Accepting request 355042 from security

- validate-mount-destination-fs-type.patch: A local user could have escalated privileges by mounting over special filesystems (bsc#962052 CVE-2016-1572) (forwarded request 355041 from msmeissn) OBS-URL: https://build.opensuse.org/request/show/355042 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ecryptfs-utils?expand=0&rev=47
2016-01-23 00:16:28 +00:00 · 2016-01-23 00:16:28 +00:00 · 4b2074c1b0
commit 4b2074c1b0
parent 1b5f539c9d c30b7d87e6
3 changed files with 113 additions and 1 deletions
--- a/ecryptfs-utils.changes
+++ b/ecryptfs-utils.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Wed Jan 20 16:31:19 UTC 2016 - meissner@suse.com
 - validate-mount-destination-fs-type.patch: A local user could have
  escalated privileges by mounting over special filesystems (bsc#962052
  CVE-2016-1572)
 -------------------------------------------------------------------
 Sat Oct 17 08:13:38 UTC 2015 - mpluskal@suse.com
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ecryptfs-utils
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -31,6 +31,7 @@ Source2:        ecryptfs-mount-private.png
 Patch0:         ecryptfs-setup-swap-SuSE.patch
 # PATCH-FIX-OPENSUSE build with -fpie/-pie
 Patch1:         ecryptfs-utils-src-utils-Makefile.patch
 Patch2:         validate-mount-destination-fs-type.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -76,6 +77,7 @@ A stacked cryptographic filesystem for Linux.
 %setup -q
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} -fno-strict-aliasing"
--- a/validate-mount-destination-fs-type.patch
+++ b/validate-mount-destination-fs-type.patch
@ -0,0 +1,103 @@
 From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
 From: Tyler Hicks <tyhicks@canonical.com>
 Date: Thu, 7 Jan 2016 19:39:14 -0600
 Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
 Refuse to mount over non-standard filesystems. Mounting over
 certain types filesystems is a red flag that the user is doing
 something devious, such as mounting over the /proc/self symlink
 target with malicious content in order to confuse programs that may
 attempt to parse those files. (LP: #1530566)
 https://launchpad.net/bugs/1530566
 ---
 debian/changelog                   |  8 +++++
 src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 Index: ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c
 ===================================================================
 --- ecryptfs-utils-108.orig/src/utils/mount.ecryptfs_private.c
 +++ ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c
@@ -30,6 +30,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 +#include <sys/vfs.h>
 #include <ctype.h>
 #include <errno.h>
 #include <keyutils.h>
@@ -220,6 +221,62 @@ err:
 	return NULL;
 }
 +static int check_cwd_f_type()
 +{
 +	/**
 +	 * This is *not* a list of compatible lower filesystems list for
 +	 * eCryptfs. This is a list of filesystems that we reasonably expect to
 +	 * see mount.ecryptfs_private users mounting on top of. In other words,
 +	 * the filesystem type of the 'target' parameter of mount(2).
 +	 *
 +	 * This whitelist is to prevent malicious mount.ecryptfs_private users
 +	 * from mounting over filesystem types such as PROC_SUPER_MAGIC to
 +	 * deceive other programs with a crafted /proc/self/*. See
 +	 * https://launchpad.net/bugs/1530566 for more details.
 +	 */
 +	__SWORD_TYPE f_type_whitelist[] = {
 +		0x61756673 /* AUFS_SUPER_MAGIC */,
 +		0x9123683E /* BTRFS_SUPER_MAGIC */,
 +		0x00C36400 /* CEPH_SUPER_MAGIC */,
 +		0xFF534D42 /* CIFS_MAGIC_NUMBER */,
 +		0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
 +		0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
 +		0xF2F52010 /* F2FS_SUPER_MAGIC */,
 +		0x65735546 /* FUSE_SUPER_MAGIC */,
 +		0x01161970 /* GFS2_MAGIC */,
 +		0x3153464A /* JFS_SUPER_MAGIC */,
 +		0x0000564C /* NCP_SUPER_MAGIC */,
 +		0x00006969 /* NFS_SUPER_MAGIC */,
 +		0x00003434 /* NILFS_SUPER_MAGIC */,
 +		0x5346544E /* NTFS_SB_MAGIC */,
 +		0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
 +		0x52654973 /* REISERFS_SUPER_MAGIC */,
 +		0x73717368 /* SQUASHFS_MAGIC */,
 +		0x01021994 /* TMPFS_MAGIC */,
 +		0x58465342 /* XFS_SB_MAGIC */,
 +		0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
 +	};
 +	struct statfs buf;
 +	size_t i, whitelist_len;
 +
 +	if (statfs(".", &buf) != 0) {
 +		fprintf(stderr, "Failed to check filesystem type: %m\n");
 +		return 1;
 +	}
 +
 +	whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
 +	for (i = 0; i < whitelist_len; i++) {
 +		if (buf.f_type == f_type_whitelist[i]) {
 +			return 0;
 +		}
 +	}
 +
 +	fprintf(stderr,
 +		"Refusing to mount over an unapproved filesystem type: %#lx\n",
 +		buf.f_type);
 +	return 1;
 +}
 +
 int check_ownership_mnt(uid_t uid, char **mnt) {
 /* Check ownership of mount point, chdir into it, and
  * canonicalize the path for use in mtab updating.
@@ -682,6 +739,10 @@ int main(int argc, char *argv[]) {
  		goto fail;
  	}
 +	if (check_cwd_f_type() != 0) {
 +		goto fail;
 +	}
 +
 	if (mounting == 1) {
 		/* Increment mount counter, errors non-fatal */
 		if (increment(fh_counter) < 0) {