mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-12 03:10:13 +00:00
* as reported by openembedded-core/scripts/contrib/patchreview.py -v .

Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch)
Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/disable_perl_h_check.patch)
Missing Upstream-Status tag (./recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch)
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-pid-path.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/suricata/files/fixup.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-scanners/clamav/files/fix2_libcurl_check.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/isic/files/configure_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/krill/files/panic_workaround.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libdns_conf_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libxml2_conf.patch

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
66 lines
2.6 KiB
From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Mon, 5 Sep 2016 10:28:08 +0800
Subject: [PATCH] ecryptfs-utils: CVE-2016-6224

src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
being automatically enabled by systemd. This bug affected GPT partitioned
NVMe/MMC drives and resulted in the swap partition being used without
encryption. It also resulted in a usability issue in that users were
erroneously prompted to enter a pass-phrase to unlock their swap partition
at boot. (LP: #1597154)

the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882

Upstream-Status: Backport

Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
 ChangeLog                     |  9 +++++++++
 src/utils/ecryptfs-setup-swap | 10 ++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d255a94..2c9c73e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+ [ Jason Gerard DeRose ]
+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+ being automatically enabled by systemd. This bug affected GPT partitioned
+ NVMe/MMC drives and resulted in the swap partition being used without
+ encryption. It also resulted in a usability issue in that users were
+ erroneously prompted to enter a pass-phrase to unlock their swap partition
+ at boot. (LP: #1597154)
+
ecryptfs-utils-74
[ Michal Hlavinka ]
* Changes for RH/Fedora release
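Review bot: the new ChangeLog entry (the `+ * src/utils/ecryptfs-setup-swap:` block) names only the Launchpad bug, `(LP: #1597154)`, while the patch subject identifies this as the CVE-2016-6224 fix; adding the CVE identifier to the entry would let downstream security tracking match the release note to the advisory.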
diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
index 41cf18a..e4785d7 100755
--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
@@ -166,8 +166,14 @@ for swap in $swaps; do
# If this is a GPT partition, mark it as no-auto mounting, to avoid
# auto-activating it on boot
if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
- drive="${swap%[0-9]*}"
- partno="${swap#$drive}"
+ # Correctly handle NVMe/MMC drives, as well as any similar physical
+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+ else
+ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+ fi
+ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
if [ -b "$drive" ]; then
if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
echo "$swap is already marked as no-auto"
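Review bot: the new `drive=$(echo "$swap" | sed ...)` and `partno=$(echo "$swap" | sed ...)` substitutions are unanchored, and sed returns its input unchanged when the pattern does not match, so a `$swap` that does not end in a partition number leaves `drive` equal to `$swap` and `partno` equal to the full path, and the following `if [ -b "$drive" ]` still succeeds; rejecting the case where the extracted `drive` or `partno` equals `$swap` (or anchoring the patterns with `^` and `$` and checking that the substitution applied) would make the branch fail safe instead of falling through to the fdisk call. Minor: the added comment "block device that follow" should read "follows".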
--
1.9.1
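Added example, not code from the ecryptfs-utils patch or the meta-security layer: the same drive/partition-number split done with POSIX parameter expansion, handling a path with no partition suffix, beside the pre-patch expansion to show why `/dev/nvme0n1p2` was never flagged (it also shows, beyond what the commit message states, that the old form truncated two-digit partition numbers such as `/dev/sda10`). The device names are constructed strings and no device is touched.

```shell
#!/bin/sh
# Added example (not ecryptfs-utils code): split a swap partition path into
# parent drive and partition number the way the patched ecryptfs-setup-swap
# does, using POSIX parameter expansion instead of echo | grep | sed, and
# failing explicitly when the path has no partition-number suffix (the sed
# substitutions in the patch return their input unchanged in that case).

# Pre-patch parsing, kept for comparison: "${swap%[0-9]*}" removes only the
# shortest digit suffix, so "/dev/nvme0n1p2" becomes "/dev/nvme0n1p", which
# is not a block device; the later [ -b "$drive" ] check fails and the
# partition is never flagged no-auto. It also mishandles two-digit partition
# numbers ("/dev/sda10" -> "/dev/sda1").
old_drive() { printf '%s\n' "${1%[0-9]*}"; }

# swap_split PATH: prints "DRIVE PARTNO"; returns 1 when PATH does not end
# in a partition number (e.g. a whole disk such as /dev/sda).
swap_split() {
    swap=$1
    partno=${swap##*[!0-9]}        # drop everything up to the last non-digit
    if [ -z "$partno" ] || [ "$partno" = "$swap" ]; then
        return 1
    fi
    drive=${swap%"$partno"}
    # NVMe/MMC style names end in "<digit>p<partno>": drop the "p" as well,
    # the case the patch detects with "^/dev/.+[0-9]+p[0-9]+$"
    case $drive in
        *[0-9]p) drive=${drive%p} ;;
    esac
    printf '%s %s\n' "$drive" "$partno"
}

swap_drive()  { swap_split "$1" | cut -d' ' -f1; }
swap_partno() { swap_split "$1" | cut -d' ' -f2; }

# Usage on constructed device names (no devices are touched):
for dev in /dev/sda1 /dev/sda10 /dev/nvme0n1p2 /dev/mmcblk0p1 /dev/sda; do
    if out=$(swap_split "$dev"); then
        echo "$dev -> drive=${out% *} partno=${out#* } (old: $(old_drive "$dev"))"
    else
        echo "$dev -> no partition number, would not be re-flagged"
    fi
done
```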