[Bug 14442] Shell command injection vulnerability in mount.cifs

[samba-bugs@samba.org]

https://bugzilla.samba.org/show_bug.cgi?id=14442

--- Comment #1 from Paulo Alcantara <palcantara@suse.de> ---
Hi Vadim,

Thanks for the report!

I was able to reproduce it and ended up with the following changes:

diff --git a/mount.cifs.c b/mount.cifs.c
index 40918c18649f..bb8a7e958898 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1695,6 +1695,43 @@ drop_child_privs(void)
        return 0;
 }

+#ifdef ENABLE_SYSTEMD
+static int get_passwd_by_systemd(const char *prompt, char *input, int
capacity)
+{
+       int fd[2];
+       pid_t pid;
+       int rc;
+
+       if (pipe(fd) == -1) {
+               fprintf(stderr, "Failed to create pipe: %s\n",
strerror(errno));
+               return -1;
+       }
+
+       pid = fork();
+       if (pid == -1) {
+               fprintf(stderr, "Unable to fork: %s\n", strerror(errno));
+               return -1;
+       }
+
+       if (pid == 0) {
+               close(fd[0]);
+               dup2(fd[1], STDOUT_FILENO);
+               execlp("systemd-ask-password", "systemd-ask-password", prompt,
NULL);
+       }
+
+       close(fd[1]);
+       wait(&rc);
+       if (!WIFEXITED(rc))
+               return 1;
+       if (read(fd[0], input, capacity) == -1) {
+               fprintf(stderr, "Failed to read from pipe: %s\n",
strerror(errno));
+               return 1;
+       }
+
+       return 0;
+}
+#endif
+
 /*
  * If systemd is running and systemd-ask-password --
  * is available, then use that else fallback on getpass(..)
@@ -1714,27 +1751,11 @@ get_password(const char *prompt, char *input, int
capacity)
                && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
                && (a.st_dev != b.st_dev);

-       if (is_systemd_running) {
-               char *cmd, *ret;
-               FILE *ask_pass_fp = NULL;
-
-               cmd = ret = NULL;
-               if (asprintf(&cmd, "systemd-ask-password \"%s\"", prompt) >= 0)
{
-                       ask_pass_fp = popen (cmd, "re");
-                       free (cmd);
-               }
-
-               if (ask_pass_fp) {
-                       ret = fgets(input, capacity, ask_pass_fp);
-                       pclose(ask_pass_fp);
-               }
-
-               if (ret) {
-                       int len = strlen(input);
-                       if (input[len - 1] == '\n')
-                               input[len - 1] = '\0';
-                       return input;
-               }
+       if (is_systemd_running && !get_passwd_by_systemd(prompt, input,
capacity)) {
+               int len = strlen(input);
+               if (input[len - 1] == '\n')
+                       input[len - 1] = '\0';
+               return input;
        }
 #endif


---
Before the patch:

$ sudo ./mount.cifs -o username="test \$(id)" //1 /mnt
Password for test uid=0(root) gid=0(root) groups=0(root)@//1:  (press TAB for
no echo)

After the patch:

$ sudo ./mount.cifs -o username="test \$(id)" //1 /mnt
Password for test $(id)@//1:  (press TAB for no echo)

Let me know what you think.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.