[Pkg-loop-aes-commits] r1463 - in /trunk/loop-aes-utils: ./ debian/changelog debian/patches/00list debian/patches/50_realpath_use_after_free.dpatch
xam at users.alioth.debian.org
Fri Oct 19 22:15:12 UTC 2007
Author: xam
Date: Fri Oct 19 22:15:12 2007
New Revision: 1463
URL: http://svn.debian.org/wsvn/pkg-loop-aes/?sc=1&rev=1463
Log:
mount: chain of symlinks to fstab causes use of pointer after free
Added:
trunk/loop-aes-utils/debian/patches/50_realpath_use_after_free.dpatch
Modified:
trunk/loop-aes-utils/ (props changed)
trunk/loop-aes-utils/debian/changelog
trunk/loop-aes-utils/debian/patches/00list
Propchange: trunk/loop-aes-utils/
------------------------------------------------------------------------------
--- svk:merge (original)
+++ svk:merge Fri Oct 19 22:15:12 2007
@@ -1,4 +1,4 @@
-02a4734a-7125-4a10-a2dd-ccf7f6155d04:/local/pkg-loop-aes/trunk/loop-aes-utils:11444
+02a4734a-7125-4a10-a2dd-ccf7f6155d04:/local/pkg-loop-aes/trunk/loop-aes-utils:11445
53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/branches/2.12-alternative:120
53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/branches/2.12-dpatch:196
53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/trunk/current:338
Modified: trunk/loop-aes-utils/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/changelog?rev=1463&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/changelog (original)
+++ trunk/loop-aes-utils/debian/changelog Fri Oct 19 22:15:12 2007
@@ -3,6 +3,7 @@
* Sync with util-linux 2.13-8
* SECURITY: mount: doesn't drop privileges properly when
calling helpers [CVE-2007-5191]
+ * mount: chain of symlinks to fstab causes use of pointer after free
-- Max Vozeler <xam at debian.org> Fri, 19 Oct 2007 23:14:28 +0200
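Review bot: the added changelog line names neither the patch that carries the fix (50_realpath_use_after_free) nor the upstream commit it was taken from (a9d6150d12b368820a98cb26ec0d9f76fa4f0905), so someone reading the changelog alone cannot trace it. Consider appending both to the entry. The CVE-2007-5191 entry directly above it is prefixed "SECURITY:"; if this use after free is treated as security-relevant, mark it the same way, otherwise the unmarked line reads as a plain bug fix.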
Modified: trunk/loop-aes-utils/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/patches/00list?rev=1463&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/patches/00list (original)
+++ trunk/loop-aes-utils/debian/patches/00list Fri Oct 19 22:15:12 2007
@@ -1,2 +1,3 @@
20loop-AES
+50_realpath_use_after_free
51_CVE-2007-5191
Added: trunk/loop-aes-utils/debian/patches/50_realpath_use_after_free.dpatch
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/patches/50_realpath_use_after_free.dpatch?rev=1463&op=file
==============================================================================
--- trunk/loop-aes-utils/debian/patches/50_realpath_use_after_free.dpatch (added)
+++ trunk/loop-aes-utils/debian/patches/50_realpath_use_after_free.dpatch Fri Oct 19 22:15:12 2007
@@ -1,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+commit a9d6150d12b368820a98cb26ec0d9f76fa4f0905
+Author: Norbert Buchmuller <norbi at nix.hu>
+Date: Sun Sep 2 14:08:53 2007 -0600
+
+ mount: chain of symlinks to fstab causes use of pointer after free
+
+ Looking at the source in 'mount/realpath.c' we find that when dealing with
+ the second or later symlink in the chain, a memory block was free()d before
+ copying its contents to a newly allocated block.
+
+diff --git a/mount/realpath.c b/mount/realpath.c
+index 9dc517e..d659685 100644
+--- a/mount/realpath.c
++++ b/mount/realpath.c
+@@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
+ } else {
+ #ifdef resolve_symlinks /* Richard Gooch dislikes sl resolution */
+ int m;
++ char *newbuf;
+
+ /* Note: readlink doesn't add the null byte. */
+ link_path[n] = '\0';
+@@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
+
+ /* Insert symlink contents into path. */
+ m = strlen(path);
++ newbuf = xmalloc(m + n + 1);
++ memcpy(newbuf, link_path, n);
++ memcpy(newbuf + n, path, m + 1);
+ if (buf)
+ free(buf);
+- buf = xmalloc(m + n + 1);
+- memcpy(buf, link_path, n);
+- memcpy(buf + n, path, m + 1);
+- path = buf;
++ path = buf = newbuf;
+ #endif
+ }
+ *npath++ = '/';
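Review bot: in the second realpath.c hunk, nothing in the code records why newbuf must be filled before free(buf). Per the commit message, on the second or later symlink path still points into the old buf, so the memcpy from path has to run first; a one-line comment above "newbuf = xmalloc(m + n + 1);" saying that would keep a later cleanup from folding the allocation back into buf and reintroducing the bug. Minor style point in the same hunk: the "if (buf)" guard before free(buf) is redundant, since free(NULL) is a no-op.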