forked from pool/util-linux
80e621960b
- Do not try to unregister an info file (ipc.info.gz) which we do not own. Already in May 2011, we stopped registering it: "do not register ipc.info.gz (not provided by this package)". - libblkid: care about unsafe chars and possible buffer overflow in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch, util-linux-libblkid-overflow.patch, bsc#907434) - Update to version 2.25.2: mostly minor fixes (including boo#908742) - re-enable utmpdump and ipcs tests for all archs - Use util-linux:/bin/logger as split-provide, /usr/lib/systemd/system/fstrim.service didn't exist in 13.1 - Do not try to unregister an info file (ipc.info.gz) which we do not own. Already in May 2011, we stopped registering it: "do not register ipc.info.gz (not provided by this package)". - libblkid: care about unsafe chars and possible buffer overflow in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch, util-linux-libblkid-overflow.patch, bsc#907434) - Update to version 2.25.2: mostly minor fixes (including boo#908742) - re-enable utmpdump and ipcs tests for all archs - Use util-linux:/bin/logger as split-provide, /usr/lib/systemd/system/fstrim.service didn't exist in 13.1 OBS-URL: https://build.opensuse.org/request/show/285829 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/util-linux?expand=0&rev=197
168 lines
4.6 KiB
Diff
168 lines
4.6 KiB
Diff
From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
|
|
From: Karel Zak <kzak@redhat.com>
|
|
Date: Thu, 27 Nov 2014 13:39:35 +0100
|
|
Subject: [PATCH] libblkid: care about unsafe chars in cache
|
|
|
|
The high-level libblkid API uses /run/blkid/blkid.tab cache to
|
|
store probing results. The cache format is
|
|
|
|
<device NAME="value" ...>devname</device>
|
|
|
|
and unfortunately the cache code does not escape quotation marks:
|
|
|
|
# mkfs.ext4 -L 'AAA"BBB'
|
|
|
|
# cat /run/blkid/blkid.tab
|
|
...
|
|
<device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
|
|
|
|
such string is later incorrectly parsed and blkid(8) returns
|
|
nonsenses. And for use-cases like
|
|
|
|
# eval $(blkid -o export /dev/sdb1)
|
|
|
|
it's also insecure.
|
|
|
|
Note that mount, udevd and blkid -p are based on low-level libblkid
|
|
API, it bypass the cache and directly read data from the devices.
|
|
|
|
The current udevd upstream does not depend on blkid(8) output at all,
|
|
it's directly linked with the library and all unsafe chars are encoded by
|
|
\x<hex> notation.
|
|
|
|
# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
|
|
# udevadm info --export-db | grep LABEL
|
|
...
|
|
E: ID_FS_LABEL=X__/tmp/foo___
|
|
E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
|
|
|
|
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
---
|
|
libblkid/src/read.c | 21 ++++++++++++++++++---
|
|
libblkid/src/save.c | 22 +++++++++++++++++++++-
|
|
misc-utils/blkid.8 | 5 ++++-
|
|
misc-utils/blkid.c | 4 ++--
|
|
4 files changed, 45 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/libblkid/src/read.c b/libblkid/src/read.c
|
|
index 0e91c9c..81ab0df 100644
|
|
--- a/libblkid/src/read.c
|
|
+++ b/libblkid/src/read.c
|
|
@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp)
|
|
*value = skip_over_blank(*value + 1);
|
|
|
|
if (**value == '"') {
|
|
- end = strchr(*value + 1, '"');
|
|
- if (!end) {
|
|
+ char *p = end = *value + 1;
|
|
+
|
|
+ /* convert 'foo\"bar' to 'foo"bar' */
|
|
+ while (*p) {
|
|
+ if (*p == '\\') {
|
|
+ p++;
|
|
+ *end = *p;
|
|
+ } else {
|
|
+ *end = *p;
|
|
+ if (*p == '"')
|
|
+ break;
|
|
+ }
|
|
+ p++;
|
|
+ end++;
|
|
+ }
|
|
+
|
|
+ if (*end != '"') {
|
|
DBG(READ, ul_debug("unbalanced quotes at: %s", *value));
|
|
*cp = *value;
|
|
return -BLKID_ERR_CACHE;
|
|
}
|
|
(*value)++;
|
|
*end = '\0';
|
|
- end++;
|
|
+ end = ++p;
|
|
} else {
|
|
end = skip_over_word(*value);
|
|
if (*end) {
|
|
diff --git a/libblkid/src/save.c b/libblkid/src/save.c
|
|
index 8216f09..5e8bbee 100644
|
|
--- a/libblkid/src/save.c
|
|
+++ b/libblkid/src/save.c
|
|
@@ -26,6 +26,21 @@
|
|
|
|
#include "blkidP.h"
|
|
|
|
+
|
|
+static void save_quoted(const char *data, FILE *file)
|
|
+{
|
|
+ const char *p;
|
|
+
|
|
+ fputc('"', file);
|
|
+ for (p = data; p && *p; p++) {
|
|
+ if ((unsigned char) *p == 0x22 || /* " */
|
|
+ (unsigned char) *p == 0x5c) /* \ */
|
|
+ fputc('\\', file);
|
|
+
|
|
+ fputc(*p, file);
|
|
+ }
|
|
+ fputc('"', file);
|
|
+}
|
|
static int save_dev(blkid_dev dev, FILE *file)
|
|
{
|
|
struct list_head *p;
|
|
@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file)
|
|
|
|
if (dev->bid_pri)
|
|
fprintf(file, " PRI=\"%d\"", dev->bid_pri);
|
|
+
|
|
list_for_each(p, &dev->bid_tags) {
|
|
blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
|
|
- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
|
|
+
|
|
+ fputc(' ', file); /* space between tags */
|
|
+ fputs(tag->bit_name, file); /* tag NAME */
|
|
+ fputc('=', file); /* separator between NAME and VALUE */
|
|
+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
|
|
}
|
|
fprintf(file, ">%s</device>\n", dev->bid_name);
|
|
|
|
diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8
|
|
index 156a14b..c95b833 100644
|
|
--- a/misc-utils/blkid.8
|
|
+++ b/misc-utils/blkid.8
|
|
@@ -200,7 +200,10 @@ partitions. This output format is \fBDEPRECATED\fR.
|
|
.TP
|
|
.B export
|
|
print key=value pairs for easy import into the environment; this output format
|
|
-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
|
|
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
|
|
+
|
|
+The non-printing characters are encoded by ^ and M- notation and all
|
|
+potentially unsafe characters are escaped.
|
|
.RE
|
|
.TP
|
|
.BI \-O " offset"
|
|
diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
|
|
index a6ca660..1bd8646 100644
|
|
--- a/misc-utils/blkid.c
|
|
+++ b/misc-utils/blkid.c
|
|
@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname,
|
|
printf("DEVNAME=%s\n", devname);
|
|
fputs(name, stdout);
|
|
fputs("=", stdout);
|
|
- safe_print(value, valsz, NULL);
|
|
+ safe_print(value, valsz, " \\\"'$`<>");
|
|
fputs("\n", stdout);
|
|
|
|
} else {
|
|
@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname,
|
|
fputs(" ", stdout);
|
|
fputs(name, stdout);
|
|
fputs("=\"", stdout);
|
|
- safe_print(value, valsz, "\"");
|
|
+ safe_print(value, valsz, "\"\\");
|
|
fputs("\"", stdout);
|
|
}
|
|
}
|
|
--
|
|
2.2.2
|
|
|