Latest commit fbc6731, Sep 25, 2018
The expansion of the special keyword 'auto' was implemented in a way
that allowed external commands to be run if there was a crafted btrfs
filesystem present in the system.

The problem is not present if defaults are used. The configuration file
/etc/sys/config/btrfsmaintenance must contain 'auto' in one of the
BTRFS_*_MOUNTPOINTS variables. Then the following steps need to happen:

 mkfs.btrfs --label '`/evil/command`' /dev/sdx
 # /dev/sdx is auto-mounted
 # the respective btrfs-{scrub,trim,balance} job with configured 'auto' runs

The /evil/command is executed during the last step.

The problem is the use of eval in function evaluate_auto_mountpoint that
gets the name of the variable as a parameter and sets its value to the list
of mountpoints found in the filesystem.

Newly there's no eval and the list of paths is returned as a string.

CVE: CVE-2018-14722
Reported-by: Karol Babioch <kbabioch@suse.com>
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1102721
Signed-off-by: David Sterba <dsterba@suse.com>
4 contributors
@kdave @Micha-Btz @madmartin @comio
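
The eval pattern the commit message describes, next to the eval-free form that returns the list as a string. This is an added example, not the btrfsmaintenance source. The function names, the sample paths and the `MARKER` probe file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: hypothetical reconstruction, not the project's own code.

# Constructed input: mountpoint paths as an 'auto' expansion might find them.
# The second path stands for a mount named after a label that contains
# backticks. Single quotes keep the backticks as literal data here.
list_mountpoints() {
    printf '%s\n' '/mnt/data' '/run/media/`touch "$MARKER"`'
}

# Pre-fix pattern: the caller passes the NAME of a variable and eval assigns
# the list to it. eval re-parses the string as shell code, so the backticks
# in the path become a command substitution.
expand_auto_eval() {
    _list=$(list_mountpoints | tr '\n' ':')
    eval "$1=$_list"
}

# Post-fix pattern: no eval, the list is returned as a string on stdout and
# the caller captures it with VAR=$(expand_auto_string).
expand_auto_string() {
    list_mountpoints | tr '\n' ':'
}

# Run one variant and report whether the text embedded in the path was
# executed (harmless probe file created) or stayed inert data.
probe() {
    MARKER="${TMPDIR:-/tmp}/auto-probe.$$"
    rm -f "$MARKER"
    case $1 in
        eval)   expand_auto_eval RESULT ;;
        string) RESULT=$(expand_auto_string) ;;
    esac
    if [ -e "$MARKER" ]; then
        rm -f "$MARKER"
        echo executed
    else
        echo inert
    fi
}

echo "eval variant:   $(probe eval)"
echo "string variant: $(probe string)"
```

When reviewing similar scripts, any `eval` whose argument includes filesystem-derived strings (labels, mountpoints, device names) deserves the same scrutiny.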