1 files changed, 65 insertions, 0 deletions
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
new file mode 100644
index 0000000..4252f97
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -0,0 +1,65 @@
+From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 5 Sep 2016 10:28:08 +0800
+Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
+src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+being automatically enabled by systemd. This bug affected GPT partitioned
+NVMe/MMC drives and resulted in the swap partition being used without
+encryption. It also resulted in a usability issue in that users were
+erroneously prompted to enter a pass-phrase to unlock their swap partition
+at boot. (LP: #1597154)
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
+https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ChangeLog                     |  9 +++++++++
+ src/utils/ecryptfs-setup-swap | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index d255a94..2c9c73e 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+  [ Jason Gerard DeRose ]
+  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+    being automatically enabled by systemd. This bug affected GPT partitioned
+    NVMe/MMC drives and resulted in the swap partition being used without
+    encryption. It also resulted in a usability issue in that users were
+    erroneously prompted to enter a pass-phrase to unlock their swap partition
+    at boot. (LP: #1597154)
+
+ ecryptfs-utils-74
+   [ Michal Hlavinka ]
+   * Changes for RH/Fedora release
+diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
+index 41cf18a..e4785d7 100755
+--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
+@@ -166,8 +166,14 @@ for swap in $swaps; do
+        # If this is a GPT partition, mark it as no-auto mounting, to avoid
+        # auto-activating it on boot
+        if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
+-               drive="${swap%[0-9]*}"
+-               partno="${swap#$drive}"
+               # Correctly handle NVMe/MMC drives, as well as any similar physical
+               # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+               if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+                       drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+               else
+                       drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+               fi
+               partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
+                if [ -b "$drive" ]; then
+                        if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
+                                echo "$swap is already marked as no-auto"
+-- 
+1.9.1

diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch new file mode 100644 index 0000000..4252f97 --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -0,0 +1,65 @@
	1	From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
	2	From: Li Zhou <li.zhou@windriver.com>
	3	Date: Mon, 5 Sep 2016 10:28:08 +0800
	4	Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
	5
	6	src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
	7	being automatically enabled by systemd. This bug affected GPT partitioned
	8	NVMe/MMC drives and resulted in the swap partition being used without
	9	encryption. It also resulted in a usability issue in that users were
	10	erroneously prompted to enter a pass-phrase to unlock their swap partition
	11	at boot. (LP: #1597154)
	12
	13	the patch comes from:
	14	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
	15	https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
	16
	17	Upstream-Status: backport
	18
	19	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	20	---
	21	ChangeLog \| 9 +++++++++
	22	src/utils/ecryptfs-setup-swap \| 10 ++++++++--
	23	2 files changed, 17 insertions(+), 2 deletions(-)
	24
	25	diff --git a/ChangeLog b/ChangeLog
	26	index d255a94..2c9c73e 100644
	27	--- a/ChangeLog
	28	+++ b/ChangeLog
	29	@@ -1,3 +1,12 @@
	30	+ecryptfs-utils-112
	31	+ [ Jason Gerard DeRose ]
	32	+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
	33	+ being automatically enabled by systemd. This bug affected GPT partitioned
	34	+ NVMe/MMC drives and resulted in the swap partition being used without
	35	+ encryption. It also resulted in a usability issue in that users were
	36	+ erroneously prompted to enter a pass-phrase to unlock their swap partition
	37	+ at boot. (LP: #1597154)
	38	+
	39	ecryptfs-utils-74
	40	[ Michal Hlavinka ]
	41	* Changes for RH/Fedora release
	42	diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
	43	index 41cf18a..e4785d7 100755
	44	--- a/src/utils/ecryptfs-setup-swap
	45	+++ b/src/utils/ecryptfs-setup-swap
	46	@@ -166,8 +166,14 @@ for swap in $swaps; do
	47	# If this is a GPT partition, mark it as no-auto mounting, to avoid
	48	# auto-activating it on boot
	49	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
	50	- drive="${swap%[0-9]*}"
	51	- partno="${swap#$drive}"
	52	+ # Correctly handle NVMe/MMC drives, as well as any similar physical
	53	+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
	54	+ if echo "$swap" \| grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
	55	+ drive=$(echo "$swap" \| sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
	56	+ else
	57	+ drive=$(echo "$swap" \| sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
	58	+ fi
	59	+ partno=$(echo "$swap" \| sed "s:.\+[^0-9]\([0-9]\+\):\1:")
	60	if [ -b "$drive" ]; then
	61	if printf "x\np\n" \| fdisk "$drive" \| grep -q "^$swap .* GUID:.*\b63\b"; then
	62	echo "$swap is already marked as no-auto"
	63	--
	64	1.9.1
	65