Bug#786475: ntfs-3g: CVE-2015-3202

Thu, 21 May 2015 21:51:36 -0700 

Source: ntfs-3g
Version: 1:2013.1.13AR.3-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi Laszlo

ntfs-3g in jessie and above is similarly affected by CVE-2015-3202
since ntfs-3g since 1:2013.1.13AR.3-2 builds with internal fuse copy.

The patch I have used to prepare the updates for jessie is attached.

ntfs-3g though should try to use the system fuse and not the embedded
copy, could you check to switch this back?

Regards,
Salvatore

Description: Fix CVE-2015-3202
 Missing scrubbing of the environment before executing a mount or umount
 of a filesystem.
Origin: backport
Author: Miklos Szeredi <mik...@szeredi.hu>
Last-Update: 2015-05-19

---
 lib/mount_util.c |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/libfuse-lite/mount_util.c
+++ b/libfuse-lite/mount_util.c
@@ -66,6 +66,7 @@ int fuse_mnt_add_mount(const char *progn
         return -1;
     }
     if (res == 0) {
+        char *env = NULL;
         char templ[] = "/tmp/fusermountXXXXXX";
         char *tmp;
 
@@ -87,8 +88,8 @@ int fuse_mnt_add_mount(const char *progn
             exit(1);
         }
         rmdir(tmp);
-        execl("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts,
-              fsname, mnt, NULL);
+        execle("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts,
+              fsname, mnt, NULL, &env);
         fprintf(stderr, "%s: failed to execute /sbin/mount: %s\n", progname,
                 strerror(errno));
         exit(1);
@@ -120,9 +121,16 @@ int fuse_mnt_umount(const char *progname
         return -1;
     }
     if (res == 0) {
+        char *env = NULL;
+
         setuid(geteuid());
-        execl("/sbin/umount", "/sbin/umount", !lazy ? "-f" : NULL, mnt,
-              NULL);
+        if (!lazy) {
+                execle("/sbin/umount", "/sbin/umount", "-f", mnt,
+                       NULL, &env);
+        } else {
+                execle("/sbin/umount", "/sbin/umount", mnt,
+                       NULL, &env);
+        }
         fprintf(stderr, "%s: failed to execute /sbin/umount: %s\n", progname,
                 strerror(errno));
         exit(1);
@@ -302,6 +310,7 @@ int fuse_mnt_add_mount(const char *progn
         return 0;
     }
     if (res == 0) {
+        char *env = NULL;
         char templ[] = "/tmp/fusermountXXXXXX";
         char *tmp;
 
@@ -325,8 +334,8 @@ int fuse_mnt_add_mount(const char *progn
             exit(1);
         }
         rmdir(tmp);
-        execl("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts,
-              fsname, mnt, NULL);
+        execle("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts,
+              fsname, mnt, NULL, &env);
         fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", progname,
                 strerror(errno));
         exit(1);

Reply via email to