diff --git a/afuse-template-tokenize.patch b/afuse-template-tokenize.patch new file mode 100644 index 0000000..914400e --- /dev/null +++ b/afuse-template-tokenize.patch @@ -0,0 +1,214 @@ +diff -ur afuse-0.2.orig/src/afuse.c afuse-0.2/src/afuse.c +--- afuse-0.2.orig/src/afuse.c 2008-02-18 17:16:32.000000000 -0500 ++++ afuse-0.2/src/afuse.c 2008-07-10 21:50:06.000000000 -0400 +@@ -280,14 +280,19 @@ + } + + +-// !!FIXME!! allow escaping of %'s + // Note: this method strips out quotes and applies them itself as should be appropriate +-char *expand_template(const char *template, const char *mount_point, const char *root_name) ++bool run_template(const char *template, const char *mount_point, const char *root_name) + { + int len = 0; ++ int nargs = 1; + int i; +- char *expanded_name; +- char *expanded_name_start; ++ char *buf; ++ char *p; ++ char **args; ++ char **arg; ++ bool quote = false; ++ pid_t pid; ++ int status; + + // calculate length + for(i = 0; template[i]; i++) +@@ -295,53 +300,100 @@ + switch(template[i + 1]) + { + case 'm': +- len += strlen(mount_point) + 2; ++ len += strlen(mount_point); + i++; + break; + case 'r': +- len += strlen(root_name) + 2; ++ len += strlen(root_name); ++ i++; ++ break; ++ case '%': ++ len++; + i++; + break; + } +- } else if(template[i] != '"') ++ } else if(template[i] == ' ' && !quote) { ++ len++; ++ nargs++; ++ } else if(template[i] == '"') ++ quote = !quote; ++ else if(template[i] == '\\' && template[i + 1]) ++ len++, i++; ++ else + len++; + +- expanded_name_start = expanded_name = my_malloc(len + 1); ++ buf = my_malloc(len + 1); ++ args = my_malloc((nargs + 1) * sizeof(*args)); ++ ++ p = buf; ++ arg = args; ++ *arg++ = p; + + for(i = 0; template[i]; i++) + if(template[i] == '%') { +- int j = 0; + switch(template[i + 1]) + { + case 'm': +- *expanded_name++ = '"'; +- while(mount_point[j]) +- *expanded_name++ = mount_point[j++]; +- *expanded_name++ = '"'; ++ strcpy(p, mount_point); ++ p += strlen(mount_point); + i++; + break; + case 'r': +- *expanded_name++ = '"'; +- while(root_name[j]) +- *expanded_name++ = root_name[j++]; +- *expanded_name++ = '"'; ++ strcpy(p, root_name); ++ p += strlen(root_name); ++ i++; ++ break; ++ case '%': ++ *p++ = '%'; + i++; + break; + } +- } else if(template[i] != '"') +- *expanded_name++ = template[i]; +- +- *expanded_name = '\0'; +- +- return expanded_name_start; ++ } else if(template[i] == ' ' && !quote) { ++ *p++ = '\0'; ++ *arg++ = p; ++ } else if(template[i] == '"') ++ quote = !quote; ++ else if(template[i] == '\\' && template[i + 1]) ++ *p++ = template[++i]; ++ else ++ *p++ = template[i]; ++ ++ *p = '\0'; ++ *arg = NULL; ++ ++ pid = fork(); ++ if(pid == -1) { ++ fprintf(stderr, "Failed to fork (%s)\n", strerror(errno)); ++ free(args); ++ free(buf); ++ return false; ++ } ++ if(pid == 0) { ++ execvp(args[0], args); ++ abort(); ++ } ++ pid = waitpid(pid, &status, 0); ++ if(pid == -1) { ++ fprintf(stderr, "Failed to waitpid (%s)\n", strerror(errno)); ++ free(args); ++ free(buf); ++ return false; ++ } ++ if(!WIFEXITED(status) || WEXITSTATUS(status) != 0) { ++ fprintf(stderr, "Failed to invoke command: %s\n", args[0]); ++ free(args); ++ free(buf); ++ return false; ++ } ++ free(args); ++ free(buf); ++ return true; + } + + mount_list_t *do_mount(const char *root_name) + { + char *mount_point; +- char *mount_command; + mount_list_t *mount; +- int sysret; + + fprintf(stderr, "Mounting: %s\n", root_name); + +@@ -351,57 +403,33 @@ + return NULL; + } + +- mount_command = expand_template(user_options.mount_command_template, +- mount_point, root_name); +- sysret = system(mount_command); +- +- fprintf(stderr, "sysret: %.8x\n", sysret); +- +- if(sysret) { +- fprintf(stderr, "Failed to invoke mount command: '%s' (%s)\n", +- mount_command, sysret != -1 ? +- "Error executing mount" : +- strerror(errno)); +- ++ if(!run_template(user_options.mount_command_template, ++ mount_point, root_name)) { + // remove the now unused directory + if( rmdir(mount_point) == -1 ) + fprintf(stderr, "Failed to remove mount point dir: %s (%s)", + mount_point, strerror(errno)); + +- free(mount_command); + free(mount_point); + return NULL; + } + + mount = add_mount(root_name, mount_point); +- +- free(mount_command); + return mount; + } + + int do_umount(mount_list_t *mount) + { +- char *unmount_command; +- int sysret; +- + fprintf(stderr, "Unmounting: %s\n", mount->root_name); + +- unmount_command = expand_template(user_options.unmount_command_template, +- mount->mount_point, mount->root_name); +- sysret = system(unmount_command); +- if(sysret) { +- fprintf(stderr, "Failed to invoke unmount command: '%s' (%s)\n", +- unmount_command, sysret != -1 ? +- "Error executing mount" : +- strerror(errno)); +- /* Still unmount anyway */ +- } ++ run_template(user_options.unmount_command_template, ++ mount->mount_point, mount->root_name); ++ /* Still unmount anyway */ + + if( rmdir(mount->mount_point) == -1 ) + fprintf(stderr, "Failed to remove mount point dir: %s (%s)", + mount->mount_point, strerror(errno)); + remove_mount(mount); +- free(unmount_command); + return 1; + } + + + diff --git a/afuse.spec b/afuse.spec index 3d8f24d..f5a284e 100644 --- a/afuse.spec +++ b/afuse.spec @@ -1,13 +1,15 @@ Name: afuse Summary: An automounter implemented with FUSE Version: 0.2 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source0: http://downloads.sourceforge.net/afuse/%{name}-%{version}.tar.gz URL: http://afuse.sourceforge.net/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: fuse-devel +# fix CVE-2008-2232 +Patch0: afuse-template-tokenize.patch %description Afuse is an automounting file system implemented in user-space using FUSE. @@ -20,6 +22,7 @@ with an error. %prep %setup -q +%patch0 -p1 -b .CVS-2008-2232 %build %configure @@ -38,6 +41,9 @@ rm -rf %{buildroot} %{_bindir}/afuse %changelog +* Mon Aug 17 2009 Tom "spot" Callaway - 0.2-4 +- fix CVS-2008-2232 + * Fri Jul 24 2009 Fedora Release Engineering - 0.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild