[arch-commits] Commit in ecryptfs-utils/repos (6 files)
Timothy Redaelli
tredaelli at archlinux.org
Mon Dec 12 16:43:35 UTC 2016
Date: Monday, December 12, 2016 @ 16:43:34
Author: tredaelli
Revision: 199039
archrelease: copy trunk to community-i686, community-x86_64
Added:
ecryptfs-utils/repos/community-i686/PKGBUILD
(from rev 199038, ecryptfs-utils/trunk/PKGBUILD)
ecryptfs-utils/repos/community-x86_64/PKGBUILD
(from rev 199038, ecryptfs-utils/trunk/PKGBUILD)
Deleted:
ecryptfs-utils/repos/community-i686/CVE-2016-1572.patch
ecryptfs-utils/repos/community-i686/PKGBUILD
ecryptfs-utils/repos/community-x86_64/CVE-2016-1572.patch
ecryptfs-utils/repos/community-x86_64/PKGBUILD
--------------------------------------+
/PKGBUILD | 64 ++++++++++++++++++++
community-i686/CVE-2016-1572.patch | 101 ---------------------------------
community-i686/PKGBUILD | 39 ------------
community-x86_64/CVE-2016-1572.patch | 101 ---------------------------------
community-x86_64/PKGBUILD | 39 ------------
5 files changed, 64 insertions(+), 280 deletions(-)
Deleted: community-i686/CVE-2016-1572.patch
===================================================================
--- community-i686/CVE-2016-1572.patch 2016-12-12 16:43:24 UTC (rev 199038)
+++ community-i686/CVE-2016-1572.patch 2016-12-12 16:43:34 UTC (rev 199039)
@@ -1,101 +0,0 @@
-From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
-From: Tyler Hicks <tyhicks at canonical.com>
-Date: Thu, 7 Jan 2016 19:39:14 -0600
-Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
-
-Refuse to mount over non-standard filesystems. Mounting over
-certain types filesystems is a red flag that the user is doing
-something devious, such as mounting over the /proc/self symlink
-target with malicious content in order to confuse programs that may
-attempt to parse those files. (LP: #1530566)
-
-https://launchpad.net/bugs/1530566
----
- debian/changelog | 8 +++++
- src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
- 2 files changed, 69 insertions(+)
-
---- a/src/utils/mount.ecryptfs_private.c
-+++ b/src/utils/mount.ecryptfs_private.c
-@@ -30,6 +30,7 @@
- #include <sys/param.h>
- #include <sys/stat.h>
- #include <sys/types.h>
-+#include <sys/vfs.h>
- #include <ctype.h>
- #include <errno.h>
- #include <keyutils.h>
-@@ -220,6 +221,62 @@ err:
- return NULL;
- }
-
-+static int check_cwd_f_type()
-+{
-+ /**
-+ * This is *not* a list of compatible lower filesystems list for
-+ * eCryptfs. This is a list of filesystems that we reasonably expect to
-+ * see mount.ecryptfs_private users mounting on top of. In other words,
-+ * the filesystem type of the 'target' parameter of mount(2).
-+ *
-+ * This whitelist is to prevent malicious mount.ecryptfs_private users
-+ * from mounting over filesystem types such as PROC_SUPER_MAGIC to
-+ * deceive other programs with a crafted /proc/self/*. See
-+ * https://launchpad.net/bugs/1530566 for more details.
-+ */
-+ __SWORD_TYPE f_type_whitelist[] = {
-+ 0x61756673 /* AUFS_SUPER_MAGIC */,
-+ 0x9123683E /* BTRFS_SUPER_MAGIC */,
-+ 0x00C36400 /* CEPH_SUPER_MAGIC */,
-+ 0xFF534D42 /* CIFS_MAGIC_NUMBER */,
-+ 0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
-+ 0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
-+ 0xF2F52010 /* F2FS_SUPER_MAGIC */,
-+ 0x65735546 /* FUSE_SUPER_MAGIC */,
-+ 0x01161970 /* GFS2_MAGIC */,
-+ 0x3153464A /* JFS_SUPER_MAGIC */,
-+ 0x0000564C /* NCP_SUPER_MAGIC */,
-+ 0x00006969 /* NFS_SUPER_MAGIC */,
-+ 0x00003434 /* NILFS_SUPER_MAGIC */,
-+ 0x5346544E /* NTFS_SB_MAGIC */,
-+ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
-+ 0x52654973 /* REISERFS_SUPER_MAGIC */,
-+ 0x73717368 /* SQUASHFS_MAGIC */,
-+ 0x01021994 /* TMPFS_MAGIC */,
-+ 0x58465342 /* XFS_SB_MAGIC */,
-+ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
-+ };
-+ struct statfs buf;
-+ size_t i, whitelist_len;
-+
-+ if (statfs(".", &buf) != 0) {
-+ fprintf(stderr, "Failed to check filesystem type: %m\n");
-+ return 1;
-+ }
-+
-+ whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
-+ for (i = 0; i < whitelist_len; i++) {
-+ if (buf.f_type == f_type_whitelist[i]) {
-+ return 0;
-+ }
-+ }
-+
-+ fprintf(stderr,
-+ "Refusing to mount over an unapproved filesystem type: %#lx\n",
-+ buf.f_type);
-+ return 1;
-+}
-+
- int check_ownership_mnt(uid_t uid, char **mnt) {
- /* Check ownership of mount point, chdir into it, and
- * canonicalize the path for use in mtab updating.
