packages/util-linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3995 and CVE-2021-3996

Browse Source
This commit is contained in:
shangyibin 2022-02-15 10:21:50 +08:00
parent 5e9ed23992
commit f20de5c819
4 changed files with 432 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
backport-CVE-2021-3995.patch Normal file
View File

@ -0,0 +1,138 @@
From f3db9bd609494099f0c1b95231c5dfe383346929 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Wed, 24 Nov 2021 13:53:25 +0100
Subject: [PATCH] libmount: fix UID check for FUSE umount [CVE-2021-3995]
Improper UID check allows an unprivileged user to unmount FUSE
filesystems of users with similar UID.
Signed-off-by: Karel Zak <kzak@redhat.com>
Reference:https://github.com/util-linux/util-linux/commit/f3db9bd609494099f0c1b95231c5dfe383346929
Conflict:NA
---
include/strutils.h | 2 +-
libmount/src/context_umount.c | 13 +++--------
libmount/src/mountP.h | 1 +
libmount/src/optstr.c | 42 +++++++++++++++++++++++++++++++++++
4 files changed, 47 insertions(+), 11 deletions(-)
diff --git a/include/strutils.h b/include/strutils.h
index 4b3182f..50e493a 100644
--- a/include/strutils.h
+++ b/include/strutils.h
@@ -88,8 +88,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma
if (n + 1 > nmax)
n = nmax - 1;
+ memset(dest, '\0', nmax);
memcpy(dest, src, n);
- dest[nmax-1] = '\0';
return dest;
}
diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
index 94f824b..0d77fff 100644
--- a/libmount/src/context_umount.c
+++ b/libmount/src/context_umount.c
@@ -393,10 +393,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
struct libmnt_ns *ns_old;
const char *type = mnt_fs_get_fstype(cxt->fs);
const char *optstr;
- char *user_id = NULL;
- size_t sz;
- uid_t uid;
- char uidstr[sizeof(stringify_value(ULONG_MAX))];
+ uid_t uid, entry_uid;
*errsv = 0;
@@ -414,10 +411,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
if (!optstr)
return 0;
- if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
- return 0;
-
- if (sz == 0 || user_id == NULL)
+ if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
return 0;
/* get current user */
@@ -434,8 +428,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
return 0;
}
- snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
- return strncmp(user_id, uidstr, sz) == 0;
+ return uid == entry_uid;
}
/*
diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
index d8ba0ab..4a2ddb3 100644
--- a/libmount/src/mountP.h
+++ b/libmount/src/mountP.h
@@ -401,6 +401,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
const struct libmnt_optmap **mapent);
/* optstr.c */
+extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
index eea952b..8a92c32 100644
--- a/libmount/src/optstr.c
+++ b/libmount/src/optstr.c
@@ -1090,6 +1090,48 @@ int mnt_optstr_fix_user(char **optstr)
return rc;
}
+/*
+ * Converts value from @optstr addressed by @name to uid.
+ *
+ * Returns: 0 on success, 1 if not found, <0 on error
+ */
+int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
+{
+ char *value = NULL;
+ size_t valsz = 0;
+ char buf[sizeof(stringify_value(UINT64_MAX))];
+ int rc;
+ uint64_t num;
+
+ assert(optstr);
+ assert(name);
+ assert(uid);
+
+ rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
+ if (rc != 0)
+ goto fail;
+
+ if (valsz > sizeof(buf) - 1) {
+ rc = -ERANGE;
+ goto fail;
+ }
+ mem2strcpy(buf, value, valsz, sizeof(buf));
+
+ rc = ul_strtou64(buf, &num, 10);
+ if (rc != 0)
+ goto fail;
+ if (num > ULONG_MAX || (uid_t) num != num) {
+ rc = -ERANGE;
+ goto fail;
+ }
+ *uid = (uid_t) num;
+
+ return 0;
+fail:
+ DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
+ return rc;
+}
+
/**
* mnt_match_options:
* @optstr: options string
--
2.27.0

226
backport-CVE-2021-3996.patch Normal file
View File

@ -0,0 +1,226 @@
From 018a10907fa9885093f6d87401556932c2d8bd2b Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Tue, 4 Jan 2022 10:54:20 +0100
Subject: [PATCH] libmount: fix (deleted) suffix issue [CVE-2021-3996]
This issue is related to parsing the /proc/self/mountinfo file allows an
unprivileged user to unmount other user's filesystems that are either
world-writable themselves or mounted in a world-writable directory.
The support for "(deleted)" is no more necessary as the Linux kernel does
not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
Signed-off-by: Karel Zak <kzak@redhat.com>
Reference:https://github.com/util-linux/util-linux/commit/018a10907fa9885093f6d87401556932c2d8bd2b
Conflict:NA
---
libmount/src/tab_parse.c | 5 -----
tests/expected/findmnt/filter-options | 1 -
tests/expected/findmnt/filter-options-nameval-neg | 3 +--
tests/expected/findmnt/filter-types-neg | 1 -
tests/expected/findmnt/outputs-default | 3 +--
tests/expected/findmnt/outputs-force-tree | 3 +--
tests/expected/findmnt/outputs-kernel | 3 +--
tests/expected/libmount/tabdiff-mount | 1 -
tests/expected/libmount/tabdiff-move | 1 -
tests/expected/libmount/tabdiff-remount | 1 -
tests/expected/libmount/tabdiff-umount | 1 -
tests/expected/libmount/tabfiles-parse-mountinfo | 11 -----------
tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 -----------
tests/ts/findmnt/files/mountinfo | 1 -
tests/ts/findmnt/files/mountinfo-nonroot | 1 -
tests/ts/libmount/files/mountinfo | 1 -
16 files changed, 4 insertions(+), 44 deletions(-)
diff --git a/libmount/src/tab_parse.c b/libmount/src/tab_parse.c
index 3a2cc0d..eec9758 100644
--- a/libmount/src/tab_parse.c
+++ b/libmount/src/tab_parse.c
@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(struct libmnt_fs *fs, const char *s)
goto fail;
}
- /* remove "\040(deleted)" suffix */
- p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
- if (p && *p)
- *p = '\0';
-
s = skip_separator(s);
/* (6) vfs options (fs-independent) */
diff --git a/tests/expected/findmnt/filter-options b/tests/expected/findmnt/filter-options
index 2606bce..97b0ead 100644
--- a/tests/expected/findmnt/filter-options
+++ b/tests/expected/findmnt/filter-options
@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-/mnt/foo /fooooo bar rw,relatime
rc=0
diff --git a/tests/expected/findmnt/filter-options-nameval-neg b/tests/expected/findmnt/filter-options-nameval-neg
index 5471d65..f0467ef 100644
--- a/tests/expected/findmnt/filter-options-nameval-neg
+++ b/tests/expected/findmnt/filter-options-nameval-neg
@@ -29,6 +29,5 @@ TARGET SOURCE FSTYPE OPTIO
|-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
| `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
|-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-`-/mnt/foo /fooooo bar rw,relatime
+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
rc=0
diff --git a/tests/expected/findmnt/filter-types-neg b/tests/expected/findmnt/filter-types-neg
index 2606bce..97b0ead 100644
--- a/tests/expected/findmnt/filter-types-neg
+++ b/tests/expected/findmnt/filter-types-neg
@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-/mnt/foo /fooooo bar rw,relatime
rc=0
diff --git a/tests/expected/findmnt/outputs-default b/tests/expected/findmnt/outputs-default
index 5949579..0159935 100644
--- a/tests/expected/findmnt/outputs-default
+++ b/tests/expected/findmnt/outputs-default
@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
|-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
| `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
|-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-`-/mnt/foo /fooooo bar rw,relatime
+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
rc=0
diff --git a/tests/expected/findmnt/outputs-force-tree b/tests/expected/findmnt/outputs-force-tree
index 5949579..0159935 100644
--- a/tests/expected/findmnt/outputs-force-tree
+++ b/tests/expected/findmnt/outputs-force-tree
@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
|-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
| `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
|-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-`-/mnt/foo /fooooo bar rw,relatime
+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
rc=0
diff --git a/tests/expected/findmnt/outputs-kernel b/tests/expected/findmnt/outputs-kernel
index 5949579..0159935 100644
--- a/tests/expected/findmnt/outputs-kernel
+++ b/tests/expected/findmnt/outputs-kernel
@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
|-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
| `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
|-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-`-/mnt/foo /fooooo bar rw,relatime
+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
rc=0
diff --git a/tests/expected/libmount/tabdiff-mount b/tests/expected/libmount/tabdiff-mount
index 420aeac..3c18f8d 100644
--- a/tests/expected/libmount/tabdiff-mount
+++ b/tests/expected/libmount/tabdiff-mount
@@ -1,3 +1,2 @@
/dev/mapper/kzak-home on /home/kzak: MOUNTED
-/fooooo on /mnt/foo: MOUNTED
tmpfs on /mnt/test/foo bar: MOUNTED
diff --git a/tests/expected/libmount/tabdiff-move b/tests/expected/libmount/tabdiff-move
index 24f9bc7..95820d9 100644
--- a/tests/expected/libmount/tabdiff-move
+++ b/tests/expected/libmount/tabdiff-move
@@ -1,3 +1,2 @@
//foo.home/bar/ on /mnt/music: MOVED to /mnt/music
-/fooooo on /mnt/foo: UMOUNTED
tmpfs on /mnt/test/foo bar: UMOUNTED
diff --git a/tests/expected/libmount/tabdiff-remount b/tests/expected/libmount/tabdiff-remount
index 82ebeab..876bfd9 100644
--- a/tests/expected/libmount/tabdiff-remount
+++ b/tests/expected/libmount/tabdiff-remount
@@ -1,4 +1,3 @@
/dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered'
//foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344'
-/fooooo on /mnt/foo: UMOUNTED
tmpfs on /mnt/test/foo bar: UMOUNTED
diff --git a/tests/expected/libmount/tabdiff-umount b/tests/expected/libmount/tabdiff-umount
index a3e0fe4..c7be725 100644
--- a/tests/expected/libmount/tabdiff-umount
+++ b/tests/expected/libmount/tabdiff-umount
@@ -1,3 +1,2 @@
/dev/mapper/kzak-home on /home/kzak: UMOUNTED
-/fooooo on /mnt/foo: UMOUNTED
tmpfs on /mnt/test/foo bar: UMOUNTED
diff --git a/tests/expected/libmount/tabfiles-parse-mountinfo b/tests/expected/libmount/tabfiles-parse-mountinfo
index 47eb770..d5ba524 100644
--- a/tests/expected/libmount/tabfiles-parse-mountinfo
+++ b/tests/expected/libmount/tabfiles-parse-mountinfo
@@ -351,17 +351,6 @@ id: 47
parent: 20
devno: 0:38
------ fs:
-source: /fooooo
-target: /mnt/foo
-fstype: bar
-optstr: rw,relatime
-VFS-optstr: rw,relatime
-FS-opstr: rw
-root: /
-id: 48
-parent: 20
-devno: 0:39
------- fs:
source: tmpfs
target: /mnt/test/foo bar
fstype: tmpfs
diff --git a/tests/expected/libmount/tabfiles-py-parse-mountinfo b/tests/expected/libmount/tabfiles-py-parse-mountinfo
index 47eb770..d5ba524 100644
--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo
+++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo
@@ -351,17 +351,6 @@ id: 47
parent: 20
devno: 0:38
------ fs:
-source: /fooooo
-target: /mnt/foo
-fstype: bar
-optstr: rw,relatime
-VFS-optstr: rw,relatime
-FS-opstr: rw
-root: /
-id: 48
-parent: 20
-devno: 0:39
------- fs:
source: tmpfs
target: /mnt/test/foo bar
fstype: tmpfs
diff --git a/tests/ts/findmnt/files/mountinfo b/tests/ts/findmnt/files/mountinfo
index 475ea1a..ff1e664 100644
--- a/tests/ts/findmnt/files/mountinfo
+++ b/tests/ts/findmnt/files/mountinfo
@@ -30,4 +30,3 @@
44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
diff --git a/tests/ts/findmnt/files/mountinfo-nonroot b/tests/ts/findmnt/files/mountinfo-nonroot
index e15b467..87b421d 100644
--- a/tests/ts/findmnt/files/mountinfo-nonroot
+++ b/tests/ts/findmnt/files/mountinfo-nonroot
@@ -29,4 +29,3 @@
44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
diff --git a/tests/ts/libmount/files/mountinfo b/tests/ts/libmount/files/mountinfo
index c063071..2b01740 100644
--- a/tests/ts/libmount/files/mountinfo
+++ b/tests/ts/libmount/files/mountinfo
@@ -30,5 +30,4 @@
44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
49 20 0:56 / /mnt/test/foo bar rw,relatime shared:323 - tmpfs tmpfs rw
--
2.27.0

