1eb8dc403SDave CobbleyFrom 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 2eb8dc403SDave CobbleyFrom: Li Zhou <li.zhou@windriver.com> 3eb8dc403SDave CobbleyDate: Mon, 5 Sep 2016 10:28:08 +0800 4eb8dc403SDave CobbleySubject: [PATCH] ecryptfs-utils: CVE-2016-6224 5eb8dc403SDave Cobbley 6eb8dc403SDave Cobbleysrc/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from 7eb8dc403SDave Cobbleybeing automatically enabled by systemd. This bug affected GPT partitioned 8eb8dc403SDave CobbleyNVMe/MMC drives and resulted in the swap partition being used without 9eb8dc403SDave Cobbleyencryption. It also resulted in a usability issue in that users were 10eb8dc403SDave Cobbleyerroneously prompted to enter a pass-phrase to unlock their swap partition 11eb8dc403SDave Cobbleyat boot. (LP: #1597154) 12eb8dc403SDave Cobbley 13eb8dc403SDave Cobbleythe patch comes from: 14eb8dc403SDave Cobbleyhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 15eb8dc403SDave Cobbleyhttps://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 16eb8dc403SDave Cobbley 17*520786ccSPatrick WilliamsUpstream-Status: Backport 18eb8dc403SDave Cobbley 19eb8dc403SDave CobbleySigned-off-by: Li Zhou <li.zhou@windriver.com> 20eb8dc403SDave Cobbley--- 21eb8dc403SDave Cobbley ChangeLog | 9 +++++++++ 22eb8dc403SDave Cobbley src/utils/ecryptfs-setup-swap | 10 ++++++++-- 23eb8dc403SDave Cobbley 2 files changed, 17 insertions(+), 2 deletions(-) 24eb8dc403SDave Cobbley 25eb8dc403SDave Cobbleydiff --git a/ChangeLog b/ChangeLog 26eb8dc403SDave Cobbleyindex d255a94..2c9c73e 100644 27eb8dc403SDave Cobbley--- a/ChangeLog 28eb8dc403SDave Cobbley+++ b/ChangeLog 29eb8dc403SDave Cobbley@@ -1,3 +1,12 @@ 30eb8dc403SDave Cobbley+ecryptfs-utils-112 31eb8dc403SDave Cobbley+ [ Jason Gerard DeRose ] 32eb8dc403SDave Cobbley+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from 33eb8dc403SDave Cobbley+ being automatically enabled by systemd. 
This bug affected GPT partitioned 34eb8dc403SDave Cobbley+ NVMe/MMC drives and resulted in the swap partition being used without 35eb8dc403SDave Cobbley+ encryption. It also resulted in a usability issue in that users were 36eb8dc403SDave Cobbley+ erroneously prompted to enter a pass-phrase to unlock their swap partition 37eb8dc403SDave Cobbley+ at boot. (LP: #1597154) 38eb8dc403SDave Cobbley+ 39eb8dc403SDave Cobbley ecryptfs-utils-74 40eb8dc403SDave Cobbley [ Michal Hlavinka ] 41eb8dc403SDave Cobbley * Changes for RH/Fedora release 42eb8dc403SDave Cobbleydiff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap 43eb8dc403SDave Cobbleyindex 41cf18a..e4785d7 100755 44eb8dc403SDave Cobbley--- a/src/utils/ecryptfs-setup-swap 45eb8dc403SDave Cobbley+++ b/src/utils/ecryptfs-setup-swap 46eb8dc403SDave Cobbley@@ -166,8 +166,14 @@ for swap in $swaps; do 47eb8dc403SDave Cobbley # If this is a GPT partition, mark it as no-auto mounting, to avoid 48eb8dc403SDave Cobbley # auto-activating it on boot 49eb8dc403SDave Cobbley if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then 50eb8dc403SDave Cobbley- drive="${swap%[0-9]*}" 51eb8dc403SDave Cobbley- partno="${swap#$drive}" 52eb8dc403SDave Cobbley+ # Correctly handle NVMe/MMC drives, as well as any similar physical 53eb8dc403SDave Cobbley+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) 54eb8dc403SDave Cobbley+ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then 55eb8dc403SDave Cobbley+ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") 56eb8dc403SDave Cobbley+ else 57eb8dc403SDave Cobbley+ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") 58eb8dc403SDave Cobbley+ fi 59eb8dc403SDave Cobbley+ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") 60eb8dc403SDave Cobbley if [ -b "$drive" ]; then 61eb8dc403SDave Cobbley if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then 62eb8dc403SDave Cobbley echo "$swap is already marked as 
no-auto" 63eb8dc403SDave Cobbley-- 64eb8dc403SDave Cobbley1.9.1 65eb8dc403SDave Cobbley 66
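Review bot: in the src/utils/ecryptfs-setup-swap hunk, the `[ -b "$drive" ]` test does not catch a failed derivation of `drive`. When neither `sed` pattern matches, `sed` prints `$swap` unchanged, and the partition is itself a block device, so the test passes and `fdisk "$drive"` is run against the partition instead of the disk. Add an explicit check before the `-b` test, for example that `"$drive" != "$swap"` and that `$partno` consists only of digits, and exit with an error when it fails, since a swap partition that does not get marked no-auto is the condition the commit message describes. The three `sed` expressions are also unanchored while the `grep -qE` test that selects between them ends in `$`, and they rely on `\+`, which is a GNU extension in basic regular expressions. Anchoring them with `$` and writing `[0-9][0-9]*` (or switching to `sed -E`) would keep them consistent with the grep and portable to other sed implementations.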
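Review bot: in the ChangeLog hunk, the new entry is headed `ecryptfs-utils-112` and lands directly above `ecryptfs-utils-74`, so after this backport the ChangeLog names a release that the patched tree may not be, and the entry cites only LP: #1597154 without the CVE-2016-6224 identifier from the subject line. For a backport, consider dropping the ChangeLog hunk and keeping the provenance in the patch header, or adding the CVE identifier to the entry so the fix can be found by searching the tree.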