[arch-commits] Commit in ecryptfs-utils/trunk (CVE-2016-1572.patch PKGBUILD)
Date: Monday, December 12, 2016 @ 16:43:24 Author: tredaelli Revision: 199038 upgpkg: ecryptfs-utils 111-1 Modified: ecryptfs-utils/trunk/PKGBUILD Deleted: ecryptfs-utils/trunk/CVE-2016-1572.patch -+ CVE-2016-1572.patch | 101 -- PKGBUILD| 17 ++-- 2 files changed, 5 insertions(+), 113 deletions(-) Deleted: CVE-2016-1572.patch === --- CVE-2016-1572.patch 2016-12-12 15:45:01 UTC (rev 199037) +++ CVE-2016-1572.patch 2016-12-12 16:43:24 UTC (rev 199038) @@ -1,101 +0,0 @@ -From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001 -From: Tyler Hicks-Date: Thu, 7 Jan 2016 19:39:14 -0600 -Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type - -Refuse to mount over non-standard filesystems. Mounting over -certain types filesystems is a red flag that the user is doing -something devious, such as mounting over the /proc/self symlink -target with malicious content in order to confuse programs that may -attempt to parse those files. (LP: #1530566) - -https://launchpad.net/bugs/1530566 - debian/changelog | 8 + - src/utils/mount.ecryptfs_private.c | 61 ++ - 2 files changed, 69 insertions(+) - a/src/utils/mount.ecryptfs_private.c -+++ b/src/utils/mount.ecryptfs_private.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -220,6 +221,62 @@ err: - return NULL; - } - -+static int check_cwd_f_type() -+{ -+ /** -+ * This is *not* a list of compatible lower filesystems list for -+ * eCryptfs. This is a list of filesystems that we reasonably expect to -+ * see mount.ecryptfs_private users mounting on top of. In other words, -+ * the filesystem type of the 'target' parameter of mount(2). -+ * -+ * This whitelist is to prevent malicious mount.ecryptfs_private users -+ * from mounting over filesystem types such as PROC_SUPER_MAGIC to -+ * deceive other programs with a crafted /proc/self/*. See -+ * https://launchpad.net/bugs/1530566 for more details. -+ */ -+ __SWORD_TYPE f_type_whitelist[] = { -+ 0x61756673 /* AUFS_SUPER_MAGIC */, -+ 0x9123683E /* BTRFS_SUPER_MAGIC */, -+ 0x00C36400 /* CEPH_SUPER_MAGIC */, -+ 0xFF534D42 /* CIFS_MAGIC_NUMBER */, -+ 0xF15F /* ECRYPTFS_SUPER_MAGIC */, -+ 0xEF53 /* EXT[234]_SUPER_MAGIC */, -+ 0xF2F52010 /* F2FS_SUPER_MAGIC */, -+ 0x65735546 /* FUSE_SUPER_MAGIC */, -+ 0x01161970 /* GFS2_MAGIC */, -+ 0x3153464A /* JFS_SUPER_MAGIC */, -+ 0x564C /* NCP_SUPER_MAGIC */, -+ 0x6969 /* NFS_SUPER_MAGIC */, -+ 0x3434 /* NILFS_SUPER_MAGIC */, -+ 0x5346544E /* NTFS_SB_MAGIC */, -+ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */, -+ 0x52654973 /* REISERFS_SUPER_MAGIC */, -+ 0x73717368 /* SQUASHFS_MAGIC */, -+ 0x01021994 /* TMPFS_MAGIC */, -+ 0x58465342 /* XFS_SB_MAGIC */, -+ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */, -+ }; -+ struct statfs buf; -+ size_t i, whitelist_len; -+ -+ if (statfs(".", ) != 0) { -+ fprintf(stderr, "Failed to check filesystem type: %m\n"); -+ return 1; -+ } -+ -+ whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist); -+ for (i = 0; i < whitelist_len; i++) { -+ if (buf.f_type == f_type_whitelist[i]) { -+ return 0; -+ } -+ } -+ -+ fprintf(stderr, -+ "Refusing to mount over an unapproved filesystem type: %#lx\n", -+ buf.f_type); -+ return 1; -+} -+ - int check_ownership_mnt(uid_t uid, char **mnt) { - /* Check ownership of mount point, chdir into it, and - * canonicalize the path for use in mtab updating. -@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) { - goto fail; - } - -+ if (check_cwd_f_type() != 0) { -+ goto fail; -+ } -+ - if (mounting == 1) { - /* Increment mount counter, errors non-fatal */ - if (increment(fh_counter) < 0) { Modified: PKGBUILD === --- PKGBUILD2016-12-12 15:45:01 UTC (rev 199037) +++ PKGBUILD2016-12-12 16:43:24 UTC (rev 199038) @@ -4,8 +4,8 @@ # Contributor: Michal Krenek pkgname=ecryptfs-utils -pkgver=108 -pkgrel=2 +pkgver=111 +pkgrel=1 arch=('i686' 'x86_64') pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux" url="https://launchpad.net/ecryptfs; @@ -14,18 +14,11 @@ depends=('nss' 'pam') optdepends=('python2: for python module')
