Hi Martin,

Thanks for the reference, but the one in meta-ivi is an older version and also has the same pam issue. I will fix it with PACKAGECONFIG and a DISTRO_FEATURES check for PAM, and also add the systemd support.

Thanks,
Jackie

From: Martin Jansa [mailto:martin.ja...@gmail.com]
Sent: Friday, May 19, 2017 23:27
To: Huang, Jie (Jackie)
Cc: akuster808; yocto@yoctoproject.org
Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe

How does this one relate to:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-ivi/tree/meta-ivi/recipes-support-ivi/ecryptfs-utils/ecryptfs-utils_106.bb?h=master

The latter also has support for systemd; not sure if it has the issue with pam or not.

On Fri, May 19, 2017 at 4:56 PM, Huang, Jie (Jackie) <jackie.hu...@windriver.com> wrote:
> -----Original Message-----
> From: akuster808 [mailto:akuster...@gmail.com]
> Sent: Friday, May 19, 2017 22:50
> To: Huang, Jie (Jackie); yocto@yoctoproject.org
> Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
>
>
>
> On 05/17/2017 12:56 AM, jackie.hu...@windriver.com wrote:
> > From: Jackie Huang <jackie.hu...@windriver.com>
> >
> > eCryptfs is a stacked cryptographic filesystem that ships
> > in Linux kernel versions 2.6.19 and above. This package
> > provides the mount helper and supporting libraries to
> > perform key management and mount functions.
> >
> > Signed-off-by: Jackie Huang <jackie.hu...@windriver.com>
>
> This has the following warning:
> WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't in DISTRO_FEATURES, PAM won't work correctly
>
> I noticed this package has the ability to disable-pam so maybe
> PACKAGECONFIG with the DISTRO_FEATURES check for PAM would be applicable
> in this case?
>
> Please investigate.

I will investigate and fix the warning.

Thanks,
Jackie

> Everything else looks fine for inclusion in meta-security.
>
> regards,
> Armin
>
> > ---
> >  .../ecryptfs-utils/ecryptfs-utils_111.bb          | 52 +++++++++++++++++
> >  .../files/ecryptfs-utils-CVE-2016-6224.patch      | 65 ++++++++++++++++++++++
> >  2 files changed, 117 insertions(+)
> >  create mode 100644 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> >  create mode 100644 recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
> >
> > diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> > new file mode 100644
> > index 0000000..49c2605
> > --- /dev/null
> > +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> > @@ -0,0 +1,52 @@ > > +SUMMARY = "The eCryptfs mount helper and support libraries" > > +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ > > + that ships in Linux kernel versions 2.6.19 and above. This \ > > + package provides the mount helper and supporting libraries \ > > + to perform key management and mount functions." > > +HOMEPAGE = "https://launchpad.net/ecryptfs" > > +SECTION = "base" > > + > > +LICENSE = "GPL-2.0" > > +LIC_FILES_CHKSUM = > "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b<file:///\\COPYING;md5=8ca43cbc842c2336e835926c2166c28b>" > > + > > +DEPENDS = "keyutils libgcrypt libpam nss intltool-native glib-2.0-native" > > + > > +inherit autotools pkgconfig > > + > > +SRC_URI = "\ > > + > https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar<https://launchpad.net/ecryptfs/trunk/$%7bPV%7d/+download/$%7bBPN%7d_$%7bPV%7d.orig.tar>. > gz \ > > + > > file://ecryptfs-utils-CVE-2016-6224.patch<file:///\\ecryptfs-utils-CVE-2016-6224.patch> > > \ > > + " > > + > > +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" > > +SRC_URI[sha256sum] = > "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" > > + > > +PARALLEL_MAKEINST="" > > + > > +EXTRA_OECONF = "\ > > + --libdir=${base_libdir} \ > > + --disable-pywrap \ > > + --disable-nls \ > > + --enable-openssl=no \ > > + " > > + > > +do_configure_prepend() { > > + export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 - > I${STAGING_INCDIR}/nss3" > > + export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 - > lsoftokn3 -lnssutil3" > > + export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" > > + export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" > > +} > > + > > +do_install_append() { > > + chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private > > + mkdir -p ${D}/${libdir} > > + mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} > > + sed -i -e 's:-I${STAGING_INCDIR}::' \ > > + -e 's:-L${STAGING_LIBDIR}::' > > ${D}/${libdir}/pkgconfig/libecryptfs.pc > > + sed -i 
-e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" > ${D}${bindir}/ecryptfs-setup-swap > > +} > > + > > +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" > > + > > +RDEPENDS_${PN} += "cryptsetup" > > +RRECOMMENDS_${PN} = "gettext-runtime" > > diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016- > 6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016- > 6224.patch > > new file mode 100644 > > index 0000000..4252f97 > > --- /dev/null > > +++ > > b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch 
> > @@ -0,0 +1,65 @@ > > +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 > 2001 > > +From: Li Zhou <li.z...@windriver.com<mailto:li.z...@windriver.com>> > > +Date: Mon, 5 Sep 2016 10:28:08 +0800 > > +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 > > + > > +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from > > +being automatically enabled by systemd. This bug affected GPT partitioned > > +NVMe/MMC drives and resulted in the swap partition being used without > > +encryption. It also resulted in a usability issue in that users were > > +erroneously prompted to enter a pass-phrase to unlock their swap partition > > +at boot. (LP: #1597154) > > + > > +the patch comes from: > > +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 > > +https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 > > + > > +Upstream-Status: backport > > + > > +Signed-off-by: Li Zhou > > <li.z...@windriver.com<mailto:li.z...@windriver.com>> > > +--- > > + ChangeLog | 9 +++++++++ > > + src/utils/ecryptfs-setup-swap | 10 ++++++++-- > > + 2 files changed, 17 insertions(+), 2 deletions(-) > > + > > +diff --git a/ChangeLog b/ChangeLog > > +index d255a94..2c9c73e 100644 > > +--- a/ChangeLog > > ++++ b/ChangeLog > > +@@ -1,3 +1,12 @@ > > ++ecryptfs-utils-112 > > ++ [ Jason Gerard DeRose ] > > ++ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions > > from > > ++ being automatically enabled by systemd. This bug affected GPT > partitioned > > ++ NVMe/MMC drives and resulted in the swap partition being used without > > ++ encryption. It also resulted in a usability issue in that users were > > ++ erroneously prompted to enter a pass-phrase to unlock their swap > partition > > ++ at boot. 
(LP: #1597154) > > ++ > > + ecryptfs-utils-74 > > + [ Michal Hlavinka ] > > + * Changes for RH/Fedora release > > +diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap > > +index 41cf18a..e4785d7 100755 > > +--- a/src/utils/ecryptfs-setup-swap > > ++++ b/src/utils/ecryptfs-setup-swap > > +@@ -166,8 +166,14 @@ for swap in $swaps; do > > + # If this is a GPT partition, mark it as no-auto mounting, to avoid > > + # auto-activating it on boot > > + if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; > then > > +- drive="${swap%[0-9]*}" > > +- partno="${swap#$drive}" > > ++ # Correctly handle NVMe/MMC drives, as well as any similar > physical > > ++ # block device that follow the "/dev/foo0p1" pattern (LP: > #1597154) > > ++ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then > > ++ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") > > ++ else > > ++ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") > > ++ fi > > ++ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") > > + if [ -b "$drive" ]; then > > + if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* > GUID:.*\b63\b"; then > > + echo "$swap is already marked as no-auto" > > +-- > > +1.9.1 > > + -- _______________________________________________ yocto mailing list yocto@yoctoproject.org<mailto:yocto@yoctoproject.org> https://lists.yoctoproject.org/listinfo/yocto
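Review bot: in the ecryptfs-utils_111.bb hunk, DEPENDS pulls in libpam unconditionally and EXTRA_OECONF never passes the --disable-pam switch Armin mentions, which is exactly why libpam's do_pam_sanity warns when 'pam' is not in DISTRO_FEATURES; suggest replacing the hard dependency with a PACKAGECONFIG keyed on the distro feature, e.g. `PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"` together with `PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam"` (and drop libpam from DEPENDS), so a non-PAM distro gets a build without the PAM module instead of one that links libpam but cannot authenticate. Also in do_install_append, `chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private` installs the mount helper setuid root without any comment saying why; since that binary is the most privilege-sensitive part of the package, a one-line comment stating the reason would help anyone auditing the recipe later.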
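Review bot: in the ecryptfs-utils-CVE-2016-6224.patch hunk, `Upstream-Status: backport` should be written `Upstream-Status: Backport`, the capitalised form OE expects for that tag. The ChangeLog hunk adds an ecryptfs-utils-112 entry on top of the 111 tarball; it is harmless but not part of the fix and is the piece most likely to stop applying on a version bump, so keeping only the src/utils/ecryptfs-setup-swap change would make the backport smaller and more robust. The script change itself reads correctly: device names matching the `/dev/foo0p1` pattern are routed through the sed that strips the trailing `pN`, so the GPT no-auto marking that stops systemd from enabling the swap partition unencrypted now also reaches NVMe/MMC drives, which is the CVE being addressed.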