Unfortunately, the saga continues. Your /shm/ check doesn't do anything, because, as it turns out, since you realpath twice, I don't need to use /shm/ at all! Your code is still broken. Giving up should still be an option on the table for you. In case, however, you've become determined and still want to fix things, I've traced through the code for your recent commit showing you where and how things are broken.

/tmp/burrito is a file

argv[2] = /tmp/burrito

    if (strncmp(action, "mount", 5) == 0) {
        dev = realpath(argv[2], NULL);

dev = /tmp/burrito

        if (dev == NULL) {
            fprintf(stderr, "Failed to resolve device node.\n");
            exit(EXIT_FAILURE);
        }

        check_dev(dev);

    void check_dev(const char *dev) {

dev = /tmp/burrito

        char buffer[PATH_MAX+1];
        struct stat file_info;

        if (dev == NULL || strlen(dev) < strlen(DEV)) {
            fprintf(stderr, "Invalid arguments\n");
            exit(EXIT_FAILURE);
        }

JUST BEFORE this next line, we modify /tmp/burrito so that it points to /dev/sda

/tmp/burrito = -->/dev/sda

        if (realpath(dev, buffer) == NULL) {
            fprintf(stderr, "Unable to resolve dev path\n");
            exit(EXIT_FAILURE);
        }

buffer = /dev/sda

        if (strncmp(DEV, buffer, strlen(DEV)) != 0) {
            fprintf(stderr, "Trying to operate on a dev node not under /dev\n");
            exit(EXIT_FAILURE);
        }

this last block passes!

        if (stat(dev, &file_info) != 0) {
            fprintf(stderr, "stat call on dev node failed\n");
            exit(EXIT_FAILURE);
        }

        if (strstr(dev, "/shm/") != NULL) {
            fprintf(stderr, "naughty, naughty!\n");
            exit(EXIT_FAILURE);
        }

dev doesn't contain /shm/, since it's /tmp/burrito

        if (!S_ISBLK(file_info.st_mode)) {
            fprintf(stderr, "dev node is not a block device\n");
            exit(EXIT_FAILURE);
        }

stat follows the link, so it sees /dev/sda which is a block device, so this passes

    }

:-)

As well, the problem presented in .70-Calibrer HAS NOT BEEN FIXED. You can still mount over /etc/pam.d or wherever due to the still existing race there. Implement the chdir logic that I've outlined above. Then, just after this code block, change /tmp/burrito to point to anything -- any file image at all. No shm needed :-).

** Changed in: calibre
       Status: Fix Released => Confirmed

https://bugs.launchpad.net/bugs/885027

Title: SUID Mount Helper has 5 Major Vulnerabilities
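
The device check traced in the message above fails because the name is looked up again at every step (realpath, then stat), so each check can see a different object. The following is an added example, not part of the original message and not calibre's code: it opens the argument once and runs both the /dev/ prefix check and the block-device check against that descriptor. It assumes Linux with /proc mounted; `open_checked_dev` and the `DEV_E*` codes are hypothetical names, and it covers only the device check, not the mount-point race the message also mentions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* readlink() and S_ISBLK under strict -std */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEV "/dev/"              /* same prefix rule as the quoted check_dev() */
enum { DEV_EOPEN = -1, DEV_ENOTDEV = -2, DEV_ENOTBLK = -3 };

/* Hypothetical helper. On success returns an open fd and writes
 * "/proc/self/fd/N" to fd_path; the caller mounts that name, so the
 * object that was checked is the object that gets mounted. */
int open_checked_dev(const char *arg, char *fd_path, size_t len)
{
    char real[PATH_MAX + 1];
    struct stat st;
    ssize_t n;
    int fd;
    /* The only lookup of the caller-supplied name; re-pointing it later changes nothing. */
    fd = arg ? open(arg, O_RDONLY | O_NONBLOCK | O_NOCTTY) : -1;
    if (fd < 0)
        return DEV_EOPEN;
    /* Ask the kernel where the opened object lives, then apply the prefix rule. */
    snprintf(fd_path, len, "/proc/self/fd/%d", fd);
    n = readlink(fd_path, real, PATH_MAX);
    if (n >= 0)
        real[n] = '\0';
    if (n < 0 || strncmp(DEV, real, strlen(DEV)) != 0) {
        close(fd);
        return DEV_ENOTDEV;
    }
    /* fstat() inspects the descriptor, not a name that can be re-pointed. */
    if (fstat(fd, &st) != 0 || !S_ISBLK(st.st_mode)) {
        close(fd);
        return DEV_ENOTBLK;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char fd_path[64];
    int rc = open_checked_dev(argc > 1 ? argv[1] : NULL, fd_path, sizeof fd_path);
    printf("%s\n", rc >= 0 ? fd_path : "rejected");
    return rc >= 0 ? 0 : 1;
}
```

The descriptor has to stay open until the mount has been performed, because the /proc/self/fd/N name is only valid while it is.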