-@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) {
- goto fail;
- }
-
-+ if (check_cwd_f_type() != 0) {
-+ goto fail;
-+ }
-+
- if (mounting == 1) {
- /* Increment mount counter, errors non-fatal */
- if (increment(fh_counter) < 0) {
Deleted: community-i686/PKGBUILD
===================================================================
--- community-i686/PKGBUILD 2016-12-12 16:43:24 UTC (rev 199038)
+++ community-i686/PKGBUILD 2016-12-12 16:43:34 UTC (rev 199039)
@@ -1,39 +0,0 @@
-# $Id$
-# Maintainer: Timothy Redaelli <timothy.redaelli at gmail.com>
-# Contributor: Richard Murri <admin at richardmurri.com>
-# Contributor: Michal Krenek <mikos at sg1.cz>
-
-pkgname=ecryptfs-utils
-pkgver=108
-pkgrel=2
-arch=('i686' 'x86_64')
-pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
-url="https://launchpad.net/ecryptfs"
-license=('GPL')
-makedepends=('swig' 'intltool' 'gettext' 'python2')
-depends=('nss' 'pam')
-optdepends=('python2: for python module')
-source=("http://launchpad.net/ecryptfs/trunk/${pkgver}/+download/${pkgname}_${pkgver}.orig.tar.gz"
- "${pkgname}_${pkgver}.orig.tar.gz.sig::http://launchpad.net/ecryptfs/trunk/${pkgver}/+download/..-${pkgname}_${pkgver}.orig.tar.gz.asc"
- CVE-2016-1572.patch)
-md5sums=('80f2a73e14030239fa01a2f1e5606a0e'
- 'SKIP'
- '3932ca86f3f6e3c770d61d32b45ed3c0')
-validpgpkeys=('E2D9E1C5F9F5D59291F4607D95E64373F1529469')
-
-prepare() {
- cd "${pkgname}-${pkgver}"
- patch -p1 -i "$srcdir"/CVE-2016-1572.patch
-}
-
-build() {
- cd "${pkgname}-${pkgver}"
- ./configure --prefix=/usr --with-pamdir=/usr/lib/security PYTHON=python2
- make
-}
-
-package() {
- cd "${pkgname}-${pkgver}"
- make DESTDIR="$pkgdir/" rootsbindir='/usr/bin' install
- chmod +s "$pkgdir/usr/bin/mount.ecryptfs_private"
-}
Copied: ecryptfs-utils/repos/community-i686/PKGBUILD (from rev 199038, ecryptfs-utils/trunk/PKGBUILD)
===================================================================
--- community-i686/PKGBUILD (rev 0)
+++ community-i686/PKGBUILD 2016-12-12 16:43:34 UTC (rev 199039)
@@ -0,0 +1,32 @@
+# $Id$
+# Maintainer: Timothy Redaelli <timothy.redaelli at gmail.com>
+# Contributor: Richard Murri <admin at richardmurri.com>
+# Contributor: Michal Krenek <mikos at sg1.cz>
+
+pkgname=ecryptfs-utils
+pkgver=111
+pkgrel=1
+arch=('i686' 'x86_64')
+pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
+url="https://launchpad.net/ecryptfs"
+license=('GPL')
+makedepends=('swig' 'intltool' 'gettext' 'python2')
+depends=('nss' 'pam')
+optdepends=('python2: for python module')
+source=("https://launchpad.net/ecryptfs/trunk/${pkgver}/+download/${pkgname}_${pkgver}.orig.tar.gz"
+ "${pkgname}_${pkgver}.orig.tar.gz.sig::https://launchpad.net/ecryptfs/trunk/${pkgver}/+download/..-${pkgname}_${pkgver}.orig.tar.gz.asc")
+md5sums=('83513228984f671930752c3518cac6fd'
+ 'SKIP')
+validpgpkeys=('E2D9E1C5F9F5D59291F4607D95E64373F1529469')
+
+build() {
+ cd "${pkgname}-${pkgver}"
+ ./configure --prefix=/usr --with-pamdir=/usr/lib/security PYTHON=python2
+ make
+}
+
+package() {
+ cd "${pkgname}-${pkgver}"
+ make DESTDIR="$pkgdir/" rootsbindir='/usr/bin' install
+ chmod +s "$pkgdir/usr/bin/mount.ecryptfs_private"
+}
Deleted: community-x86_64/CVE-2016-1572.patch
===================================================================