58
backport-add-ul_strtou64.patch Normal file
View File

@ -0,0 +1,58 @@
From a9768580a49403a6ed4fcbc0403936073e301cdb Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Tue, 22 Jun 2021 14:20:42 +0200
Subject: [PATCH] include/strutils: cleanup strto..() functions
* add ul_strtos64() and ul_strtou64()
* add simple test
Addresses: https://github.com/karelzak/util-linux/issues/1358
Signed-off-by: Karel Zak <kzak@redhat.com>
Reference:https://github.com/util-linux/util-linux/commit/a9768580a49403a6ed4fcbc0403936073e301cdb
Conflict:add ul_strtou64
---
include/strutils.h | 2 ++
lib/strutils.c | 14 ++++++++++++++
2 files changed, 16 insertions(+)
diff --git a/include/strutils.h b/include/strutils.h
index 4b3182f..65b2934 100644
--- a/include/strutils.h
+++ b/include/strutils.h
@@ -16,6 +16,8 @@ extern int parse_size(const char *str, uintmax_t *res, int *power);
extern int strtosize(const char *str, uintmax_t *res);
extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
+extern int ul_strtou64(const char *str, uint64_t *num, int base);
+
extern int16_t strtos16_or_err(const char *str, const char *errmesg);
extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
diff --git a/lib/strutils.c b/lib/strutils.c
index 6c33820..7befec1 100644
--- a/lib/strutils.c
+++ b/lib/strutils.c
@@ -320,6 +320,20 @@ char *strndup(const char *s, size_t n)
static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
+int ul_strtou64(const char *str, uint64_t *num, int base)
+{
+ char *end = NULL;
+
+ errno = 0;
+ if (str == NULL || *str == '\0')
+ return -EINVAL;
+ *num = (uint64_t) strtoumax(str, &end, base);
+
+ if (errno || str == end || (end && *end))
+ return -EINVAL;
+ return 0;
+}
+
int16_t strtos16_or_err(const char *str, const char *errmesg)
{
int32_t num = strtos32_or_err(str, errmesg);
--
2.27.0

11
util-linux.spec
View File

@ -2,7 +2,7 @@
Name: util-linux
Version: 2.35.2
Release: 9
Release: 10
Summary: A random collection of Linux utilities
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@ -58,6 +58,9 @@ Patch19: backpaort-fix-rounding-in-size_to_human_string.patch
Patch20: backpaort-fix-uint64_t-overflow.patch
Patch21: backpaort-update-fdisk-outputs-due-to-sizes-rounding-change.patch
Patch6000: backport-CVE-2021-37600.patch
Patch6001: backport-add-ul_strtou64.patch
Patch6002: backport-CVE-2021-3995.patch
Patch6003: backport-CVE-2021-3996.patch
Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch
Patch9001: modify-rescuemode-chinese-error.patch
@ -407,6 +410,12 @@ fi
%{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*}
%changelog
* Tue Feb 15 2021 shangyibin<shangyibin1@h-partners.com> - 2.35.2-10
- Type:CVE
- ID:CVE-2021-3995 CVE-2021-3996
- SUG:NA
- DESC:fix CVE-2021-3995 CVE-2021-3996
* Fri Aug 20 2021 zhangke <zhangkea@uniontech.com> - 2.35.2-9
- Type:enhancement
- Id:NA