From 8dc5e3958166da7423f08b018335c4fac7c414a1 Mon Sep 17 00:00:00 2001
From: Ian Kent <iankent@fedoraproject.org>
Date: Dec 21 2007 10:47:56 +0000
Subject: - Bug 426400: CVE-2007-6285 autofs default doesn't set nodev in /net [f8]

- use mount option "nodev" for "-hosts" map unless "dev" is explicily
    specified.

---

diff --git a/autofs-5.0.2-hosts-nodev-default.patch b/autofs-5.0.2-hosts-nodev-default.patch
new file mode 100644
index 0000000..029e217
--- /dev/null
+++ b/autofs-5.0.2-hosts-nodev-default.patch
@@ -0,0 +1,77 @@
+diff --git a/man/auto.master.5.in b/man/auto.master.5.in
+index 56aaa5d..49a711c 100644
+--- a/man/auto.master.5.in
++++ b/man/auto.master.5.in
+@@ -196,8 +196,8 @@ For example, with an entry in the master map of
+ accessing /net/myserver will mount exports from myserver on directories below
+ /net/myserver.
+ .P
+-NOTE: mounts done from a hosts map will be mounted with the "nosuid" option
+-unless the "suid" option is explicitly given in the master map entry.
++NOTE: mounts done from a hosts map will be mounted with the "nosuid" and "nodev" options
++unless the options "suid" and "dev" are explicitly given in the master map entry.
+ .SH LDAP MAPS
+ If the map type \fBldap\fP is specified the mapname is of the form
+ \fB[//servername/]dn\fP, where the optional \fBservername\fP is
+diff --git a/modules/parse_sun.c b/modules/parse_sun.c
+index a97a7aa..4241f16 100644
+--- a/modules/parse_sun.c
++++ b/modules/parse_sun.c
+@@ -589,8 +589,12 @@ static int sun_mount(struct autofs_point *ap, const char *root,
+ 	type = ap->entry->maps->type;
+ 	if (type && !strcmp(type, "hosts")) {
+ 		if (options) {
+-			if (!strstr(options, "suid")) {
+-				char *tmp = alloca(strlen(options) + 8);
++			int len = strlen(options);
++			int suid = strstr(options, "suid") ? 0 : 7;
++			int dev = strstr(options, "dev") ? 0 : 6;
++
++			if (suid || dev) {
++				char *tmp = alloca(len + suid + dev + 1);
+ 				if (!tmp) {
+ 					error(ap->logopt, MODPREFIX
+ 					      "alloca failed for options");
+@@ -598,12 +602,16 @@ static int sun_mount(struct autofs_point *ap, const char *root,
+ 						return -1;
+ 					return 1;
+ 				}
++
+ 				strcpy(tmp, options);
+-				strcat(tmp, ",nosuid");
++				if (suid)
++					strcat(tmp, ",nosuid");
++				if (dev)
++					strcat(tmp, ",nodev");
+ 				options = tmp;
+ 			}
+ 		} else {
+-			char *tmp = alloca(7);
++			char *tmp = alloca(13);
+ 			if (!tmp) {
+ 				error(ap->logopt,
+ 				      MODPREFIX "alloca failed for options");
+@@ -611,7 +619,7 @@ static int sun_mount(struct autofs_point *ap, const char *root,
+ 					return -1;
+ 				return 1;
+ 			}
+-			strcpy(tmp, "nosuid");
++			strcpy(tmp, "nosuid,nodev");
+ 			options = tmp;
+ 		}
+ 	}
+diff --git a/samples/auto.master b/samples/auto.master
+index 4995976..9fe5609 100644
+--- a/samples/auto.master
++++ b/samples/auto.master
+@@ -7,8 +7,8 @@
+ /misc	/etc/auto.misc
+ #
+ # NOTE: mounts done from a hosts map will be mounted with the
+-#	"nosuid" option unless the "suid" option is explicitly
+-#	given.
++#	"nosuid" and "nodev" options unless the "suid" and "dev"
++#	options are explicitly given.
+ #
+ /net	-hosts
+ #
diff --git a/autofs.spec b/autofs.spec
index 28e5acb..400532c 100644
--- a/autofs.spec
+++ b/autofs.spec
@@ -4,7 +4,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.0.2
-Release: 22
+Release: 23
 Epoch: 1
 License: GPL
 Group: System Environment/Daemons
@@ -57,6 +57,7 @@ Patch43: autofs-5.0.2-dynamic-logging-non-sasl.patch
 Patch44: autofs-5.0.2-singleton-host-list.patch
 Patch45: autofs-5.0.2-hosts-nosuid-default.patch
 Patch46: autofs-5.0.2-fd-close-on-exec-mutex.patch
+Patch47: autofs-5.0.2-hosts-nodev-default.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, hesiod-devel, openldap-devel, bison, flex, libxml2-devel, cyrus-sasl-devel, openssl-devel module-init-tools util-linux nfs-utils e2fsprogs
 Conflicts: kernel < 2.6.17
@@ -145,6 +146,7 @@ echo %{version}-%{release} > .version
 %patch44 -p1
 %patch45 -p1
 %patch46 -p1
+%patch47 -p1
 
 %build
 #CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr --libdir=%{_libdir}
@@ -197,6 +199,10 @@ fi
 %{_libdir}/autofs/
 
 %changelog
+* Fri Dec 21 2007 Ian Kent <ikent@redhat.com> - 5.0.1-23
+- Bug 426400: CVE-2007-6285 autofs default doesn't set nodev in /net [f8]
+  - use mount option "nodev" for "-hosts" map unless "dev" is explicily specified.
+
 * Tue Dec 18 2007 Ian Kent <ikent@redhat.com> - 5.0.2-22
 - Bug 397591 SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to <Unknown> (sysctl_fs_t).
   - prevent fork between fd open and setting of FD_CLOEXEC.