The expansion of the special keyword 'auto' was implemented in a way
that allowed external commands to be run if there was a crafted btrfs
filesystem present in the system.

The problem is not present if defaults are used. The configuration file
/etc/sys/config/btrfsmaintenance must contain 'auto' in one of the
BTRFS_*_MOUNTPOINTS variables. Then the following steps need to happen:

  mkfs.btrfs --label '`/evil/command`' /dev/sdx
  # /dev/sdx is auto-mounted
  # the respective btrfs-{scrub,trim,balance} job with configured 'auto' runs

The /evil/command is executed during the last step.

The problem is the use of eval in function evaluate_auto_mountpoint that
gets the name of the variable as a parameter and sets its value to the
list of mountpoints found in the filesystem.

Newly there's no eval and the list of paths is returned as a string.

CVE: CVE-2018-14722
Reported-by: Karol Babioch <kbabioch@suse.com>
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1102721
Signed-off-by: David Sterba <dsterba@suse.com>
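
The eval pattern described in the commit message next to the return-a-string form, as an added example (not the btrfsmaintenance code and not part of this commit). The function names and the sample mountpoint list are constructed, and the embedded command is a harmless echo.

```shell
#!/bin/sh
# Added illustration; simplified, not the btrfsmaintenance source.

# Constructed sample: a mountpoint list where one path component came from
# a filesystem label. The embedded command is a harmless echo.
SAMPLE_MOUNTS='/mnt/data:/run/media/user/`echo INJECTED`'

# Hypothetical stand-in for the mountpoint discovery step.
discover_mounts() {
	printf '%s' "$SAMPLE_MOUNTS"
}

# Unsafe pattern: assign to a caller-named variable through eval.
# eval re-parses the whole string as shell code, so backticks that arrived
# as data are executed as command substitution.
set_mounts_with_eval() {
	list=$(discover_mounts)
	eval "$1=$list"
}

# Pattern the fix describes: return the list as a string, caller assigns it.
# The result of $(...) is not re-parsed, so the backticks stay literal.
print_mounts() {
	discover_mounts
}

unsafe_result() {
	MOUNTS=auto
	set_mounts_with_eval MOUNTS
	printf '%s' "$MOUNTS"
}

safe_result() {
	MOUNTS=$(print_mounts)
	printf '%s' "$MOUNTS"
}

printf 'eval:   %s\n' "$(unsafe_result)"
printf 'string: %s\n' "$(safe_result)"
```

In the eval variant the label text is replaced by the output of the embedded command, which shows it ran; in the string variant the path keeps its literal backticks.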