From 62db13fe917ef4a8ce1ae3cef03211c7d68ff88d Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Jul 15 2016 11:09:30 +0000
Subject: ecryptfs-utils updated to 111 - fix ecryptfs-setup-swap improperly configures encrypted swap when using GPT partitioning on a NVMe or MMC drive (CVE-2016-6224, rhbz#1356828)
---
diff --git a/.gitignore b/.gitignore
index 19aa673..ad782c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@ ecryptfs-mount-private.png
 /ecryptfs-utils_108.orig.tar.gz
 /ecryptfs-utils_109.orig.tar.gz
 /ecryptfs-utils_110.orig.tar.gz
+/ecryptfs-utils_111.orig.tar.gz
diff --git a/ecryptfs-utils-111-cve_2016_5224.patch b/ecryptfs-utils-111-cve_2016_5224.patch
new file mode 100644
index 0000000..d30ff8d
--- /dev/null
+++ b/ecryptfs-utils-111-cve_2016_5224.patch
@@ -0,0 +1,21 @@
+=== modified file 'src/utils/ecryptfs-setup-swap'
+--- a/src/utils/ecryptfs-setup-swap 2015-08-04 15:42:02 +0000
++++ a/src/utils/ecryptfs-setup-swap 2016-07-06 22:31:21 +0000
+@@ -166,8 +166,14 @@
+ # If this is a GPT partition, mark it as no-auto mounting, to avoid
+ # auto-activating it on boot
+ if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
+- drive="${swap%[0-9]*}"
+- partno="${swap#$drive}"
++ # Correctly handle NVMe/MMC drives, as well as any similar physical
++ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
++ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
++ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
++ else
++ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
++ fi
++ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
+ if [ -b "$drive" ]; then
+ if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
+ echo "$swap is already marked as no-auto"
+
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 414afbf..fc5fef6 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
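Review bot: The new patch file is named `ecryptfs-utils-111-cve_2016_5224.patch` while the subject line and the changelog entry cite CVE-2016-6224 against rhbz#1356828, so one of the two identifiers is a typo; most likely the file name (and the matching `Patch24:` and `%patch24 -p1 -b .cve_2016_5224` lines in the ecryptfs-utils.spec hunks) should be corrected so the advisory trail, the patch and its registration all carry the same CVE number. Within the hunk, the sed-based derivation is a heuristic: for a `$swap` value with no digits at all (a digit-free device-mapper name, say), none of the three sed expressions match and `drive` and `partno` fall back to `$swap` itself, so the following `[ -b "$drive" ]` test passes and `fdisk` is run against the swap device rather than its parent disk. The old `${swap%[0-9]*}` form behaved the same way, so this is not a regression, but a guard such as `if [ -b "$drive" ] && [ "$drive" != "$swap" ]; then` would make the fallback explicit. The enclosing GPT `if` block continues past the end of the hunk.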
@@ -4,7 +4,7 @@
 %global _sbindir /sbin
 Name: ecryptfs-utils
-Version: 110
+Version: 111
 Release: 1%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
@@ -64,6 +64,9 @@ Patch22: ecryptfs-utils-99-selinux.patch
 # rhbz#868330
 Patch23: ecryptfs-utils-100-sudokeyring.patch
+# for e-u < 112
+Patch24: ecryptfs-utils-111-cve_2016_5224.patch
+
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils, cryptsetup-luks, util-linux, gettext
 BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel
@@ -119,6 +122,7 @@ the interface supplied by the ecryptfs-utils library.
 %patch21 -p1 -b .groupcheck
 %patch22 -p1 -b .selinux
 %patch23 -p1 -b .sudokeyring
+%patch24 -p1 -b .cve_2016_5224
 %build
 %global _hardened_build 1
@@ -269,6 +273,11 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 %changelog
+* Fri Jul 15 2016 Michal Hlavinka - 111-1
+- ecryptfs-utils updated to 111
+- fix ecryptfs-setup-swap improperly configures encrypted swap when using GPT
+ partitioning on a NVMe or MMC drive (CVE-2016-6224, rhbz#1356828)
+
 * Mon Feb 29 2016 Michal Hlavinka - 110-1
 - ecryptfs-utils updated to 110
diff --git a/sources b/sources
index ea1999d..6a85677 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 e612ddb9ccb17f8fec79df26e626a8c6 ecryptfs-mount-private.png
-3205ce74b2236ee7fe94509dc0fe3660 ecryptfs-utils_110.orig.tar.gz
+83513228984f671930752c3518cac6fd ecryptfs-utils_111.orig.tar.gz
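Review bot: The comment `# for e-u < 112` above the new `Patch24:` line is too terse for the next packager to act on: it presumably means the fix is carried upstream from release 112 onward, but it names neither the issue being fixed nor the condition under which the patch is dropped. Suggest `# CVE-2016-6224 / rhbz#1356828: backport of the ecryptfs-setup-swap GPT (NVMe/MMC) fix; drop when rebasing to >= 112` so the registration line, the changelog entry later in this file and the patch itself tell the same story. The surrounding `Patch22`/`Patch23` lines follow the same rhbz-reference style, so matching it here keeps the spec consistent.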