--- community-x86_64/CVE-2016-1572.patch 2016-12-12 16:43:24 UTC (rev 199038)
+++ community-x86_64/CVE-2016-1572.patch 2016-12-12 16:43:34 UTC (rev 199039)
@@ -1,101 +0,0 @@
-From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
-From: Tyler Hicks <tyhicks at canonical.com>
-Date: Thu, 7 Jan 2016 19:39:14 -0600
-Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
-
-Refuse to mount over non-standard filesystems. Mounting over
-certain types filesystems is a red flag that the user is doing
-something devious, such as mounting over the /proc/self symlink
-target with malicious content in order to confuse programs that may
-attempt to parse those files. (LP: #1530566)
-
-https://launchpad.net/bugs/1530566
----
- debian/changelog | 8 +++++
- src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
- 2 files changed, 69 insertions(+)
-
---- a/src/utils/mount.ecryptfs_private.c
-+++ b/src/utils/mount.ecryptfs_private.c
-@@ -30,6 +30,7 @@
- #include <sys/param.h>
- #include <sys/stat.h>
- #include <sys/types.h>
-+#include <sys/vfs.h>
- #include <ctype.h>
- #include <errno.h>
- #include <keyutils.h>
-@@ -220,6 +221,62 @@ err:
- return NULL;
- }
-
-+static int check_cwd_f_type()
-+{
-+ /**
-+ * This is *not* a list of compatible lower filesystems list for
-+ * eCryptfs. This is a list of filesystems that we reasonably expect to
-+ * see mount.ecryptfs_private users mounting on top of. In other words,
-+ * the filesystem type of the 'target' parameter of mount(2).
-+ *
-+ * This whitelist is to prevent malicious mount.ecryptfs_private users
-+ * from mounting over filesystem types such as PROC_SUPER_MAGIC to
-+ * deceive other programs with a crafted /proc/self/*. See
-+ * https://launchpad.net/bugs/1530566 for more details.
-+ */
-+ __SWORD_TYPE f_type_whitelist[] = {
-+ 0x61756673 /* AUFS_SUPER_MAGIC */,
-+ 0x9123683E /* BTRFS_SUPER_MAGIC */,
-+ 0x00C36400 /* CEPH_SUPER_MAGIC */,
-+ 0xFF534D42 /* CIFS_MAGIC_NUMBER */,
-+ 0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
-+ 0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
-+ 0xF2F52010 /* F2FS_SUPER_MAGIC */,
-+ 0x65735546 /* FUSE_SUPER_MAGIC */,
-+ 0x01161970 /* GFS2_MAGIC */,
-+ 0x3153464A /* JFS_SUPER_MAGIC */,
-+ 0x0000564C /* NCP_SUPER_MAGIC */,
-+ 0x00006969 /* NFS_SUPER_MAGIC */,
-+ 0x00003434 /* NILFS_SUPER_MAGIC */,
-+ 0x5346544E /* NTFS_SB_MAGIC */,
-+ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
-+ 0x52654973 /* REISERFS_SUPER_MAGIC */,
-+ 0x73717368 /* SQUASHFS_MAGIC */,
-+ 0x01021994 /* TMPFS_MAGIC */,
-+ 0x58465342 /* XFS_SB_MAGIC */,
-+ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
-+ };
-+ struct statfs buf;
-+ size_t i, whitelist_len;
-+
-+ if (statfs(".", &buf) != 0) {
-+ fprintf(stderr, "Failed to check filesystem type: %m\n");
-+ return 1;
-+ }
-+
-+ whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
-+ for (i = 0; i < whitelist_len; i++) {
-+ if (buf.f_type == f_type_whitelist[i]) {
-+ return 0;
-+ }
-+ }
-+
-+ fprintf(stderr,
-+ "Refusing to mount over an unapproved filesystem type: %#lx\n",
-+ buf.f_type);
-+ return 1;
-+}
-+
- int check_ownership_mnt(uid_t uid, char **mnt) {
- /* Check ownership of mount point, chdir into it, and
- * canonicalize the path for use in mtab updating.
