse.spec14
2 files changed, 227 insertions, 1 deletions
diff --git a/afuse-template-tokenize.patch b/afuse-template-tokenize.patch
new file mode 100644
index 0000000..914400e
--- /dev/null
+++ b/afuse-template-tokenize.patch
@@ -0,0 +1,214 @@
+diff -ur afuse-0.2.orig/src/afuse.c afuse-0.2/src/afuse.c
+--- afuse-0.2.orig/src/afuse.c 2008-02-18 17:16:32.000000000 -0500
++++ afuse-0.2/src/afuse.c 2008-07-10 21:50:06.000000000 -0400
+@@ -280,14 +280,19 @@
+ }
+
+
+-// !!FIXME!! allow escaping of %'s
+ // Note: this method strips out quotes and applies them itself as should be appropriate
+-char *expand_template(const char *template, const char *mount_point, const char *root_name)
++bool run_template(const char *template, const char *mount_point, const char *root_name)
+ {
+ int len = 0;
++ int nargs = 1;
+ int i;
+- char *expanded_name;
+- char *expanded_name_start;
++ char *buf;
++ char *p;
++ char **args;
++ char **arg;
++ bool quote = false;
++ pid_t pid;
++ int status;
+
+ // calculate length
+ for(i = 0; template[i]; i++)
+@@ -295,53 +300,100 @@
+ switch(template[i + 1])
+ {
+ case 'm':
+- len += strlen(mount_point) + 2;
++ len += strlen(mount_point);
+ i++;
+ break;
+ case 'r':
+- len += strlen(root_name) + 2;
++ len += strlen(root_name);
++ i++;
++ break;
++ case '%':
++ len++;
+ i++;
+ break;
+ }
+- } else if(template[i] != '"')
++ } else if(template[i] == ' ' && !quote) {
++ len++;
++ nargs++;
++ } else if(template[i] == '"')
++ quote = !quote;
++ else if(template[i] == '\\' && template[i + 1])
++ len++, i++;
++ else
+ len++;
+
+- expanded_name_start = expanded_name = my_malloc(len + 1);
++ buf = my_malloc(len + 1);
++ args = my_malloc((nargs + 1) * sizeof(*args));
++
++ p = buf;
++ arg = args;
++ *arg++ = p;
+
+ for(i = 0; template[i]; i++)
+ if(template[i] == '%') {
+- int j = 0;
+ switch(template[i + 1])
+ {
+ case 'm':
+- *expanded_name++ = '"';
+- while(mount_point[j])
+- *expanded_name++ = mount_point[j++];
+- *expanded_name++ = '"';
++ strcpy(p, mount_point);
++ p += strlen(mount_point);
+ i++;
+ break;
+ case 'r':
+- *expanded_name++ = '"';
+- while(root_name[j])
+- *expanded_name++ = root_name[j++];
+- *expanded_name++ = '"';
++ strcpy(p, root_name);
++ p += strlen(root_name);
++ i++;
++ break;
++ case '%':
++ *p++ = '%';
+ i++;
+ break;
+ }
+- } else if(template[i] != '"')
+- *expanded_name++ = template[i];
+-
+- *expanded_name = '\0';
+-
+- return expanded_name_start;
++ } else if(template[i] == ' ' && !quote) {
++ *p++ = '\0';
++ *arg++ = p;
++ } else if(template[i] == '"')
++ quote = !quote;
++ else if(template[i] == '\\' && template[i + 1])
++ *p++ = template[++i];
++ else
++ *p++ = template[i];
++
++ *p = '\0';
++ *arg = NULL;
++
++ pid = fork();
++ if(pid == -1) {
++ fprintf(stderr, "Failed to fork (%s)\n", strerror(errno));
++ free(args);
++ free(buf);
++ return false;
++ }
++ if(pid == 0) {
++ execvp(args[0], args);
++ abort();
++ }
++ pid = waitpid(pid, &status, 0);
++ if(pid == -1) {
++ fprintf(stderr, "Failed to waitpid (%s)\n", strerror(errno));
++ free(args);
++ free(buf);
++ return false;
++ }
++ if(!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
++ fprintf(stderr, "Failed to invoke command: %s\n", args[0]);
++ free(args);
++ free(buf);
++ return false;
++ }
++ free(args);
++ free(buf);
++ return true;
+ }
+
+ mount_list_t *do_mount(const char *root_name)
+ {
+ char *mount_point;
+- char *mount_command;
+ mount_list_t *mount;
+- int sysret;
+
+ fprintf(stderr, "Mounting: %s\n", root_name);
+
+@@ -351,57 +403,33 @@
+ return NULL;
+ }
+
+- mount_command = expand_template(user_options.mount_command_template,
+- mount_point, root_name);
+- sysret = system(mount_command);
+-
+- fprintf(stderr, "sysret: %.8x\n", sysret);
+-
+- if(sysret) {
+- fprintf(stderr, "Failed to invoke mount command: '%s' (%s)\n",
+- mount_command, sysret != -1 ?
