Accepting request 541775 from security

- The license is GPL-2.0 (without + / or later) - Update to 111 * upstream provides no changelog - add ecryptfs-utils-openssl11.patch to support build with OpenSSL 1.1 (bsc#1066937) - drop validate-mount-destination-fs-type.patch (upstream) OBS-URL: https://build.opensuse.org/request/show/541775 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ecryptfs-utils?expand=0&rev=49
2017-11-15 15:59:05 +00:00 · 2017-11-15 15:59:05 +00:00 · 14f154f14c
commit 14f154f14c
parent e25f415e9b 40edd8d6ae
6 changed files with 191 additions and 110 deletions
--- a/ecryptfs-utils-openssl11.patch
+++ b/ecryptfs-utils-openssl11.patch
@ -0,0 +1,166 @@
+=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c'
+--- src/key_mod/ecryptfs_key_mod_openssl.c	2013-10-25 19:45:09 +0000
+++ src/key_mod/ecryptfs_key_mod_openssl.c	2017-06-02 18:27:28 +0000
+@@ -41,6 +41,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <libgen.h>
+#include <openssl/bn.h>
+ #include <openssl/pem.h>
+ #include <openssl/rsa.h>
+ #include <openssl/err.h>
+@@ -55,6 +56,19 @@
+ 	char *passphrase;
+ };
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void RSA_get0_key(const RSA *r,
+                 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+   if (n != NULL)
+       *n = r->n;
+   if (e != NULL)
+       *e = r->e;
+   if (d != NULL)
+       *d = r->d;
+}
+#endif
+
+ static void
+ ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)
+ {
+@@ -142,6 +156,7 @@
+ {
+ 	int len, nbits, ebits, i;
+ 	int nbytes, ebytes;
+	const BIGNUM *key_n, *key_e;
+ 	unsigned char *hash;
+ 	unsigned char *data = NULL;
+ 	int rc = 0;
+@@ -152,11 +167,13 @@
+ 		rc = -ENOMEM;
+ 		goto out;
+ 	}
+-	nbits = BN_num_bits(key->n);
+	RSA_get0_key(key, &key_n, NULL, NULL);
+	nbits = BN_num_bits(key_n);
+ 	nbytes = nbits / 8;
+ 	if (nbits % 8)
+ 		nbytes++;
+-	ebits = BN_num_bits(key->e);
+	RSA_get0_key(key, NULL, &key_e, NULL);
+	ebits = BN_num_bits(key_e);
+ 	ebytes = ebits / 8;
+ 	if (ebits % 8)
+ 		ebytes++;
+@@ -179,11 +196,13 @@
+ 	data[i++] = '\02';
+ 	data[i++] = (nbits >> 8);
+ 	data[i++] = nbits;
+-	BN_bn2bin(key->n, &(data[i]));
+	RSA_get0_key(key, &key_n, NULL, NULL);
+	BN_bn2bin(key_n, &(data[i]));
+ 	i += nbytes;
+ 	data[i++] = (ebits >> 8);
+ 	data[i++] = ebits;
+-	BN_bn2bin(key->e, &(data[i]));
+	RSA_get0_key(key, NULL, &key_e, NULL);
+	BN_bn2bin(key_e, &(data[i]));
+ 	i += ebytes;
+ 	SHA1(data, len + 3, hash);
+ 	to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
+@@ -278,7 +297,9 @@
+ 	BIO *in = NULL;
+ 	int rc;
+ 
+	#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_malloc_init();
+	#endif
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_algorithms();
+ 	ENGINE_load_builtin_engines();
+
+=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c'
+--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2013-10-25 19:45:09 +0000
+++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2017-06-02 18:27:28 +0000
+@@ -41,6 +41,7 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+#include <openssl/bn.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/x509.h>
+@@ -77,6 +78,19 @@
+ typedef const unsigned char *__pkcs11_openssl_d2i_t;
+ #endif
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void RSA_get0_key(const RSA *r,
+                 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+   if (n != NULL)
