Description: fix privilege escalation via mount.cifs race
Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
Bug: https://bugzilla.samba.org/show_bug.cgi?id=6853
6
Index: samba-3.4.3/source3/client/mount.cifs.c
7
===================================================================
8
--- samba-3.4.3.orig/source3/client/mount.cifs.c 2010-01-28 15:20:37.000000000 -0500
9
+++ samba-3.4.3/source3/client/mount.cifs.c 2010-01-28 15:20:57.000000000 -0500
10
@@ -1043,6 +1043,36 @@
11
MOUNT_CIFS_VENDOR_SUFFIX);
15
+ * This function borrowed from fuse-utils...
17
+ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
18
+ * newlines embedded within the text fields. To make sure no one corrupts
19
+ * the mtab, fail the mount if there are embedded newlines.
21
+static int check_newline(const char *progname, const char *name)
24
+ for (s = "\n"; *s; s++) {
25
+ if (strchr(name, *s)) {
26
+ fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
34
+static int check_mtab(const char *progname, const char *devname,
37
+ if (check_newline(progname, devname) == -1 ||
38
+ check_newline(progname, dir) == -1)
44
int main(int argc, char ** argv)
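Review bot: check_mtab() runs check_newline() only on devname and dir, so any other text field that is later handed to addmntent() is still written to the mtab unchecked. If the options string or another field can carry caller-supplied text (not visible in this hunk), it should pass through the same check before the mount is attempted. In check_newline(), `s` walks a string literal in `for (s = "\n"; *s; s++)`, so it should be declared `const char *s` if it is currently a plain `char *` (the declaration line is not shown on this page). check_mtab() also deserves a one-line contract comment such as `/* Returns 0 if devname and dir are safe to record in the mtab, -1 otherwise. */`. Several lines of both functions are missing from this listing, so the return paths are inferred from the `== -1` comparisons.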
47
@@ -1463,7 +1493,11 @@
49
fprintf(stderr, "\n");
51
- if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
52
+ rc = check_mtab(thisprogram, dev_name, mountpoint);
56
+ if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {