path: root/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
blob: 4252f97c3076bc04ad7beaffafae8ee2ad53eb70
From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Mon, 5 Sep 2016 10:28:08 +0800
Subject: [PATCH] ecryptfs-utils: CVE-2016-6224

src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
being automatically enabled by systemd. This bug affected GPT partitioned
NVMe/MMC drives and resulted in the swap partition being used without
encryption. It also resulted in a usability issue in that users were
erroneously prompted to enter a pass-phrase to unlock their swap partition
at boot. (LP: #1597154)

The patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882

Upstream-Status: backport

Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
 ChangeLog                     |  9 +++++++++
 src/utils/ecryptfs-setup-swap | 10 ++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d255a94..2c9c73e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+  [ Jason Gerard DeRose ]
+  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+    being automatically enabled by systemd. This bug affected GPT partitioned
+    NVMe/MMC drives and resulted in the swap partition being used without
+    encryption. It also resulted in a usability issue in that users were
+    erroneously prompted to enter a pass-phrase to unlock their swap partition
+    at boot. (LP: #1597154)
+
 ecryptfs-utils-74
   [ Michal Hlavinka ]
   * Changes for RH/Fedora release
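Review bot: the new entry is headed `ecryptfs-utils-112` but sits directly above `ecryptfs-utils-74`, which the hunk context shows is the top entry of this tree's ChangeLog, so the file now jumps from release 74 to 112 with nothing in between and implies a version this tree does not ship. For a backport, either drop the ChangeLog part of the hunk and keep the description in the patch header (where the upstream revision, bazaar r882, is already cited), or head the entry with that revision rather than an upstream release number.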
diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
index 41cf18a..e4785d7 100755
--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
@@ -166,8 +166,14 @@ for swap in $swaps; do
 	# If this is a GPT partition, mark it as no-auto mounting, to avoid
 	# auto-activating it on boot
 	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
-		drive="${swap%[0-9]*}"
-		partno="${swap#$drive}"
+		# Correctly handle NVMe/MMC drives, as well as any similar physical
+		# block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+		if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+			drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+		else
+			drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+		fi
+		partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
 		if [ -b "$drive" ]; then
 			if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
 				echo "$swap is already marked as no-auto"
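Review bot: the three `sed` substitutions on the `drive=` and `partno=` lines are unanchored, so a `$swap` path that matches neither pattern (a device-mapper node, or a `/dev/disk/by-*` symlink) passes through `sed` unchanged and `drive` ends up equal to `$swap`; the `[ -b "$drive" ]` test that follows still succeeds because the partition node is itself a block device, and `fdisk "$drive"` is then run against the partition instead of the disk. Add a check that the pieces reconstruct the input before the `-b` test, for example `[ "${drive}${partno}" = "$swap" ] || [ "${drive}p${partno}" = "$swap" ] || { echo "cannot derive disk for $swap"; continue; }`. The `echo | grep` / `echo | sed` pipelines also replace parameter expansion with three forks per swap device; the same split stays in the shell with `partno="${swap##*[!0-9]}"`, then `drive="${swap%$partno}"`, and `case "$swap" in *[0-9]p[0-9]*) drive="${drive%p}";; esac` for the NVMe/MMC form, which handles multi-digit partition numbers such as `/dev/sda10` and `/dev/nvme0n1p10` without any regex.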
-- 
1.9.1