From 51e3530cdcb1d4f3ab91ae953ebc5adcdc5f9239 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Thu, 26 Sep 2013 14:45:14 +0200
Subject: [PATCH] libmount: compose mount. helpers paths more carefully

The [u]mount helper path is "/sbin/mount.", the should not be possible to interpret like a path, for example:

# mkdir /sbin/mount.fake
# mount -t fake/../../../home/user/foo.sh

Anyway, this is *not mount(8) security issue*, because:

- non-root users don't have permissions to specify -t on mount(8) command line
- /sbin is not writable for regular users

This patch makes libmount more robust for situations when the library is used by incompetent developers who don't sanitize user's input.

Reported-by: "Horsfall, Matthew"
Signed-off-by: Karel Zak
---
 libmount/src/context.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libmount/src/context.c b/libmount/src/context.c
index 014f0ee90d..0f8f112d45 100644
--- a/libmount/src/context.c
+++ b/libmount/src/context.c
@@ -1624,6 +1624,7 @@ int mnt_context_prepare_helper(struct libmnt_context *cxt, const char *name,
 if (mnt_context_is_nohelpers(cxt)
 || !type
 || !strcmp(type, "none")
+ || strstr(type, "/..") /* don't try to smuggle path */
 || mnt_fs_is_swaparea(cxt->fs))
 return 0;
-- 
2.47.3
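Review bot: The added `strstr(type, "/..")` test rejects only the parent-directory pattern, so a type containing a plain `/` still passes the condition and would be appended to the helper prefix as a multi-component path rather than a single file name. Because the helper name is meant to be one file-name component, rejecting any separator is the tighter check: `|| strchr(type, '/') /* type must be a single path component */`, assuming no supported filesystem type legitimately contains a slash, which should be confirmed first. The body of mnt_context_prepare_helper continues outside the hunk, so how the path is finally composed and searched is not visible here. Since this branch returns 0 silently, a debug message naming the rejected type would also help whoever has to diagnose why no helper ran.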