| 1 | From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 |
| 2 | From: Li Zhou <li.zhou@windriver.com> |
| 3 | Date: Mon, 5 Sep 2016 10:28:08 +0800 |
| 4 | Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 |
| 5 | |
| 6 | src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from |
| 7 | being automatically enabled by systemd. This bug affected GPT partitioned |
| 8 | NVMe/MMC drives and resulted in the swap partition being used without |
| 9 | encryption. It also resulted in a usability issue in that users were |
| 10 | erroneously prompted to enter a pass-phrase to unlock their swap partition |
| 11 | at boot. (LP: #1597154) |
| 12 | |
| 13 | the patch comes from: |
| 14 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 |
| 15 | https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 |
| 16 | |
| 17 | Upstream-Status: backport |
| 18 | |
| 19 | Signed-off-by: Li Zhou <li.zhou@windriver.com> |
| 20 | --- |
| 21 | ChangeLog | 9 +++++++++ |
| 22 | src/utils/ecryptfs-setup-swap | 10 ++++++++-- |
| 23 | 2 files changed, 17 insertions(+), 2 deletions(-) |
| 24 | |
| 25 | diff --git a/ChangeLog b/ChangeLog |
| 26 | index d255a94..2c9c73e 100644 |
| 27 | --- a/ChangeLog |
| 28 | +++ b/ChangeLog |
| 29 | @@ -1,3 +1,12 @@ |
| 30 | +ecryptfs-utils-112 |
| 31 | + [ Jason Gerard DeRose ] |
| 32 | + * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from |
| 33 | + being automatically enabled by systemd. This bug affected GPT partitioned |
| 34 | + NVMe/MMC drives and resulted in the swap partition being used without |
| 35 | + encryption. It also resulted in a usability issue in that users were |
| 36 | + erroneously prompted to enter a pass-phrase to unlock their swap partition |
| 37 | + at boot. (LP: #1597154) |
| 38 | + |
| 39 | ecryptfs-utils-74 |
| 40 | [ Michal Hlavinka ] |
| 41 | * Changes for RH/Fedora release |
| 42 | diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap |
| 43 | index 41cf18a..e4785d7 100755 |
| 44 | --- a/src/utils/ecryptfs-setup-swap |
| 45 | +++ b/src/utils/ecryptfs-setup-swap |
| 46 | @@ -166,8 +166,14 @@ for swap in $swaps; do |
| 47 | # If this is a GPT partition, mark it as no-auto mounting, to avoid |
| 48 | # auto-activating it on boot |
| 49 | if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then |
| 50 | - drive="${swap%[0-9]*}" |
| 51 | - partno="${swap#$drive}" |
| 52 | + # Correctly handle NVMe/MMC drives, as well as any similar physical |
| 53 | + # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) |
| 54 | + if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then |
| 55 | + drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") |
| 56 | + else |
| 57 | + drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") |
| 58 | + fi |
| 59 | + partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") |
| 60 | if [ -b "$drive" ]; then |
| 61 | if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then |
| 62 | echo "$swap is already marked as no-auto" |
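Review bot: Neither sed fallback on the new `drive=` and `partno=` lines checks that a prefix was actually stripped, so a `$swap` value with no trailing digit run (a by-uuid symlink or device-mapper name, if the loop over `$swaps` can supply one — its setup is outside the hunk) leaves `drive` equal to `$swap` itself; `[ -b "$drive" ]` then passes and fdisk is run against the swap device rather than its parent disk. The three sed expressions are also unanchored and rely on greedy matching, so a name they do not fit is passed through unchanged rather than rejected. I would add, before `if [ -b "$drive" ]`, `case "$partno" in ''|*[!0-9]*) echo "cannot determine partition number for $swap" >&2; continue;; esac` and skip likewise when `[ "$drive" = "$swap" ]`, so an unrecognised device name fails closed instead of reaching fdisk. The for-loop body continues past the end of the hunk.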
| 63 | -- |
| 64 | 1.9.1 |
| 65 | |