+       *n = r->n;
+   if (e != NULL)
+       *e = r->e;
+   if (d != NULL)
+       *d = r->d;
+}
+#endif
+
+ /**
+  * ecryptfs_pkcs11h_deserialize
+  * @pkcs11h_data: The deserialized version of the key module data;
+@@ -282,7 +296,11 @@
+ 		goto out;
+ 	}
+ 	
+	#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (pubkey->type != EVP_PKEY_RSA) {
+	#else
+	if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
+	#endif
+ 		syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
+ 		rc = -EIO;
+ 		goto out;
+@@ -318,6 +336,7 @@
+ 	int nbytes, ebytes;
+ 	char *hash = NULL;
+ 	char *data = NULL;
+	const BIGNUM *rsa_n, *rsa_e;
+ 	int rc;
+ 
+ 	if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
+@@ -331,11 +350,13 @@
+ 		rc = -ENOMEM;
+ 		goto out;
+ 	}
+-	nbits = BN_num_bits(rsa->n);
+	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
+	nbits = BN_num_bits(rsa_n);
+ 	nbytes = nbits / 8;
+ 	if (nbits % 8)
+ 		nbytes++;
+-	ebits = BN_num_bits(rsa->e);
+	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
+	ebits = BN_num_bits(rsa_e);
+ 	ebytes = ebits / 8;
+ 	if (ebits % 8)
+ 		ebytes++;
+@@ -358,11 +379,13 @@
+ 	data[i++] = '\02';
+ 	data[i++] = (char)(nbits >> 8);
+ 	data[i++] = (char)nbits;
+-	BN_bn2bin(rsa->n, &(data[i]));
+	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
+	BN_bn2bin(rsa_n, &(data[i]));
+ 	i += nbytes;
+ 	data[i++] = (char)(ebits >> 8);
+ 	data[i++] = (char)ebits;
+-	BN_bn2bin(rsa->e, &(data[i]));
+	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
+	BN_bn2bin(rsa_e, &(data[i]));
+ 	i += ebytes;
+ 	SHA1(data, len + 3, hash);
+ 	to_hex(sig, hash, ECRYPTFS_SIG_SIZE);
+
--- a/ecryptfs-utils.changes
+++ b/ecryptfs-utils.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Nov 14 10:25:45 UTC 2017 - meissner@suse.com
+
+- The license is GPL-2.0 (without + / or later)
+
+-------------------------------------------------------------------
+Tue Nov  7 14:27:25 UTC 2017 - vcizek@suse.com
+
+- Update to 111
+  * upstream provides no changelog
+- add ecryptfs-utils-openssl11.patch to support build with
+  OpenSSL 1.1 (bsc#1066937)
+
+-------------------------------------------------------------------
+Tue Nov  7 14:18:15 UTC 2017 - vcizek@suse.com
+
+- drop validate-mount-destination-fs-type.patch (upstream)
+
 -------------------------------------------------------------------
 Thu Mar  9 18:47:05 UTC 2017 - sfalken@opensuse.org

--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@ -18,10 +18,10 @@

 %define lname   libecryptfs1
 Name:           ecryptfs-utils
-Version:        108
+Version:        111
 Release:        0
 Summary:        Userspace Utilities for ecryptfs
-License:        GPL-2.0+
+License:        GPL-2.0
 Group:          Productivity/Security
 Url:            http://ecryptfs.org/
 Source0:        http://launchpad.net/ecryptfs/trunk/%{version}/+download/ecryptfs-utils_%{version}.orig.tar.gz
@ -31,7 +31,7 @@ Source2:        ecryptfs-mount-private.png
 Patch0:         ecryptfs-setup-swap-SuSE.patch
 # PATCH-FIX-OPENSUSE build with -fpie/-pie
 Patch1:         ecryptfs-utils-src-utils-Makefile.patch
-Patch2:         validate-mount-destination-fs-type.patch
+Patch2:         ecryptfs-utils-openssl11.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -77,7 +77,7 @@ A stacked cryptographic filesystem for Linux.
