summaryrefslogtreecommitdiff
path: root/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch')
-rw-r--r--meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
new file mode 100644
index 000000000..4252f97c3
--- /dev/null
+++ b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -0,0 +1,65 @@
+From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 5 Sep 2016 10:28:08 +0800
+Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
+
+src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+being automatically enabled by systemd. This bug affected GPT partitioned
+NVMe/MMC drives and resulted in the swap partition being used without
+encryption. It also resulted in a usability issue in that users were
+erroneously prompted to enter a pass-phrase to unlock their swap partition
+at boot. (LP: #1597154)
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
+https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ChangeLog | 9 +++++++++
+ src/utils/ecryptfs-setup-swap | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index d255a94..2c9c73e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++ecryptfs-utils-112
++ [ Jason Gerard DeRose ]
++ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
++ being automatically enabled by systemd. This bug affected GPT partitioned
++ NVMe/MMC drives and resulted in the swap partition being used without
++ encryption. It also resulted in a usability issue in that users were
++ erroneously prompted to enter a pass-phrase to unlock their swap partition
++ at boot. (LP: #1597154)
++
+ ecryptfs-utils-74
+ [ Michal Hlavinka ]
+ * Changes for RH/Fedora release
+diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
+index 41cf18a..e4785d7 100755
+--- a/src/utils/ecryptfs-setup-swap
++++ b/src/utils/ecryptfs-setup-swap
+@@ -166,8 +166,14 @@ for swap in $swaps; do
+ # If this is a GPT partition, mark it as no-auto mounting, to avoid
+ # auto-activating it on boot
+ if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
+- drive="${swap%[0-9]*}"
+- partno="${swap#$drive}"
++ # Correctly handle NVMe/MMC drives, as well as any similar physical
++ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
++ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
++ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
++ else
++ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
++ fi
++ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
+ if [ -b "$drive" ]; then
+ if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
+ echo "$swap is already marked as no-auto"
+--
+1.9.1
+