[arch-commits] Commit in ecryptfs-utils/trunk (CVE-2016-1572.patch PKGBUILD)

2016-12-12 Thread Timothy Redaelli 
Date: Monday, December 12, 2016 @ 16:43:24
  Author: tredaelli
Revision: 199038

upgpkg: ecryptfs-utils 111-1

Modified:
  ecryptfs-utils/trunk/PKGBUILD
Deleted:
  ecryptfs-utils/trunk/CVE-2016-1572.patch

-+
 CVE-2016-1572.patch |  101 --
 PKGBUILD|   17 ++--
 2 files changed, 5 insertions(+), 113 deletions(-)

Deleted: CVE-2016-1572.patch
===
--- CVE-2016-1572.patch 2016-12-12 15:45:01 UTC (rev 199037)
+++ CVE-2016-1572.patch 2016-12-12 16:43:24 UTC (rev 199038)
@@ -1,101 +0,0 @@
-From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
-From: Tyler Hicks 
-Date: Thu, 7 Jan 2016 19:39:14 -0600
-Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
-
-Refuse to mount over non-standard filesystems. Mounting over
-certain types filesystems is a red flag that the user is doing
-something devious, such as mounting over the /proc/self symlink
-target with malicious content in order to confuse programs that may
-attempt to parse those files. (LP: #1530566)
-
-https://launchpad.net/bugs/1530566

- debian/changelog   |  8 +
- src/utils/mount.ecryptfs_private.c | 61 ++
- 2 files changed, 69 insertions(+)
-
 a/src/utils/mount.ecryptfs_private.c
-+++ b/src/utils/mount.ecryptfs_private.c
-@@ -30,6 +30,7 @@
- #include 
- #include 
- #include 
-+#include 
- #include 
- #include 
- #include 
-@@ -220,6 +221,62 @@ err:
-   return NULL;
- }
- 
-+static int check_cwd_f_type()
-+{
-+  /**
-+   * This is *not* a list of compatible lower filesystems list for
-+   * eCryptfs. This is a list of filesystems that we reasonably expect to
-+   * see mount.ecryptfs_private users mounting on top of. In other words,
-+   * the filesystem type of the 'target' parameter of mount(2).
-+   *
-+   * This whitelist is to prevent malicious mount.ecryptfs_private users
-+   * from mounting over filesystem types such as PROC_SUPER_MAGIC to
-+   * deceive other programs with a crafted /proc/self/*. See
-+   * https://launchpad.net/bugs/1530566 for more details.
-+   */
-+  __SWORD_TYPE f_type_whitelist[] = {
-+  0x61756673 /* AUFS_SUPER_MAGIC */,
-+  0x9123683E /* BTRFS_SUPER_MAGIC */,
-+  0x00C36400 /* CEPH_SUPER_MAGIC */,
-+  0xFF534D42 /* CIFS_MAGIC_NUMBER */,
-+  0xF15F /* ECRYPTFS_SUPER_MAGIC */,
-+  0xEF53 /* EXT[234]_SUPER_MAGIC */,
-+  0xF2F52010 /* F2FS_SUPER_MAGIC */,
-+  0x65735546 /* FUSE_SUPER_MAGIC */,
-+  0x01161970 /* GFS2_MAGIC */,
-+  0x3153464A /* JFS_SUPER_MAGIC */,
-+  0x564C /* NCP_SUPER_MAGIC */,
-+  0x6969 /* NFS_SUPER_MAGIC */,
-+  0x3434 /* NILFS_SUPER_MAGIC */,
-+  0x5346544E /* NTFS_SB_MAGIC */,
-+  0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
-+  0x52654973 /* REISERFS_SUPER_MAGIC */,
-+  0x73717368 /* SQUASHFS_MAGIC */,
-+  0x01021994 /* TMPFS_MAGIC */,
-+  0x58465342 /* XFS_SB_MAGIC */,
-+  0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
-+  };
-+  struct statfs buf;
-+  size_t i, whitelist_len;
-+
-+  if (statfs(".", ) != 0) {
-+  fprintf(stderr, "Failed to check filesystem type: %m\n");
-+  return 1;
-+  }
-+
-+  whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
-+  for (i = 0; i < whitelist_len; i++) {
-+  if (buf.f_type == f_type_whitelist[i]) {
-+  return 0;
-+  }
-+  }
-+
-+  fprintf(stderr,
-+  "Refusing to mount over an unapproved filesystem type: %#lx\n",
-+  buf.f_type);
-+  return 1;
-+}
-+
- int check_ownership_mnt(uid_t uid, char **mnt) {
- /* Check ownership of mount point, chdir into it, and
-  * canonicalize the path for use in mtab updating.
-@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) {
-   goto fail;
-   }
- 
-+  if (check_cwd_f_type() != 0) {
-+  goto fail;
-+  }
-+
-   if (mounting == 1) {
-   /* Increment mount counter, errors non-fatal */
-   if (increment(fh_counter) < 0) {

Modified: PKGBUILD
===
--- PKGBUILD2016-12-12 15:45:01 UTC (rev 199037)
+++ PKGBUILD2016-12-12 16:43:24 UTC (rev 199038)
@@ -4,8 +4,8 @@
 # Contributor: Michal Krenek 
 
 pkgname=ecryptfs-utils
-pkgver=108
-pkgrel=2
+pkgver=111
+pkgrel=1
 arch=('i686' 'x86_64')
 pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
 url="https://launchpad.net/ecryptfs;
@@ -14,18 +14,11 @@
 depends=('nss' 'pam')
 optdepends=('python2: for python module')