-@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) {
- goto fail;
- }
-
-+ if (check_cwd_f_type() != 0) {
-+ goto fail;
-+ }
-+
- if (mounting == 1) {
- /* Increment mount counter, errors non-fatal */
- if (increment(fh_counter) < 0) {
Deleted: community-x86_64/PKGBUILD
===================================================================
--- community-x86_64/PKGBUILD 2016-12-12 16:43:24 UTC (rev 199038)
+++ community-x86_64/PKGBUILD 2016-12-12 16:43:34 UTC (rev 199039)
@@ -1,39 +0,0 @@
-# $Id$
-# Maintainer: Timothy Redaelli <timothy.redaelli at gmail.com>
-# Contributor: Richard Murri <admin at richardmurri.com>
-# Contributor: Michal Krenek <mikos at sg1.cz>
-
-pkgname=ecryptfs-utils
-pkgver=108
-pkgrel=2
-arch=('i686' 'x86_64')
-pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
-url="https://launchpad.net/ecryptfs"
-license=('GPL')
-makedepends=('swig' 'intltool' 'gettext' 'python2')
-depends=('nss' 'pam')
-optdepends=('python2: for python module')
-source=("http://launchpad.net/ecryptfs/trunk/${pkgver}/+download/${pkgname}_${pkgver}.orig.tar.gz"
- "${pkgname}_${pkgver}.orig.tar.gz.sig::http://launchpad.net/ecryptfs/trunk/${pkgver}/+download/..-${pkgname}_${pkgver}.orig.tar.gz.asc"
- CVE-2016-1572.patch)
-md5sums=('80f2a73e14030239fa01a2f1e5606a0e'
- 'SKIP'
- '3932ca86f3f6e3c770d61d32b45ed3c0')
-validpgpkeys=('E2D9E1C5F9F5D59291F4607D95E64373F1529469')
-
-prepare() {
- cd "${pkgname}-${pkgver}"
- patch -p1 -i "$srcdir"/CVE-2016-1572.patch
-}
-
-build() {
- cd "${pkgname}-${pkgver}"
- ./configure --prefix=/usr --with-pamdir=/usr/lib/security PYTHON=python2
- make
-}
-
-package() {
- cd "${pkgname}-${pkgver}"
- make DESTDIR="$pkgdir/" rootsbindir='/usr/bin' install
- chmod +s "$pkgdir/usr/bin/mount.ecryptfs_private"
-}
Copied: ecryptfs-utils/repos/community-x86_64/PKGBUILD (from rev 199038, ecryptfs-utils/trunk/PKGBUILD)
===================================================================
--- community-x86_64/PKGBUILD (rev 0)
+++ community-x86_64/PKGBUILD 2016-12-12 16:43:34 UTC (rev 199039)
@@ -0,0 +1,32 @@
+# $Id$
+# Maintainer: Timothy Redaelli <timothy.redaelli at gmail.com>
+# Contributor: Richard Murri <admin at richardmurri.com>
+# Contributor: Michal Krenek <mikos at sg1.cz>
+
+pkgname=ecryptfs-utils
+pkgver=111
+pkgrel=1
+arch=('i686' 'x86_64')
+pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
+url="https://launchpad.net/ecryptfs"
+license=('GPL')
+makedepends=('swig' 'intltool' 'gettext' 'python2')
+depends=('nss' 'pam')
+optdepends=('python2: for python module')
+source=("https://launchpad.net/ecryptfs/trunk/${pkgver}/+download/${pkgname}_${pkgver}.orig.tar.gz"
+ "${pkgname}_${pkgver}.orig.tar.gz.sig::https://launchpad.net/ecryptfs/trunk/${pkgver}/+download/..-${pkgname}_${pkgver}.orig.tar.gz.asc")
+md5sums=('83513228984f671930752c3518cac6fd'
+ 'SKIP')
+validpgpkeys=('E2D9E1C5F9F5D59291F4607D95E64373F1529469')
+
+build() {
+ cd "${pkgname}-${pkgver}"
+ ./configure --prefix=/usr --with-pamdir=/usr/lib/security PYTHON=python2
+ make
+}
+
+package() {
+ cd "${pkgname}-${pkgver}"
+ make DESTDIR="$pkgdir/" rootsbindir='/usr/bin' install
+ chmod +s "$pkgdir/usr/bin/mount.ecryptfs_private"
+}
More information about the arch-commits
mailing list