libfuse: fix exec environment for mount and umount

Found by Tavis Ormandy (CVE-2015-3202).

diff --git a/ChangeLog b/ChangeLog
index 279249390f9a745af0b2813db2ada45a12ae1a16..0cd0cdddfbee6d801b58e7e5939380144daa49c3 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-22  Miklos Szeredi <miklos@szeredi.hu>
+
+       * libfuse: fix exec environment for mount and umount.  Found by
+       Tavis Ormandy (CVE-2015-3202).
+
 2015-02-26  Miklos Szeredi <miklos@szeredi.hu>
 
        * libfuse: fix fuse_remove_signal_handlers() to properly restore

diff --git a/lib/mount_util.c b/lib/mount_util.c
index 3cad2e6af2b7249a54c990ae2bd98f900785aca0..defb92f62f55a4abd17bd93f2607c7e3236b8d5f 100644 (file)
--- a/lib/mount_util.c
+++ b/lib/mount_util.c
@@ -96,10 +96,12 @@ static int add_mount(const char *progname, const char *fsname,
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
-                     "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+               execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+                      "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
                fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
                        progname, strerror(errno));
                exit(1);
@@ -147,10 +149,17 @@ static int exec_umount(const char *progname, const char *rel_mnt, int lazy)
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
-                     lazy ? "-l" : NULL, NULL);
+               if (lazy) {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              "-l", NULL, &env);
+               } else {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              NULL, &env);
+               }
                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
                        progname, strerror(errno));
                exit(1);
@@ -206,10 +215,12 @@ static int remove_mount(const char *progname, const char *mnt)
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
-                     "--fake", mnt, NULL);
+               execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+                      "--fake", mnt, NULL, &env);
                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
                        progname, strerror(errno));
                exit(1);