Diffstat (limited to 'import-layers/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch')
-rw-r--r-- | import-layers/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch | 65 |
1 files changed, 0 insertions, 65 deletions
diff --git a/import-layers/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/import-layers/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch deleted file mode 100644 index 4252f97c3..000000000 --- a/import-layers/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 -From: Li Zhou <li.zhou@windriver.com> -Date: Mon, 5 Sep 2016 10:28:08 +0800 -Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 - -src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from -being automatically enabled by systemd. This bug affected GPT partitioned -NVMe/MMC drives and resulted in the swap partition being used without -encryption. It also resulted in a usability issue in that users were -erroneously prompted to enter a pass-phrase to unlock their swap partition -at boot. (LP: #1597154) - -the patch comes from: -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 -https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 - -Upstream-Status: backport - -Signed-off-by: Li Zhou <li.zhou@windriver.com> ---- - ChangeLog | 9 +++++++++ - src/utils/ecryptfs-setup-swap | 10 ++++++++-- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index d255a94..2c9c73e 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,12 @@ -+ecryptfs-utils-112 -+ [ Jason Gerard DeRose ] -+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from -+ being automatically enabled by systemd. This bug affected GPT partitioned -+ NVMe/MMC drives and resulted in the swap partition being used without -+ encryption. It also resulted in a usability issue in that users were -+ erroneously prompted to enter a pass-phrase to unlock their swap partition -+ at boot. 
(LP: #1597154) -+ - ecryptfs-utils-74 - [ Michal Hlavinka ] - * Changes for RH/Fedora release -diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap -index 41cf18a..e4785d7 100755 ---- a/src/utils/ecryptfs-setup-swap -+++ b/src/utils/ecryptfs-setup-swap -@@ -166,8 +166,14 @@ for swap in $swaps; do - # If this is a GPT partition, mark it as no-auto mounting, to avoid - # auto-activating it on boot - if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then -- drive="${swap%[0-9]*}" -- partno="${swap#$drive}" -+ # Correctly handle NVMe/MMC drives, as well as any similar physical -+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) -+ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then -+ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") -+ else -+ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") -+ fi -+ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") - if [ -b "$drive" ]; then - if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then - echo "$swap is already marked as no-auto" --- -1.9.1 - |
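Review bot: the whole-file deletion (`@@ -1,65 +0,0 @@`) drops the backported CVE-2016-6224 fix, and nothing in the visible diff shows why that is safe. The removed patch's own ChangeLog hunk lists the fix under ecryptfs-utils-112, so please state in the commit message that the recipe now builds a release containing it, and confirm that the recipe's SRC_URI entry for this file is removed in the same change. If the recipe still builds an older release, src/utils/ecryptfs-setup-swap goes back to the `drive="${swap%[0-9]*}"` parsing that the patch replaced for NVMe/MMC device names, which is the case where the swap partition ended up used without encryption.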