From: Miklos Szeredi <mszeredi@suse.cz>
Date: Fri, 22 May 2015 08:58:43 +0000 (+0200)
Subject: libfuse: fix exec environment for mount and umount
X-Git-Tag: fuse-3.0.0pre0~75
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=cfe13b7a217075ae741c018da50cd600e5330de2;p=qemu-gpiodev%2Flibfuse.git

libfuse: fix exec environment for mount and umount

Found by Tavis Ormandy (CVE-2015-3202).
---

diff --git a/ChangeLog b/ChangeLog
index 5c1c267..c2601ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-22  Miklos Szeredi <miklos@szeredi.hu>
+
+	* libfuse: fix exec environment for mount and umount.  Found by
+	Tavis Ormandy (CVE-2015-3202).
+
 2015-04-23  Miklos Szeredi <miklos@szeredi.hu>
 
 	* libfuse: add FUSE_CAP_NO_OPEN_SUPPORT flag to ->init()
diff --git a/lib/mount_util.c b/lib/mount_util.c
index 87e3888..589f76d 100644
--- a/lib/mount_util.c
+++ b/lib/mount_util.c
@@ -97,10 +97,12 @@ static int add_mount(const char *progname, const char *fsname,
 		goto out_restore;
 	}
 	if (res == 0) {
+		char *env = NULL;
+
 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
 		setuid(geteuid());
-		execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
-		      "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
+		execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
+		       "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
 		fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
 			progname, strerror(errno));
 		exit(1);
@@ -148,10 +150,17 @@ static int exec_umount(const char *progname, const char *rel_mnt, int lazy)
 		goto out_restore;
 	}
 	if (res == 0) {
+		char *env = NULL;
+
 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
 		setuid(geteuid());
-		execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
-		      lazy ? "-l" : NULL, NULL);
+		if (lazy) {
+			execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+			       "-l", NULL, &env);
+		} else {
+			execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
+			       NULL, &env);
+		}
 		fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
 			progname, strerror(errno));
 		exit(1);
@@ -207,10 +216,12 @@ static int remove_mount(const char *progname, const char *mnt)
 		goto out_restore;
 	}
 	if (res == 0) {
+		char *env = NULL;
+
 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
 		setuid(geteuid());
-		execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
-		      "--fake", mnt, NULL);
+		execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
+		       "--fake", mnt, NULL, &env);
 		fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
 			progname, strerror(errno));
 		exit(1);