libfuse: fix exec environment for mount and umount

Found by Tavis Ormandy (CVE-2015-3202).

diff --git a/ChangeLog b/ChangeLog
index 5c1c267da1136b03a917eb65db331ea4758c9497..c2601ce92a60d3d2236ad675f16487cf515c5463 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-22  Miklos Szeredi <miklos@szeredi.hu>
+
+       * libfuse: fix exec environment for mount and umount.  Found by
+       Tavis Ormandy (CVE-2015-3202).
+
 2015-04-23  Miklos Szeredi <miklos@szeredi.hu>
 
        * libfuse: add FUSE_CAP_NO_OPEN_SUPPORT flag to ->init()

diff --git a/lib/mount_util.c b/lib/mount_util.c
index 87e3888d5625a88a5baaeb9d3cb94bbdeed25172..589f76d7aa38155caab5403c0b08d73bdbae9dec 100644 (file)
--- a/lib/mount_util.c
+++ b/lib/mount_util.c
@@ -97,10 +97,12 @@ static int add_mount(const char *progname, const char *fsname,
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
-                     "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+               execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+                      "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
                fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
                        progname, strerror(errno));
                exit(1);
@@ -148,10 +150,17 @@ static int exec_umount(const char *progname, const char *rel_mnt, int lazy)
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
-                     lazy ? "-l" : NULL, NULL);
+               if (lazy) {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              "-l", NULL, &env);
+               } else {
+                       execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+                              NULL, &env);
+               }
                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
                        progname, strerror(errno));
                exit(1);
@@ -207,10 +216,12 @@ static int remove_mount(const char *progname, const char *mnt)
                goto out_restore;
        }
        if (res == 0) {
+               char *env = NULL;
+
                sigprocmask(SIG_SETMASK, &oldmask, NULL);
                setuid(geteuid());
-               execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
-                     "--fake", mnt, NULL);
+               execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+                      "--fake", mnt, NULL, &env);
                fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
                        progname, strerror(errno));
                exit(1);