[yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe

Huang, Jie (Jackie) Jackie.Huang at windriver.com
Mon May 22 20:44:51 PDT 2017


Hi Martin,

Thanks for the reference, but the one in meta-ivi is an older version and
also has the same PAM issue. I will fix it with a PACKAGECONFIG and
DISTRO_FEATURES check for PAM, and also add systemd support.

Thanks,
Jackie
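One way to make the PAM dependency follow DISTRO_FEATURES, as an added recipe fragment (not code from the patch or from the meta-ivi recipe); the `--enable-pam`/`--disable-pam` switch names are assumed from Armin's remark that the package can disable PAM and should be checked against the source's configure.ac:

```bitbake
# Added example: pull in PAM only when the distro enables it, so
# do_pam_sanity no longer warns and the PAM module is not built
# on distros without the 'pam' feature.
PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"
# Assumed configure switches: enable flag, disable flag, build-time dependency.
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam"

# libpam leaves DEPENDS; PACKAGECONFIG adds it back when 'pam' is selected.
DEPENDS = "keyutils libgcrypt nss intltool-native glib-2.0-native"

# The PAM module only exists when PAM is on; the glob is valid either way.
FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
```

Confirm the result with `bitbake -e ecryptfs-utils | grep '^PACKAGECONFIG='` with and without `pam` in DISTRO_FEATURES.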

From: Martin Jansa [mailto:martin.jansa at gmail.com]
Sent: Friday, May 19, 2017 23:27
To: Huang, Jie (Jackie)
Cc: akuster808; yocto at yoctoproject.org
Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe

How does this one relate to:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-ivi/tree/meta-ivi/recipes-support-ivi/ecryptfs-utils/ecryptfs-utils_106.bb?h=master

The latter also has support for systemd; not sure if it has the issue with PAM or not.

On Fri, May 19, 2017 at 4:56 PM, Huang, Jie (Jackie) <Jackie.Huang at windriver.com> wrote:


> -----Original Message-----
> From: akuster808 [mailto:akuster808 at gmail.com]
> Sent: Friday, May 19, 2017 22:50
> To: Huang, Jie (Jackie); yocto at yoctoproject.org
> Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
>
>
>
> On 05/17/2017 12:56 AM, jackie.huang at windriver.com wrote:
> > From: Jackie Huang <jackie.huang at windriver.com>
> >
> > eCryptfs is a stacked cryptographic filesystem that ships
> > in Linux kernel versions 2.6.19 and above. This package
> > provides the mount helper and supporting libraries to
> > perform key management and mount functions.
> >
> > Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
>
> This has the following warning:
> WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't
> in DISTRO_FEATURES, PAM won't work correctly
>
> I noticed this package has the ability to disable-pam so maybe
> PACKAGECONFIG with the DISTRO_FEATURES check for PAM would be
> applicable in this case?
>
> please investigate.

I will investigate and fix the warning.

Thanks,
Jackie

>
> everything else looks fine for inclusion to meta-security.
>
> regards,
> Armin
>
> > ---
> >   .../ecryptfs-utils/ecryptfs-utils_111.bb           | 52 +++++++++++++++++
> >   .../files/ecryptfs-utils-CVE-2016-6224.patch       | 65 ++++++++++++++++++++++
> >   2 files changed, 117 insertions(+)
> >   create mode 100644 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> >   create mode 100644 recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
> >
> > diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb> b/recipes-
> security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb>
> > new file mode 100644
> > index 0000000..49c2605
> > --- /dev/null
> > +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb>
> > @@ -0,0 +1,52 @@
> > +SUMMARY = "The eCryptfs mount helper and support libraries"
> > +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
> > +    that ships in Linux kernel versions 2.6.19 and above. This \
> > +    package provides the mount helper and supporting libraries \
> > +    to perform key management and mount functions."
> > +HOMEPAGE = "https://launchpad.net/ecryptfs"
> > +SECTION = "base"
> > +
> > +LICENSE = "GPL-2.0"
> > +LIC_FILES_CHKSUM =
> "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b<file:///\\COPYING;md5=8ca43cbc842c2336e835926c2166c28b>"
> > +
> > +DEPENDS = "keyutils libgcrypt libpam nss intltool-native glib-2.0-native"
> > +
> > +inherit autotools pkgconfig
> > +
> > +SRC_URI = "\
> > +
> https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar<https://launchpad.net/ecryptfs/trunk/$%7bPV%7d/+download/$%7bBPN%7d_$%7bPV%7d.orig.tar>.
> gz \
> > +    file://ecryptfs-utils-CVE-2016-6224.patch<file:///\\ecryptfs-utils-CVE-2016-6224.patch> \
> > +    "
> > +
> > +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
> > +SRC_URI[sha256sum] =
> "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
> > +
> > +PARALLEL_MAKEINST=""
> > +
> > +EXTRA_OECONF = "\
> > +    --libdir=${base_libdir} \
> > +    --disable-pywrap \
> > +    --disable-nls \
> > +    --enable-openssl=no \
> > +    "
> > +
> > +do_configure_prepend() {
> > +    export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -
> I${STAGING_INCDIR}/nss3"
> > +    export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -
> lsoftokn3 -lnssutil3"
> > +    export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
> > +    export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
> > +}
> > +
> > +do_install_append() {
> > +    chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
> > +    mkdir -p ${D}/${libdir}
> > +    mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
> > +    sed -i -e 's:-I${STAGING_INCDIR}::' \
> > +           -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
> > +    sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:"
> ${D}${bindir}/ecryptfs-setup-swap
> > +}
> > +
> > +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
> > +
> > +RDEPENDS_${PN} += "cryptsetup"
> > +RRECOMMENDS_${PN} = "gettext-runtime"
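Review bot: the unconditional `libpam` in DEPENDS, with no `--disable-pam` in EXTRA_OECONF, is what produces the `do_pam_sanity` warning Armin quotes; make it a PACKAGECONFIG keyed on DISTRO_FEATURES, e.g. `PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"` and `PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam"` (check the exact switch names against configure.ac), and drop libpam from DEPENDS. The `chmod 4755` on mount.ecryptfs_private is a setuid-root install; a one-line comment recording that the bit is deliberate (the helper needs it to mount on behalf of unprivileged users) would keep a later cleanup from removing it.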
> > diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-
> 6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-
> 6224.patch
> > new file mode 100644
> > index 0000000..4252f97
> > --- /dev/null
> > +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
> > @@ -0,0 +1,65 @@
> > +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00
> 2001
> > +From: Li Zhou <li.zhou at windriver.com<mailto:li.zhou at windriver.com>>
> > +Date: Mon, 5 Sep 2016 10:28:08 +0800
> > +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
> > +
> > +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
> > +being automatically enabled by systemd. This bug affected GPT partitioned
> > +NVMe/MMC drives and resulted in the swap partition being used without
> > +encryption. It also resulted in a usability issue in that users were
> > +erroneously prompted to enter a pass-phrase to unlock their swap partition
> > +at boot. (LP: #1597154)
> > +
> > +the patch comes from:
> > +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
> > +https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
> > +
> > +Upstream-Status: backport
> > +
> > +Signed-off-by: Li Zhou <li.zhou at windriver.com<mailto:li.zhou at windriver.com>>
> > +---
> > + ChangeLog                     |  9 +++++++++
> > + src/utils/ecryptfs-setup-swap | 10 ++++++++--
> > + 2 files changed, 17 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/ChangeLog b/ChangeLog
> > +index d255a94..2c9c73e 100644
> > +--- a/ChangeLog
> > ++++ b/ChangeLog
> > +@@ -1,3 +1,12 @@
> > ++ecryptfs-utils-112
> > ++  [ Jason Gerard DeRose ]
> > ++  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
> > ++    being automatically enabled by systemd. This bug affected GPT
> partitioned
> > ++    NVMe/MMC drives and resulted in the swap partition being used without
> > ++    encryption. It also resulted in a usability issue in that users were
> > ++    erroneously prompted to enter a pass-phrase to unlock their swap
> partition
> > ++    at boot. (LP: #1597154)
> > ++
> > + ecryptfs-utils-74
> > +   [ Michal Hlavinka ]
> > +   * Changes for RH/Fedora release
> > +diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
> > +index 41cf18a..e4785d7 100755
> > +--- a/src/utils/ecryptfs-setup-swap
> > ++++ b/src/utils/ecryptfs-setup-swap
> > +@@ -166,8 +166,14 @@ for swap in $swaps; do
> > +   # If this is a GPT partition, mark it as no-auto mounting, to avoid
> > +   # auto-activating it on boot
> > +   if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ];
> then
> > +-          drive="${swap%[0-9]*}"
> > +-          partno="${swap#$drive}"
> > ++          # Correctly handle NVMe/MMC drives, as well as any similar
> physical
> > ++          # block device that follow the "/dev/foo0p1" pattern (LP:
> #1597154)
> > ++          if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
> > ++                  drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
> > ++          else
> > ++                  drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
> > ++          fi
> > ++          partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
> > +           if [ -b "$drive" ]; then
> > +                   if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .*
> GUID:.*\b63\b"; then
> > +                           echo "$swap is already marked as no-auto"
> > +--
> > +1.9.1
> > +
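Review bot: `Upstream-Status: backport` should be written `Upstream-Status: Backport`, the form the OE patch guidelines expect, and a `CVE: CVE-2016-6224` line beside it lets cve-check.bbclass record the fix from the header rather than from the file name alone. The header cites the launchpad revision 882 and the NVD entry, which is good; consider also stating that the ChangeLog hunk comes from the 112 release while this recipe carries 111, so a reader is not surprised that the entry mentions a later version.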

--
_______________________________________________
yocto mailing list
yocto at yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
