1*eb8dc403SDave CobbleyFrom 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
2*eb8dc403SDave CobbleyFrom: Li Zhou <li.zhou@windriver.com>
3*eb8dc403SDave CobbleyDate: Mon, 5 Sep 2016 10:28:08 +0800
4*eb8dc403SDave CobbleySubject: [PATCH] ecryptfs-utils: CVE-2016-6224
5*eb8dc403SDave Cobbley
6*eb8dc403SDave Cobbleysrc/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
7*eb8dc403SDave Cobbleybeing automatically enabled by systemd. This bug affected GPT partitioned
8*eb8dc403SDave CobbleyNVMe/MMC drives and resulted in the swap partition being used without
9*eb8dc403SDave Cobbleyencryption. It also resulted in a usability issue in that users were
10*eb8dc403SDave Cobbleyerroneously prompted to enter a pass-phrase to unlock their swap partition
11*eb8dc403SDave Cobbleyat boot. (LP: #1597154)
12*eb8dc403SDave Cobbley
13*eb8dc403SDave Cobbleythe patch comes from:
14*eb8dc403SDave Cobbleyhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
15*eb8dc403SDave Cobbleyhttps://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
16*eb8dc403SDave Cobbley
17*eb8dc403SDave CobbleyUpstream-Status: backport
18*eb8dc403SDave Cobbley
19*eb8dc403SDave CobbleySigned-off-by: Li Zhou <li.zhou@windriver.com>
20*eb8dc403SDave Cobbley---
21*eb8dc403SDave Cobbley ChangeLog                     |  9 +++++++++
22*eb8dc403SDave Cobbley src/utils/ecryptfs-setup-swap | 10 ++++++++--
23*eb8dc403SDave Cobbley 2 files changed, 17 insertions(+), 2 deletions(-)
24*eb8dc403SDave Cobbley
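diff --git a/ChangeLog b/ChangeLog
index d255a94..2c9c73e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+  [ Jason Gerard DeRose ]
+  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+    being automatically enabled by systemd. This bug affected GPT partitioned
+    NVMe/MMC drives and resulted in the swap partition being used without
+    encryption. It also resulted in a usability issue in that users were
+    erroneously prompted to enter a pass-phrase to unlock their swap partition
+    at boot. (LP: #1597154)
+
 ecryptfs-utils-74
   [ Michal Hlavinka ]
   * Changes for RH/Fedora release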
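diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
index 41cf18a..e4785d7 100755
--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
@@ -166,8 +166,14 @@ for swap in $swaps; do
 	# If this is a GPT partition, mark it as no-auto mounting, to avoid
 	# auto-activating it on boot
 	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
-		drive="${swap%[0-9]*}"
-		partno="${swap#$drive}"
+		# Correctly handle NVMe/MMC drives, as well as any similar physical
+		# block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+		if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+			drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+		else
+			drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+		fi
+		partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
 		if [ -b "$drive" ]; then
 			if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
 				echo "$swap is already marked as no-auto"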
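Review bot: The three new `sed` assignments leave `drive` and `partno` equal to `$swap` whenever their pattern does not match (an `s` command with no match passes its input through unchanged), so a swap path outside the two assumed naming schemes — a name that does not end in digits, or a symlink such as a `/dev/disk/by-*` path if the `$swaps` list built before this hunk can contain one — makes `[ -b "$drive" ]` succeed on the partition itself, runs fdisk against the partition instead of its parent disk, and silently leaves the partition auto-activatable, which is the unencrypted-swap condition this patch is meant to close. I would make a failed derivation explicit, e.g. `if [ "$drive" != "$swap" ] && [ -b "$drive" ]; then`, and emit a warning on stderr naming the device in the `else` branch of that test (the `for swap in $swaps` loop and the `if [ -b "$drive" ]` block both continue past the hunk). Since the line above the change already consults libblkid, `partno=$(blkid -p -s PART_ENTRY_NUMBER -o value "$swap")` would read the partition number from the partition table rather than inferring it from the device-name convention. As a point of style, the `echo | grep` and `echo | sed` pipelines can be a POSIX `case "$swap" in /dev/*[0-9]p[0-9]*) ... esac` with parameter expansion, which avoids three forks per device and `echo`'s treatment of names beginning with `-` or containing backslashes.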
63*eb8dc403SDave Cobbley--
64*eb8dc403SDave Cobbley1.9.1
65*eb8dc403SDave Cobbley