Date: Wed, 26 Feb 2014 09:06:12 +0530
From: Huzaifa Sidhpurwala
Subject: [vs-plain] udisks/udisks2

Hello Vendors,

Florian Weimer of the Red Hat Product Security Team found a flaw in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root). This issue has been assigned CVE-2014-0004. We propose an un-embargo date 10-March-2014. Attached below is the proposed patch.

Regards,
Huzaifa Sidhpurwala / Red Hat Security Response Team.
---
 src/udisksmountmonitor.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
--- a/src/udisksmountmonitor.c
+++ a/src/udisksmountmonitor.c
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
 guint mount_id;
 guint parent_id;
 guint major, minor;
- gchar encoded_root[PATH_MAX];
- gchar encoded_mount_point[PATH_MAX];
+ gchar encoded_root[4096];
+ gchar encoded_mount_point[4096];
 gchar *mount_point;
 dev_t dev;
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
 continue;
 if (sscanf (lines[n],
- "%d %d %d:%d %s %s",
+ "%d %d %d:%d %4095s %4095s",
 &mount_id,
 &parent_id,
 &major,
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
 udisks_warning ("Error parsing line '%s'", lines[n]);
 continue;
 }
+ encoded_root[sizeof encoded_root - 1] = '\0';
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
 /* Temporary work-around for btrfs, see
 *
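Review bot: The array size 4096 here (and for fstype/mount_source in the hunk at line 452 and filename in the hunk at line 550) is a bare literal that has to agree by hand with the `%4095s` widths in the sscanf formats; changing one without the other either reopens the overflow or truncates early. A named constant makes that dependency visible, e.g. `enum { UDISKS_MOUNT_FIELD_MAX = 4096 };` and `gchar encoded_root[UDISKS_MOUNT_FIELD_MAX];`, with a comment on each format string noting that the width must be the constant minus one. The reason for dropping PATH_MAX is also not recorded in the code; a one-line comment on the declarations would help the next reader: `/* Sized to match the %4095s widths below; field lengths read from the kernel are not trusted to fit PATH_MAX */`. udisks_mount_monitor_get_mountinfo starts and ends outside the hunk.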
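Review bot: A field longer than 4095 bytes is now silently truncated instead of rejected: `%4095s` stops after 4095 characters, sscanf still returns 6, and the rest of that token is consumed by the next conversion, so an overlong encoded_root leaves its tail in encoded_mount_point while the record is accepted as valid. The same applies to fstype/mount_source in the hunk at line 452 and to filename in the hunk at line 561, where the truncated name goes straight into stat(). Given that the overflow is what this patch fixes, failing closed is the consistent choice: after the sscanf succeeds, treat a field that exactly fills its buffer (`strlen (encoded_root) == sizeof encoded_root - 1`, likewise for encoded_mount_point) as a parse error and take the existing `udisks_warning` + `continue` path. The explicit '\0' stores added in the hunk at line 436 do not change this; with the width in place sscanf already terminates the string, so they are a belt-and-braces measure only. udisks_mount_monitor_get_mountinfo begins and ends outside the hunk.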
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
 sep = strstr (lines[n], " - ");
 if (sep != NULL)
 {
- gchar fstype[PATH_MAX];
- gchar mount_source[PATH_MAX];
+ gchar fstype[4096];
+ gchar mount_source[4096];
 struct stat statbuf;
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
 {
 udisks_warning ("Error parsing things past - for '%s'", lines[n]);
 continue;
 }
+ fstype[sizeof fstype - 1] = '\0';
+ mount_source[sizeof mount_source - 1] = '\0';
 if (g_strcmp0 (fstype, "btrfs") != 0)
 continue;
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
 lines = g_strsplit (contents, "\n", 0);
 for (n = 0; lines[n] != NULL; n++)
 {
- gchar filename[PATH_MAX];
+ gchar filename[4096];
 struct stat statbuf;
 dev_t dev;
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
 if (strlen (lines[n]) == 0)
 continue;
- if (sscanf (lines[n], "%s", filename) != 1)
+ if (sscanf (lines[n], "%4095s", filename) != 1)
 {
 udisks_warning ("Error parsing line '%s'", lines[n]);
 continue;
 }
+ filename[sizeof filename - 1] = '\0';
 if (stat (filename, &statbuf) != 0)
 {