+- "Error executing mount" :
+- strerror(errno));
+-
++ if(!run_template(user_options.mount_command_template,
++ mount_point, root_name)) {
+ // remove the now unused directory
+ if( rmdir(mount_point) == -1 )
+ fprintf(stderr, "Failed to remove mount point dir: %s (%s)",
+ mount_point, strerror(errno));
+
+- free(mount_command);
+ free(mount_point);
+ return NULL;
+ }
+
+ mount = add_mount(root_name, mount_point);
+-
+- free(mount_command);
+ return mount;
+ }
+
+ int do_umount(mount_list_t *mount)
+ {
+- char *unmount_command;
+- int sysret;
+-
+ fprintf(stderr, "Unmounting: %s\n", mount->root_name);
+
+- unmount_command = expand_template(user_options.unmount_command_template,
+- mount->mount_point, mount->root_name);
+- sysret = system(unmount_command);
+- if(sysret) {
+- fprintf(stderr, "Failed to invoke unmount command: '%s' (%s)\n",
+- unmount_command, sysret != -1 ?
+- "Error executing mount" :
+- strerror(errno));
+- /* Still unmount anyway */
+- }
++ run_template(user_options.unmount_command_template,
++ mount->mount_point, mount->root_name);
++ /* Still unmount anyway */
+
+ if( rmdir(mount->mount_point) == -1 )
+ fprintf(stderr, "Failed to remove mount point dir: %s (%s)",
+ mount->mount_point, strerror(errno));
+ remove_mount(mount);
+- free(unmount_command);
+ return 1;
+ }
+
+
+
diff --git a/afuse.spec b/afuse.spec
index ef4b8f6..f5a284e 100644
--- a/afuse.spec
+++ b/afuse.spec
@@ -1,13 +1,15 @@
Name: afuse
Summary: An automounter implemented with FUSE
Version: 0.2
-Release: 1%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source0: http://downloads.sourceforge.net/afuse/%{name}-%{version}.tar.gz
URL: http://afuse.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: fuse-devel
+# fix CVE-2008-2232
+Patch0: afuse-template-tokenize.patch
%description
Afuse is an automounting file system implemented in user-space using FUSE.
@@ -20,6 +22,7 @@ with an error.
%prep
%setup -q
+%patch0 -p1 -b .CVS-2008-2232
%build
%configure
@@ -38,5 +41,14 @@ rm -rf %{buildroot}
%{_bindir}/afuse
%changelog
+* Mon Aug 17 2009 Tom "spot" Callaway <tcallawa@redhat.com> - 0.2-4
+- fix CVS-2008-2232
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
* Fri Nov 21 2008 Tom "spot" Callaway <tcallawa@redhat.com> 0.2-1
- Initial package for Fedora