oss-sec mailing list archives

CVE-2018-14722: btrfsmaintenance: Code execution


From: Marcus Meissner <meissner () suse de>
Date: Tue, 14 Aug 2018 17:57:18 +0200

Hi,

SUSE employee Fabian Vogt has found a shell code injection issue in the "btrfsmaintenance" tools.

https://bugzilla.suse.com/show_bug.cgi?id=1102721

Mounting btrfs images with a label including shell injection characters could cause
the cron jobs (running as root) to execute the included shellcode.

Our proposed fix is attached to this email.

A bad image can be created with:
        mkfs.btrfs --label '`/evil/command`' /dev/sdx

Ciao, Marcus

Attachment: btrfsmaintenance-CVE-2018-14722.patch
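As an added illustration (not part of Marcus's mail and not btrfsmaintenance's own code), the following POSIX shell script contrasts the pattern that makes a label like the one above dangerous with a safe one, and adds a check a root cron script can apply before using a label at all; the label string and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample label in the style the advisory describes. If this
# string is ever re-parsed by a shell, the backticks become a command
# substitution (here a harmless echo instead of /evil/command).
EVIL_LABEL='`echo INJECTED`'

# Unsafe pattern: assembling a command line as a string and handing it to
# eval. The label is expanded into the string first, then eval parses the
# result as shell source, so the backticks execute with the script's
# privileges (root, in the cron job case).
unsafe_use_label() {
    eval "echo Label: $1"
}

# Safe pattern: the label is passed as one quoted argument. "$1" is expanded
# after parsing and never parsed again, so its content stays plain data.
safe_use_label() {
    printf 'Label: %s\n' "$1"
}

# Defensive check: refuse labels containing characters a shell would act on
# should they ever reach eval or an unquoted expansion. Each quoted pattern
# character matches itself literally.
label_is_clean() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*|*"'"*|*'"'*|*'\'*)
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Demonstration: the same label through both code paths.
unsafe_use_label "$EVIL_LABEL"   # prints: Label: INJECTED
safe_use_label   "$EVIL_LABEL"   # prints: Label: `echo INJECTED`
```

In a real maintenance script the label would come from a tool such as `btrfs filesystem label`, captured into a variable and used only inside double quotes, exactly as `safe_use_label` does.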