Description: Fix CVE-2015-3202 Missing scrubbing of the environment before executing a mount or umount of a filesystem. Origin: backport Author: Miklos Szeredi Last-Update: 2015-05-19 --- lib/mount_util.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) --- a/libfuse-lite/mount_util.c +++ b/libfuse-lite/mount_util.c @@ -66,6 +66,7 @@ int fuse_mnt_add_mount(const char *progn return -1; } if (res == 0) { + char *env = NULL; char templ[] = "/tmp/fusermountXXXXXX"; char *tmp; @@ -87,8 +88,8 @@ int fuse_mnt_add_mount(const char *progn exit(1); } rmdir(tmp); - execl("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts, - fsname, mnt, NULL); + execle("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts, + fsname, mnt, NULL, &env); fprintf(stderr, "%s: failed to execute /sbin/mount: %s\n", progname, strerror(errno)); exit(1); @@ -120,9 +121,16 @@ int fuse_mnt_umount(const char *progname return -1; } if (res == 0) { + char *env = NULL; + setuid(geteuid()); - execl("/sbin/umount", "/sbin/umount", !lazy ? "-f" : NULL, mnt, - NULL); + if (!lazy) { + execle("/sbin/umount", "/sbin/umount", "-f", mnt, + NULL, &env); + } else { + execle("/sbin/umount", "/sbin/umount", mnt, + NULL, &env); + } fprintf(stderr, "%s: failed to execute /sbin/umount: %s\n", progname, strerror(errno)); exit(1); @@ -302,6 +310,7 @@ int fuse_mnt_add_mount(const char *progn return 0; } if (res == 0) { + char *env = NULL; char templ[] = "/tmp/fusermountXXXXXX"; char *tmp; @@ -325,8 +334,8 @@ int fuse_mnt_add_mount(const char *progn exit(1); } rmdir(tmp); - execl("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts, - fsname, mnt, NULL); + execle("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts, + fsname, mnt, NULL, &env); fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", progname, strerror(errno)); exit(1);