Hello community, here is the log from the commit of package dracut for openSUSE:Factory checked in at 2016-11-12 12:58:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dracut (Old) and /work/SRC/openSUSE:Factory/.dracut.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut" Changes: -------- --- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2016-10-22 13:03:11.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes 2016-11-12 12:58:59.000000000 +0100 @@ -1,0 +2,23 @@ +Tue Nov 8 15:19:37 UTC 2016 - [email protected] + +- systemd-initrd: Add initrd-root-device.target. Cherry-pick to get + systemd v230 into factory (bsc1009089) + * add 0451-systemd-initrd-add-initrd-root-device.target.patch + +------------------------------------------------------------------- +Mon Nov 7 15:54:09 UTC 2016 - [email protected] + +- Bash cannot handle binary strigns with embedded NULs. This used + to work by accident, it no longer does starting from bash 4.4. + Strip NULs during all comparison operations as a workaround. + Addresses bsc989218. + * add 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch + +------------------------------------------------------------------- +Mon Nov 7 12:06:51 UTC 2016 - [email protected] + +- Do not create initramfs with world-readable permissions if + early microcode update is used bsc#1008340 CVE-2016-8637 + 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch + +------------------------------------------------------------------- New: ---- 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch 0451-systemd-initrd-add-initrd-root-device.target.patch 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut.spec ++++++ --- /var/tmp/diff_new_pack.uEo2BS/_old 2016-11-12 12:59:01.000000000 +0100 +++ /var/tmp/diff_new_pack.uEo2BS/_new 2016-11-12 12:59:01.000000000 +0100 
@@ -169,10 +169,15 @@ Patch403: 0403-95lunmask-Add-module-to-handle-LUN-masking.patch Patch404: 0404-dracut-emergency-optionally-print-fs-help.patch +# Workarounds/Patches no longer relevant in 045 +Patch450: 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch +Patch451: 0451-systemd-initrd-add-initrd-root-device.target.patch + # On top patches/fixes which have to be applied late Patch500: 0500-Reset-IFS-variable.patch Patch501: 0501-dasd_fix_ssid_bigger_zero.patch Patch502: 0502-persistent_device_policy_param_enhance.patch +Patch503: 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch BuildRequires: asciidoc BuildRequires: bash @@ -368,9 +373,13 @@ %patch403 -p1 %patch404 -p1 +%patch450 -p1 +%patch451 -p1 + %patch500 -p1 %patch501 -p1 %patch502 -p1 +%patch503 -p1 %build %configure\ ++++++ 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch ++++++ >From 8ebcb9c3ded888ecd5c6fc0bbf4c9f490c3cdb56 Mon Sep 17 00:00:00 2001 From: Daniel Molkentin <[email protected]> Date: Tue, 1 Mar 2016 21:03:18 +0100 Subject: [PATCH] Strip NUL bytes in stream before push in string MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on a patch by Tomasz Paweł Gajc <[email protected]> Workaround for bsc989218, the next upstream release fixes this properly. --- dracut.sh | 2 +- modules.d/50drm/module-setup.sh | 6 +++--- modules.d/90kernel-modules/module-setup.sh | 6 +++--- modules.d/90kernel-network-modules/module-setup.sh | 6 +++--- modules.d/90multipath/module-setup.sh | 6 +++--- modules.d/95iscsi/module-setup.sh | 6 +++--- 6 files changed, 16 insertions(+), 16 deletions(-) Index: dracut-044/dracut.sh =================================================================== --- dracut-044.orig/dracut.sh +++ dracut-044/dracut.sh 
@@ -1641,7 +1641,7 @@ if [[ $do_strip = yes ]] && ! [[ $DRACUT # strip kernel modules, but do not touch signed modules find "$initdir" -type f -path '*/lib/modules/*.ko' -print0 \ | while read -r -d $'\0' f || [ -n "$f" ]; do - SIG=$(tail -c 28 "$f") + SIG=$(tail -c 28 "$f" | tr -d '\000') [[ $SIG == '~Module signature appended~' ]] || { printf "%s\000" "$f"; } done | xargs -r -0 strip -g Index: dracut-044/modules.d/50drm/module-setup.sh =================================================================== --- dracut-044.orig/modules.d/50drm/module-setup.sh +++ dracut-044/modules.d/50drm/module-setup.sh @@ -24,9 +24,9 @@ installkernel() { local _fname _fcont while read _fname || [ -n "$_fname" ]; do case "$_fname" in - *.ko) _fcont="$(< $_fname)" ;; - *.ko.gz) _fcont="$(gzip -dc $_fname)" ;; - *.ko.xz) _fcont="$(xz -dc $_fname)" ;; + *.ko) _fcont="$(cat "$_fname" | tr -cd '[:print:]')" ;; + *.ko.gz) _fcont="$(gzip -dc "$_fname" | tr -cd '[:print:]')" ;; + *.ko.xz) _fcont="$(xz -dc "$_fname" | tr -cd '[:print:]')" ;; esac [[ $_fcont =~ $_drm_drivers && ! $_fcont =~ iw_handler_get_spy ]] \ Index: dracut-044/modules.d/90kernel-modules/module-setup.sh =================================================================== --- dracut-044.orig/modules.d/90kernel-modules/module-setup.sh +++ dracut-044/modules.d/90kernel-modules/module-setup.sh 
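Review bot: In the 50drm hunk, `tr -cd '[:print:]'` deletes every non-printable byte rather than only NULs, so the NUL terminators and newlines that separated strings in the module image are gone and neighbouring strings run together before `$_fcont =~ $_drm_drivers` is evaluated; whether that can produce a false match depends on the patterns, which are defined outside the hunk. The `cat "$_fname" |` is also a needless extra process. A narrower form that keeps the separators and matches what the dracut.sh hunk above in this same patch already does would be `*.ko) _fcont="$(tr -d '\000' < "$_fname")" ;;`, with the same `| tr -d '\000'` on the gzip and xz lines. The same pattern recurs in the 90kernel-modules, 90kernel-network-modules and 90multipath hunks below. installkernel continues outside the hunk.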
@@ -10,9 +10,9 @@ installkernel() { function bmf1() { local _f while read _f || [ -n "$_f" ]; do case "$_f" in - *.ko) [[ $(< $_f) =~ $_blockfuncs ]] && echo "$_f" ;; - *.ko.gz) [[ $(gzip -dc <$_f) =~ $_blockfuncs ]] && echo "$_f" ;; - *.ko.xz) [[ $(xz -dc <$_f) =~ $_blockfuncs ]] && echo "$_f" ;; + *.ko) [[ $(cat "$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;; + *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;; + *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;; esac done return 0 Index: dracut-044/modules.d/90kernel-network-modules/module-setup.sh =================================================================== --- dracut-044.orig/modules.d/90kernel-network-modules/module-setup.sh +++ dracut-044/modules.d/90kernel-network-modules/module-setup.sh @@ -45,9 +45,9 @@ installkernel() { while read _fname; do [[ $_fname =~ $_unwanted_drivers ]] && continue case "$_fname" in - *.ko) _fcont="$(< $_fname)" ;; - *.ko.gz) _fcont="$(gzip -dc $_fname)" ;; - *.ko.xz) _fcont="$(xz -dc $_fname)" ;; + *.ko) _fcont="$(cat "$_fname" | tr -cd '[:print:]')" ;; + *.ko.gz) _fcont="$(gzip -dc "$_fname" | tr -cd '[:print:]')" ;; + *.ko.xz) _fcont="$(xz -dc "$_fname" | tr -cd '[:print:]')" ;; esac [[ $_fcont =~ $_net_drivers && ! $_fcont =~ iw_handler_get_spy ]] \ Index: dracut-044/modules.d/90multipath/module-setup.sh =================================================================== --- dracut-044.orig/modules.d/90multipath/module-setup.sh +++ dracut-044/modules.d/90multipath/module-setup.sh 
@@ -49,9 +49,9 @@ installkernel() { local _f while read _f || [ -n "$_f" ]; do case "$_f" in - *.ko) [[ $(< $_f) =~ $_funcs ]] && echo "$_f" ;; - *.ko.gz) [[ $(gzip -dc <$_f) =~ $_funcs ]] && echo "$_f" ;; - *.ko.xz) [[ $(xz -dc <$_f) =~ $_funcs ]] && echo "$_f" ;; + *.ko) [[ $(cat "$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; + *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; + *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; esac done return 0 Index: dracut-044/modules.d/95iscsi/module-setup.sh =================================================================== --- dracut-044.orig/modules.d/95iscsi/module-setup.sh +++ dracut-044/modules.d/95iscsi/module-setup.sh @@ -189,9 +189,9 @@ installkernel() { local _f while read _f || [ -n "$_f" ]; do case "$_f" in - *.ko) [[ $(< $_f) =~ $_funcs ]] && echo "$_f" ;; - *.ko.gz) [[ $(gzip -dc <$_f) =~ $_funcs ]] && echo "$_f" ;; - *.ko.xz) [[ $(xz -dc <$_f) =~ $_funcs ]] && echo "$_f" ;; + *.ko) [[ $(< "$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; + *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; + *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;; esac done return 0 ++++++ 0451-systemd-initrd-add-initrd-root-device.target.patch ++++++ >From d4efc0aeeecc470d9a267b7f3c130f472488905c Mon Sep 17 00:00:00 2001 From: Harald Hoyer <[email protected]> Date: Wed, 25 May 2016 15:06:29 +0200 Subject: [PATCH] systemd-initrd: add initrd-root-device.target --- modules.d/01systemd-initrd/module-setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/modules.d/01systemd-initrd/module-setup.sh b/modules.d/01systemd-initrd/module-setup.sh index fb6a9ea..c1ccd2a 100755 --- a/modules.d/01systemd-initrd/module-setup.sh +++ b/modules.d/01systemd-initrd/module-setup.sh 
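Review bot: In the 95iscsi hunk the new `*.ko` line `$(< "$_f" | tr -cd '[:print:]')` yields an empty string: bash's `$(< file)` shortcut only applies when the substitution is exactly that redirection, and inside a pipeline `< "$_f"` is a null command with a redirection that writes nothing to `tr`. The regex test against `$_funcs` therefore never succeeds for uncompressed modules, so they silently drop out of whatever the caller does with the echoed names (outside the hunk). Use the same form as the other module-setup hunks in this patch: `*.ko) [[ $(tr -cd '[:print:]' < "$_f") =~ $_funcs ]] && echo "$_f" ;;`. The enclosing helper function is declared above the hunk and continues past it.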
@@ -28,6 +28,7 @@ install() { inst_multiple -o \ $systemdsystemunitdir/initrd.target \ $systemdsystemunitdir/initrd-fs.target \ + $systemdsystemunitdir/initrd-root-device.target \ $systemdsystemunitdir/initrd-root-fs.target \ $systemdsystemunitdir/initrd-switch-root.target \ $systemdsystemunitdir/initrd-switch-root.service \ -- 2.10.0 ++++++ 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch ++++++ >From 0db98910a11c12a454eac4c8e86dc7a7bbc764a4 Mon Sep 17 00:00:00 2001 From: Andreas Stieger <[email protected]> Date: Mon, 7 Nov 2016 10:37:22 +0100 Subject: [PATCH] dracut.sh: create the initramfs non-world readable also if early cpio is used Fixes: 5f2c30d9bcd614d546d5c55c6897e33f88b9ab90 Previously fixed CVE-2012-4453: e1b48995c26c4f06d1a718539cb1bd5b0179af91 Signed-off-by: Andreas Stieger <[email protected]> --- dracut.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dracut.sh b/dracut.sh index 40ca08f..2d79bbc 100755 --- a/dracut.sh +++ b/dracut.sh @@ -1700,7 +1700,7 @@ if [[ $create_early_cpio = yes ]]; then # The microcode blob is _before_ the initramfs blob, not after if ! ( - cd "$early_cpio_dir/d" + umask 077; cd "$early_cpio_dir/d" find . -print0 | sort -z \ | cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null $cpio_owner_root -H newc -o --quiet > "${DRACUT_TMPDIR}/initramfs.img" ); then -- 2.10.2
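Review bot: In the 0503 dracut.sh hunk, `umask 077` sits on the same line as the `cd` with nothing saying why it is there, so it reads like a stray and invites later removal; a one-line comment would document the intent: `# umask 077: the redirection below creates initramfs.img; it must not be world-readable (bsc#1008340, CVE-2016-8637)`. Note that a umask only governs file creation: if `${DRACUT_TMPDIR}/initramfs.img` already exists with a wider mode, `>` truncates it in place and the mode is unchanged, so this relies on DRACUT_TMPDIR being fresh per run, which is set up outside the hunk. The `if` body continues outside the hunk.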
