Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

rhel 6
shell weakness #5

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

fuse-2.8.3/lib/mount_util.c

Context:

The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 6 shell weakness.

 	sigemptyset(&blockmask);
	sigaddset(&blockmask, SIGCHLD);
	res = sigprocmask(SIG_BLOCK, &blockmask, &oldmask);
	if (res == -1) {
		fprintf(stderr, "%s: sigprocmask: %s\n", progname, strerror(errno));
		return -1;
	}

	res = fork();
	if (res == -1) {
		fprintf(stderr, "%s: fork: %s\n", progname, strerror(errno));
		goto out_restore;
	}
	if (res == 0) {
		/*
		 * Hide output, because old versions don't support
		 * --no-canonicalize
		 */
		int fd = open("/dev/null", O_RDONLY);
		dup2(fd, 1);
		dup2(fd, 2);

		sigprocmask(SIG_SETMASK, &oldmask, NULL);
		setuid(geteuid());
		execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
		      "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
		fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
			progname, strerror(errno));
		exit(1);
	}
	res = waitpid(res, &status, 0);
	if (res == -1)
		fprintf(stderr, "%s: waitpid: %s\n", progname, strerror(errno));

	if (status != 0)
		res = -1;

 out_restore:
	sigprocmask(SIG_SETMASK, &oldmask, NULL);

	return res;
}

int fuse_mnt_add_mount(const char *progname, const char *fsname,
		       const char *mnt, const char *type, const char *opts)
{
	int res;

	if (!mtab_needs_update(mnt))
		return 0; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.