From 99cb156ae5307c20df842949703adbd4b80c32fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jpandre@users.sourceforge.net>
Date: Mon, 1 Jun 2015 12:48:43 +0200
Subject: [PATCH] Ported clearing the environment when starting mount or umount

When starting mount or umount, the environment was not cleared and
could be used for privilege escalation (CVE-2015-3202).
This is a port of the fix to full fuse by using execle(3) instead
of execl(3)
---
 libfuse-lite/mount_util.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/libfuse-lite/mount_util.c b/libfuse-lite/mount_util.c
index 1a7ac3c7..8ea5e088 100644
--- a/libfuse-lite/mount_util.c
+++ b/libfuse-lite/mount_util.c
@@ -66,6 +66,7 @@ int fuse_mnt_add_mount(const char *progname, const char *fsname,
         return -1;
     }
     if (res == 0) {
+        char *env = NULL;
         char templ[] = "/tmp/fusermountXXXXXX";
         char *tmp;
 
@@ -87,8 +88,8 @@ int fuse_mnt_add_mount(const char *progname, const char *fsname,
             exit(1);
         }
         rmdir(tmp);
-        execl("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts,
-              fsname, mnt, NULL);
+        execle("/sbin/mount", "/sbin/mount", "-F", type, "-o", opts,
+              fsname, mnt, NULL, &env);
         fprintf(stderr, "%s: failed to execute /sbin/mount: %s\n", progname,
                 strerror(errno));
         exit(1);
@@ -120,9 +121,16 @@ int fuse_mnt_umount(const char *progname, const char *mnt, int lazy)
         return -1;
     }
     if (res == 0) {
+        char *env = NULL;
+
         setuid(geteuid());
-        execl("/sbin/umount", "/sbin/umount", !lazy ? "-f" : NULL, mnt,
-              NULL);
+        if (lazy) {
+            execle("/sbin/umount", "/sbin/umount", mnt,
+                   NULL, &env);
+        } else {
+            execle("/sbin/umount", "/sbin/umount", "-f", mnt,
+                   NULL, &env);
+        }
         fprintf(stderr, "%s: failed to execute /sbin/umount: %s\n", progname,
                 strerror(errno));
         exit(1);
@@ -302,6 +310,7 @@ int fuse_mnt_add_mount(const char *progname, const char *fsname,
         return 0;
     }
     if (res == 0) {
+        char *env = NULL;
         char templ[] = "/tmp/fusermountXXXXXX";
         char *tmp;
 
@@ -325,8 +334,8 @@ int fuse_mnt_add_mount(const char *progname, const char *fsname,
             exit(1);
         }
         rmdir(tmp);
-        execl("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts,
-              fsname, mnt, NULL);
+        execle("/bin/mount", "/bin/mount", "-i", "-f", "-t", type, "-o", opts,
+               fsname, mnt, NULL, &env);
         fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", progname,
                 strerror(errno));
         exit(1);
@@ -353,11 +362,18 @@ int fuse_mnt_umount(const char *progname, const char *mnt, int lazy)
         return -1;
     }
     if (res == 0) {
+        char *env = NULL;
+
         if (setuid(geteuid()))
             fprintf(stderr, "%s: failed to setuid : %s\n", progname,
                          strerror(errno));
-        execl("/bin/umount", "/bin/umount", "-i", mnt, lazy ? "-l" : NULL,
-              NULL);
+        if (lazy) {
+            execle("/bin/umount", "/bin/umount", "-i", mnt, "-l",
+                   NULL, &env);
+        } else {
+            execle("/bin/umount", "/bin/umount", "-i", mnt,
+                   NULL, &env);
+        }
         fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", progname,
                 strerror(errno));
         exit(1);