[arch-commits] Commit in ecryptfs-utils/trunk (CVE-2016-1572.patch PKGBUILD)

2016-01-22 Thread Timothy Redaelli 
Date: Friday, January 22, 2016 @ 12:41:47
  Author: tredaelli
Revision: 158553

upgpkg: ecryptfs-utils 108-2

Fix for CVE-2016-1572 (FS#47844)

Added:
  ecryptfs-utils/trunk/CVE-2016-1572.patch
Modified:
  ecryptfs-utils/trunk/PKGBUILD

-+
 CVE-2016-1572.patch |  101 ++
 PKGBUILD|   17 +---
 2 files changed, 113 insertions(+), 5 deletions(-)

Added: CVE-2016-1572.patch
===
--- CVE-2016-1572.patch (rev 0)
+++ CVE-2016-1572.patch 2016-01-22 11:41:47 UTC (rev 158553)
@@ -0,0 +1,101 @@
+From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks 
+Date: Thu, 7 Jan 2016 19:39:14 -0600
+Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
+
+Refuse to mount over non-standard filesystems. Mounting over
+certain types filesystems is a red flag that the user is doing
+something devious, such as mounting over the /proc/self symlink
+target with malicious content in order to confuse programs that may
+attempt to parse those files. (LP: #1530566)
+
+https://launchpad.net/bugs/1530566
+---
+ debian/changelog   |  8 +
+ src/utils/mount.ecryptfs_private.c | 61 ++
+ 2 files changed, 69 insertions(+)
+
+--- a/src/utils/mount.ecryptfs_private.c
 b/src/utils/mount.ecryptfs_private.c
+@@ -30,6 +30,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -220,6 +221,62 @@ err:
+   return NULL;
+ }
+ 
++static int check_cwd_f_type()
++{
++  /**
++   * This is *not* a list of compatible lower filesystems list for
++   * eCryptfs. This is a list of filesystems that we reasonably expect to
++   * see mount.ecryptfs_private users mounting on top of. In other words,
++   * the filesystem type of the 'target' parameter of mount(2).
++   *
++   * This whitelist is to prevent malicious mount.ecryptfs_private users
++   * from mounting over filesystem types such as PROC_SUPER_MAGIC to
++   * deceive other programs with a crafted /proc/self/*. See
++   * https://launchpad.net/bugs/1530566 for more details.
++   */
++  __SWORD_TYPE f_type_whitelist[] = {
++  0x61756673 /* AUFS_SUPER_MAGIC */,
++  0x9123683E /* BTRFS_SUPER_MAGIC */,
++  0x00C36400 /* CEPH_SUPER_MAGIC */,
++  0xFF534D42 /* CIFS_MAGIC_NUMBER */,
++  0xF15F /* ECRYPTFS_SUPER_MAGIC */,
++  0xEF53 /* EXT[234]_SUPER_MAGIC */,
++  0xF2F52010 /* F2FS_SUPER_MAGIC */,
++  0x65735546 /* FUSE_SUPER_MAGIC */,
++  0x01161970 /* GFS2_MAGIC */,
++  0x3153464A /* JFS_SUPER_MAGIC */,
++  0x564C /* NCP_SUPER_MAGIC */,
++  0x6969 /* NFS_SUPER_MAGIC */,
++  0x3434 /* NILFS_SUPER_MAGIC */,
++  0x5346544E /* NTFS_SB_MAGIC */,
++  0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
++  0x52654973 /* REISERFS_SUPER_MAGIC */,
++  0x73717368 /* SQUASHFS_MAGIC */,
++  0x01021994 /* TMPFS_MAGIC */,
++  0x58465342 /* XFS_SB_MAGIC */,
++  0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
++  };
++  struct statfs buf;
++  size_t i, whitelist_len;
++
++  if (statfs(".", ) != 0) {
++  fprintf(stderr, "Failed to check filesystem type: %m\n");
++  return 1;
++  }
++
++  whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
++  for (i = 0; i < whitelist_len; i++) {
++  if (buf.f_type == f_type_whitelist[i]) {
++  return 0;
++  }
++  }
++
++  fprintf(stderr,
++  "Refusing to mount over an unapproved filesystem type: %#lx\n",
++  buf.f_type);
++  return 1;
++}
++
+ int check_ownership_mnt(uid_t uid, char **mnt) {
+ /* Check ownership of mount point, chdir into it, and
+  * canonicalize the path for use in mtab updating.
+@@ -629,6 +686,10 @@ int main(int argc, char *argv[]) {
+   goto fail;
+   }
+ 
++  if (check_cwd_f_type() != 0) {
++  goto fail;
++  }
++
+   if (mounting == 1) {
+   /* Increment mount counter, errors non-fatal */
+   if (increment(fh_counter) < 0) {

Modified: PKGBUILD
===
--- PKGBUILD2016-01-22 10:50:21 UTC (rev 158552)
+++ PKGBUILD2016-01-22 11:41:47 UTC (rev 158553)
@@ -5,7 +5,7 @@
 
 pkgname=ecryptfs-utils
 pkgver=108
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 pkgdesc="Enterprise-class stacked cryptographic filesystem for Linux"
 url="https://launchpad.net/ecryptfs;
@@ -14,19 +14,26 @@
 depends=('nss' 'pam')
 optdepends=('python2: for python module')