rpms/afuse/devel afuse-template-tokenize.patch, NONE, 1.1 afuse.spec, 1.3, 1.4
Tom Callaway
spot at fedoraproject.org
Mon Aug 17 17:22:13 UTC 2009
- Previous message (by thread): rpms/afuse/F-11 afuse-template-tokenize.patch, NONE, 1.1 afuse.spec, 1.2, 1.3
- Next message (by thread): rpms/python-netaddr/devel .cvsignore, 1.10, 1.11 python-netaddr.spec, 1.15, 1.16 sources, 1.10, 1.11
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: spot
Update of /cvs/pkgs/rpms/afuse/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29623/devel
Modified Files:
afuse.spec
Added Files:
afuse-template-tokenize.patch
Log Message:
fix CVE-2008-2232
afuse-template-tokenize.patch:
afuse.c | 136 ++++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 82 insertions(+), 54 deletions(-)
--- NEW FILE afuse-template-tokenize.patch ---
diff -ur afuse-0.2.orig/src/afuse.c afuse-0.2/src/afuse.c
--- afuse-0.2.orig/src/afuse.c 2008-02-18 17:16:32.000000000 -0500
+++ afuse-0.2/src/afuse.c 2008-07-10 21:50:06.000000000 -0400
@@ -280,14 +280,19 @@
}
-// !!FIXME!! allow escaping of %'s
// Note: this method strips out quotes and applies them itself as should be appropriate
-char *expand_template(const char *template, const char *mount_point, const char *root_name)
+bool run_template(const char *template, const char *mount_point, const char *root_name)
{
int len = 0;
+ int nargs = 1;
int i;
- char *expanded_name;
- char *expanded_name_start;
+ char *buf;
+ char *p;
+ char **args;
+ char **arg;
+ bool quote = false;
+ pid_t pid;
+ int status;
// calculate length
for(i = 0; template[i]; i++)
@@ -295,53 +300,100 @@
switch(template[i + 1])
{
case 'm':
- len += strlen(mount_point) + 2;
+ len += strlen(mount_point);
i++;
break;
case 'r':
- len += strlen(root_name) + 2;
+ len += strlen(root_name);
+ i++;
+ break;
+ case '%':
+ len++;
i++;
break;
}
- } else if(template[i] != '"')
+ } else if(template[i] == ' ' && !quote) {
+ len++;
+ nargs++;
+ } else if(template[i] == '"')
+ quote = !quote;
+ else if(template[i] == '\\' && template[i + 1])
+ len++, i++;
+ else
len++;
- expanded_name_start = expanded_name = my_malloc(len + 1);
+ buf = my_malloc(len + 1);
+ args = my_malloc((nargs + 1) * sizeof(*args));
+
+ p = buf;
+ arg = args;
+ *arg++ = p;
for(i = 0; template[i]; i++)
if(template[i] == '%') {
- int j = 0;
switch(template[i + 1])
{
case 'm':
- *expanded_name++ = '"';
- while(mount_point[j])
- *expanded_name++ = mount_point[j++];
- *expanded_name++ = '"';
+ strcpy(p, mount_point);
+ p += strlen(mount_point);
i++;
break;
case 'r':
- *expanded_name++ = '"';
- while(root_name[j])
- *expanded_name++ = root_name[j++];
- *expanded_name++ = '"';
+ strcpy(p, root_name);
+ p += strlen(root_name);
+ i++;
+ break;
+ case '%':
+ *p++ = '%';
i++;
break;
}
- } else if(template[i] != '"')
- *expanded_name++ = template[i];
-
- *expanded_name = '\0';
-
- return expanded_name_start;
+ } else if(template[i] == ' ' && !quote) {
+ *p++ = '\0';
+ *arg++ = p;
+ } else if(template[i] == '"')
+ quote = !quote;
+ else if(template[i] == '\\' && template[i + 1])
+ *p++ = template[++i];
+ else
+ *p++ = template[i];
+
+ *p = '\0';
+ *arg = NULL;
+
+ pid = fork();
+ if(pid == -1) {
+ fprintf(stderr, "Failed to fork (%s)\n", strerror(errno));
+ free(args);
+ free(buf);
+ return false;
+ }
+ if(pid == 0) {
+ execvp(args[0], args);
+ abort();
+ }
+ pid = waitpid(pid, &status, 0);
+ if(pid == -1) {