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
+%patch2 -p0

 %build
 export RPM_OPT_FLAGS="%{optflags} -fno-strict-aliasing"
--- a/ecryptfs-utils_108.orig.tar.gz
+++ b/ecryptfs-utils_108.orig.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:52838b1ad41113ba88a4318b19af10cf307100c6b3f62c608998d40312fbd7dd
-size 659465
--- a/ecryptfs-utils_111.orig.tar.gz
+++ b/ecryptfs-utils_111.orig.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
+size 684115
--- a/validate-mount-destination-fs-type.patch
+++ b/validate-mount-destination-fs-type.patch
@ -1,103 +0,0 @@
-From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
-From: Tyler Hicks <tyhicks@canonical.com>
-Date: Thu, 7 Jan 2016 19:39:14 -0600
-Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
-
-Refuse to mount over non-standard filesystems. Mounting over
-certain types filesystems is a red flag that the user is doing
-something devious, such as mounting over the /proc/self symlink
-target with malicious content in order to confuse programs that may
-attempt to parse those files. (LP: #1530566)
-
-https://launchpad.net/bugs/1530566
---
- debian/changelog                   |  8 +++++
- src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
- 2 files changed, 69 insertions(+)
-
-Index: ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c
-===================================================================
--- ecryptfs-utils-108.orig/src/utils/mount.ecryptfs_private.c
-+++ ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c
-@@ -30,6 +30,7 @@
- #include <sys/param.h>
- #include <sys/stat.h>
- #include <sys/types.h>
-+#include <sys/vfs.h>
- #include <ctype.h>
- #include <errno.h>
- #include <keyutils.h>
-@@ -220,6 +221,62 @@ err:
- 	return NULL;
- }
- 
-+static int check_cwd_f_type()
-+{
-+	/**
-+	 * This is *not* a list of compatible lower filesystems list for
-+	 * eCryptfs. This is a list of filesystems that we reasonably expect to
-+	 * see mount.ecryptfs_private users mounting on top of. In other words,
-+	 * the filesystem type of the 'target' parameter of mount(2).
-+	 *
-+	 * This whitelist is to prevent malicious mount.ecryptfs_private users
-+	 * from mounting over filesystem types such as PROC_SUPER_MAGIC to
-+	 * deceive other programs with a crafted /proc/self/*. See
-+	 * https://launchpad.net/bugs/1530566 for more details.
-+	 */
-+	__SWORD_TYPE f_type_whitelist[] = {
-+		0x61756673 /* AUFS_SUPER_MAGIC */,
-+		0x9123683E /* BTRFS_SUPER_MAGIC */,
-+		0x00C36400 /* CEPH_SUPER_MAGIC */,
-+		0xFF534D42 /* CIFS_MAGIC_NUMBER */,
-+		0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
-+		0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
-+		0xF2F52010 /* F2FS_SUPER_MAGIC */,
-+		0x65735546 /* FUSE_SUPER_MAGIC */,
-+		0x01161970 /* GFS2_MAGIC */,
-+		0x3153464A /* JFS_SUPER_MAGIC */,
-+		0x0000564C /* NCP_SUPER_MAGIC */,
-+		0x00006969 /* NFS_SUPER_MAGIC */,
-+		0x00003434 /* NILFS_SUPER_MAGIC */,
-+		0x5346544E /* NTFS_SB_MAGIC */,
-+		0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
-+		0x52654973 /* REISERFS_SUPER_MAGIC */,
-+		0x73717368 /* SQUASHFS_MAGIC */,
-+		0x01021994 /* TMPFS_MAGIC */,
-+		0x58465342 /* XFS_SB_MAGIC */,
-+		0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
-+	};
-+	struct statfs buf;
-+	size_t i, whitelist_len;
-+
-+	if (statfs(".", &buf) != 0) {
-+		fprintf(stderr, "Failed to check filesystem type: %m\n");
-+		return 1;
-+	}
-+
-+	whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
-+	for (i = 0; i < whitelist_len; i++) {
-+		if (buf.f_type == f_type_whitelist[i]) {
-+			return 0;
-+		}
-+	}
-+
-+	fprintf(stderr,
-+		"Refusing to mount over an unapproved filesystem type: %#lx\n",
-+		buf.f_type);
-+	return 1;
-+}
-+
- int check_ownership_mnt(uid_t uid, char **mnt) {
- /* Check ownership of mount point, chdir into it, and
-  * canonicalize the path for use in mtab updating.
-@@ -682,6 +739,10 @@ int main(int argc, char *argv[]) {
-  		goto fail;
-  	}
- 
-+	if (check_cwd_f_type() != 0) {
-+		goto fail;
-+	}
-+
- 	if (mounting == 1) {
- 		/* Increment mount counter, errors non-fatal */
- 		if (increment(fh_counter) < 0) {