From: Karel Zak <kzak@redhat.com>
Date: Thu, 26 Sep 2013 12:45:14 +0000 (+0200)
Subject: libmount: compose mount.<type> helpers paths more carefully
X-Git-Tag: v2.24-rc1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51e3530cdcb1d4f3ab91ae953ebc5adcdc5f9239;p=thirdparty%2Futil-linux.git

libmount: compose mount.<type> helpers paths more carefully

The [u]mount helper path is "/sbin/mount.<type>", the <type> should not
be possible to interpret like a path, for example:

  # mkdir /sbin/mount.fake
  # mount -t fake/../../../home/user/foo.sh

Anyway, this is *not mount(8) security issue*, because:

  - non-root users don't have permissions to specify -t on mount(8)
    command line
  - /sbin is not writable for regular users

This patch makes libmount more robust for situations when the library
is used by incompetent developers who don't sanitize user's input.

Reported-by: "Horsfall, Matthew" <mhorsfal@akamai.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/libmount/src/context.c b/libmount/src/context.c
index 014f0ee90d..0f8f112d45 100644
--- a/libmount/src/context.c
+++ b/libmount/src/context.c
@@ -1624,6 +1624,7 @@ int mnt_context_prepare_helper(struct libmnt_context *cxt, const char *name,
 	if (mnt_context_is_nohelpers(cxt)
 	    || !type
 	    || !strcmp(type, "none")
+	    || strstr(type, "/..")		/* don't try to smuggle path */
 	    || mnt_fs_is_swaparea(cxt->fs))
 		return 0;