+ fprintf(stderr, "Failed to waitpid (%s)\n", strerror(errno));
+ free(args);
+ free(buf);
+ return false;
+ }
+ if(!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+ fprintf(stderr, "Failed to invoke command: %s\n", args[0]);
+ free(args);
+ free(buf);
+ return false;
+ }
+ free(args);
+ free(buf);
+ return true;
}
mount_list_t *do_mount(const char *root_name)
{
char *mount_point;
- char *mount_command;
mount_list_t *mount;
- int sysret;
fprintf(stderr, "Mounting: %s\n", root_name);
@@ -351,57 +403,33 @@
return NULL;
}
- mount_command = expand_template(user_options.mount_command_template,
- mount_point, root_name);
- sysret = system(mount_command);
-
- fprintf(stderr, "sysret: %.8x\n", sysret);
-
- if(sysret) {
- fprintf(stderr, "Failed to invoke mount command: '%s' (%s)\n",
- mount_command, sysret != -1 ?
- "Error executing mount" :
- strerror(errno));
-
+ if(!run_template(user_options.mount_command_template,
+ mount_point, root_name)) {
// remove the now unused directory
if( rmdir(mount_point) == -1 )
fprintf(stderr, "Failed to remove mount point dir: %s (%s)",
mount_point, strerror(errno));
- free(mount_command);
free(mount_point);
return NULL;
}
mount = add_mount(root_name, mount_point);
-
- free(mount_command);
return mount;
}
int do_umount(mount_list_t *mount)
{
- char *unmount_command;
- int sysret;
-
fprintf(stderr, "Unmounting: %s\n", mount->root_name);
- unmount_command = expand_template(user_options.unmount_command_template,
- mount->mount_point, mount->root_name);
- sysret = system(unmount_command);
- if(sysret) {
- fprintf(stderr, "Failed to invoke unmount command: '%s' (%s)\n",
- unmount_command, sysret != -1 ?
- "Error executing mount" :
- strerror(errno));
- /* Still unmount anyway */
- }
+ run_template(user_options.unmount_command_template,
+ mount->mount_point, mount->root_name);
+ /* Still unmount anyway */
if( rmdir(mount->mount_point) == -1 )
fprintf(stderr, "Failed to remove mount point dir: %s (%s)",
mount->mount_point, strerror(errno));
remove_mount(mount);
- free(unmount_command);
return 1;
}
Index: afuse.spec
===================================================================
RCS file: /cvs/pkgs/rpms/afuse/devel/afuse.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- afuse.spec 24 Jul 2009 16:37:51 -0000 1.3
+++ afuse.spec 17 Aug 2009 17:22:13 -0000 1.4
@@ -1,13 +1,15 @@
Name: afuse
Summary: An automounter implemented with FUSE
Version: 0.2
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source0: http://downloads.sourceforge.net/afuse/%{name}-%{version}.tar.gz
URL: http://afuse.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: fuse-devel
+# fix CVE-2008-2232
+Patch0: afuse-template-tokenize.patch
%description
Afuse is an automounting file system implemented in user-space using FUSE.
@@ -20,6 +22,7 @@ with an error.
%prep
%setup -q
+%patch0 -p1 -b .CVS-2008-2232
%build
%configure
@@ -38,6 +41,9 @@ rm -rf %{buildroot}
%{_bindir}/afuse
%changelog
+* Mon Aug 17 2009 Tom "spot" Callaway <tcallawa at redhat.com> - 0.2-4
+- fix CVS-2008-2232
+
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
- Previous message (by thread): rpms/afuse/F-11 afuse-template-tokenize.patch, NONE, 1.1 afuse.spec, 1.2, 1.3
- Next message (by thread): rpms/python-netaddr/devel .cvsignore, 1.10, 1.11 python-netaddr.spec, 1.15, 1.16 sources, 1.10, 1.11
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list