base-files: don't evaluate block-device uevent

Current code and also before commit da52dd0c83 was vulnerable to shell
injection using volume lables in the GPT partition table of block
devices. Given that partition names can be freely defined in GPT tables
we really shouldn't evaluate a string which is potentially crafted with
evil intentions. Hence rather use `export -n` to absorb the uevent's
variables into the environment.

Fixes commit da52dd0c83 (base-files: quote values when evaluating uevent)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[mschiffer@universe-factory.net: suggested export -n usage]
master
Daniel Golle 7 years ago
parent 49d3c5f057
commit 267873ac9b
No known key found for this signature in database
GPG Key ID: DD8D36F0A710502F
  1. 12
      package/base-files/files/lib/upgrade/common.sh

@ -101,7 +101,7 @@ get_magic_long() {
} }
export_bootdevice() { export_bootdevice() {
local cmdline uuid disk uevent local cmdline uuid disk uevent line
local MAJOR MINOR DEVNAME DEVTYPE local MAJOR MINOR DEVNAME DEVTYPE
if read cmdline < /proc/cmdline; then if read cmdline < /proc/cmdline; then
@ -134,7 +134,9 @@ export_bootdevice() {
esac esac
if [ -e "$uevent" ]; then if [ -e "$uevent" ]; then
eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")" while read line; do
export -n "$line"
done < "$uevent"
export BOOTDEV_MAJOR=$MAJOR export BOOTDEV_MAJOR=$MAJOR
export BOOTDEV_MINOR=$MINOR export BOOTDEV_MINOR=$MINOR
return 0 return 0
@ -146,10 +148,12 @@ export_bootdevice() {
export_partdevice() { export_partdevice() {
local var="$1" offset="$2" local var="$1" offset="$2"
local uevent MAJOR MINOR DEVNAME DEVTYPE local uevent line MAJOR MINOR DEVNAME DEVTYPE
for uevent in /sys/class/block/*/uevent; do for uevent in /sys/class/block/*/uevent; do
eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")" while read line; do
export -n "$line"
done < "$uevent"
if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
export "$var=$DEVNAME" export "$var=$DEVNAME"
return 0 return 0

Loading…
Cancel
Save