[arch-commits] Commit in ecryptfs-utils/trunk (CVE-2016-1572.patch PKGBUILD)
Date: Friday, January 22, 2016 @ 12:41:47 Author: tredaelli Revision: 158553 upgpkg: ecryptfs-utils 108-2 Fix for CVE-2016-1572 (FS#47844) Added: ecryptfs-utils/trunk/CVE-2016-1572.patch Modified: ecryptfs-utils/trunk/PKGBUILD -+ CVE-2016-1572.patch | 101 ++ PKGBUILD| 17 +--- 2 files changed, 113 insertions(+), 5 deletions(-) Added: CVE-2016-1572.patch === --- CVE-2016-1572.patch (rev 0) +++ CVE-2016-1572.patch 2016-01-22 11:41:47 UTC (rev 158553) @@ -0,0 +1,101 @@ +From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks+Date: Thu, 7 Jan 2016 19:39:14 -0600 +Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type + +Refuse to mount over non-standard filesystems. Mounting over +certain types filesystems is a red flag that the user is doing +something devious, such as mounting over the /proc/self symlink +target with malicious content in order to confuse programs that may +attempt to parse those files. (LP: #1530566) + +https://launchpad.net/bugs/1530566 +--- + debian/changelog | 8 + + src/utils/mount.ecryptfs_private.c | 61 ++ + 2 files changed, 69 insertions(+) + +--- a/src/utils/mount.ecryptfs_private.c b/src/utils/mount.ecryptfs_private.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -220,6 +221,62 @@ err: + return NULL; + } + ++static int check_cwd_f_type() ++{ ++ /** ++ * This is *not* a list of compatible lower filesystems list for ++ * eCryptfs. This is a list of filesystems that we reasonably expect to ++ * see mount.ecryptfs_private users mounting on top of. In other words, ++ * the filesystem type of the 'target' parameter of mount(2). ++ * ++ * This whitelist is to prevent malicious mount.ecryptfs_private users ++ * from mounting over filesystem types such as PROC_SUPER_MAGIC to ++ * deceive other programs with a crafted /proc/self/*. See ++ * https://launchpad.net/bugs/1530566 for more details. ++ */ ++ __SWORD_TYPE f_type_whitelist[] = { ++ 0x61756673 /* AUFS_SUPER_MAGIC */, ++ 0x9123683E /* BTRFS_SUPER_MAGIC */, ++ 0x00C36400 /* CEPH_SUPER_MAGIC */, ++ 0xFF534D42 /* CIFS_MAGIC_NUMBER */, ++ 0xF15F /* ECRYPTFS_SUPER_MAGIC */, ++ 0xEF53 /* EXT[234]_SUPER_MAGIC */, ++ 0xF2F52010 /* F2FS_SUPER_MAGIC */, ++ 0x65735546 /* FUSE_SUPER_MAGIC */, ++ 0x01161970 /* GFS2_MAGIC */, ++ 0x3153464A /* JFS_SUPER_MAGIC */, ++ 0x564C /* NCP_SUPER_MAGIC */, ++ 0x6969 /* NFS_SUPER_MAGIC */, ++ 0x3434 /* NILFS_SUPER_MAGIC */, ++ 0x5346544E /* NTFS_SB_MAGIC */, ++ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */, ++ 0x52654973 /* REISERFS_SUPER_MAGIC */, ++ 0x73717368 /* SQUASHFS_MAGIC */, ++ 0x01021994 /* TMPFS_MAGIC */, ++ 0x58465342 /* XFS_SB_MAGIC */, ++ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */, ++ }; ++ struct statfs buf; ++ size_t i, whitelist_len; ++ ++ if (statfs(".", ) != 0) { ++ fprintf(stderr, "Failed to check filesystem type: %m\n"); ++ return 1; ++ } ++ ++ whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist); ++ for (i = 0; i < whitelist_len; i++) { ++ if (buf.f_type == f_type_whitelist[i]) { ++ return 0; ++ } ++ } ++ ++ fprintf(stderr, ++ "Refusing to mount over an unapproved filesystem type: %#lx\n", ++ buf.f_type); ++ return 1; ++} ++ + int check_ownership_mnt(uid_t uid, char **mnt) { + /* Check ownership of mount point, chdir into it, and + * canonicalize the path for use in mtab updating. +@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) { + goto fail; + } + ++ if (check_cwd_f_type() != 0) { ++ goto fail; ++ } ++ + if (mounting == 1) { + /* Increment mount counter, errors non-fatal */ + if (increment(fh_counter) < 0) { Modified: PKGBUILD === --- PKGBUILD2016-01-22 10:50:21 UTC (rev 158552) +++ PKGBUILD2016-01-22 11:41:47 UTC (rev 158553) @@ -5,7 +5,7 @@ pkgname=ecryptfs-utils pkgver=108 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux" url="https://launchpad.net/ecryptfs; @@ -14,19 +14,26 @@ depends=('nss' 'pam') optdepends=('python2: for python module')