Accepting request 645684 from security

OBS-URL: https://build.opensuse.org/request/show/645684 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=103
2018-11-06 14:25:37 +00:00 · 2018-11-06 14:25:37 +00:00 · 96adeab889
commit 96adeab889
parent 873a55aadc 3dd02a4dcc
6 changed files with 136 additions and 55 deletions
--- a/cryptsetup-2.0.4.tar.sign
+++ b/cryptsetup-2.0.4.tar.sign
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+
-mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD
-/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j
-zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg
-bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW
-In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f
-/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy
-4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI
-MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3
-vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp
-S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD
-NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M=
-=V9r2
-----END PGP SIGNATURE-----
--- a/cryptsetup-2.0.4.tar.xz
+++ b/cryptsetup-2.0.4.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734
-size 10444544
--- a/cryptsetup-2.0.5.tar.sign
+++ b/cryptsetup-2.0.5.tar.sign
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlvVz2sACgkQ2bBXe9k+
+mPyYuQ//fNwPronpHFrOzmv277cfzVT6zrgLKOaf/YlqA0h5XmBVX9xcOD9rXhda
+ld9rumIQn9s8G8HLavxxxhnciqeNOS0T/1ry3NVpxYdfF1FptIjchH/Lo697P5dX
+C1oAqchOqfxjm6dwmbllvXTgoHV657JUC5tuaL6Wl26DrhImmAgNi42yZehNtHZz
+8FN0Fc0muU06LUmKR2a4P5xj2SvlNntMnvld+qLHf+k+bBrcJyu2cqaBNns45mXy
+uDHXclP+8ofXW3mELmSBJ89GzLkr8Zpxp2dITv2GqtewX1MH5b8cMUwIVsCClqHl
+2YNGhMqRkDDj0C8u8JpYvmmZxcMUaKr5EMze18NeqPXpZCBoW5nvEtsS7hWbCdyu
+VPqdP4mHfHeQtZkk3U4SZLEU7xFzcTwhgpxRQPe6ujyz+PlrOLk0Z9js9WgOJZ1U
+7a9YNnXWlNIcVqOoYm9SPBo9nj+eoVUr2GG3lT02udj5YhGZjDG0gbjgtM99jg+T
+Bcv/h9abx6a2TmPIRW9Pa98ggIaeY3HbAK4D4xBritrfhvtyXMAYWbwj8ZkyCsCX
+41I10Eh3dNXR6/OJQFjKv7RCqGzanyCzEG0F+G4mw5xqPx5jhowmjI7GaC54X7UZ
+7RWYt1pl8F+UGIbBRl3BWuI+cHM0RBJ4Jx53f6zpqDP9hL58RbA=
+=o3rq
+-----END PGP SIGNATURE-----
--- a/cryptsetup-2.0.5.tar.xz
+++ b/cryptsetup-2.0.5.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0f72ca2c824a5a555dc8924413dfe947eca23ab2e30bcff54eaafefe5fe301d
+size 10476304
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Oct 30 10:10:35 UTC 2018 - lnussel@suse.de
+
+- Suggest hmac package (boo#1090768)
+- remove old upgrade hack for upgrades from 12.1
+- New version 2.0.5
+
+  Changes since version 2.0.4
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+  * Wipe full header areas (including unused) during LUKS format.
+
+    Since this version, the whole area up to the data offset is zeroed,
+    and subsequently, all keyslots areas are wiped with random data.
+    This ensures that no remaining old data remains in the LUKS header
+    areas, but it could slow down format operation on some devices.
+    Previously only first 4k (or 32k for LUKS2) and the used keyslot
+    was overwritten in the format operation.
+
+  * Several fixes to error messages that were unintentionally replaced
+    in previous versions with a silent exit code.
+    More descriptive error messages were added, including error
+    messages if
+     - a device is unusable (not a block device, no access, etc.),
+     - a LUKS device is not detected,
+     - LUKS header load code detects unsupported version,
+     - a keyslot decryption fails (also happens in the cipher check),
+     - converting an inactive keyslot.
+
+  * Device activation fails if data area overlaps with LUKS header.
+
+  * Code now uses explicit_bzero to wipe memory if available
+    (instead of own implementation).
+
+  * Additional VeraCrypt modes are now supported, including Camellia
+    and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
+    hash function. These were introduced in a recent VeraCrypt upstream.
+
+    Note that Kuznyechik requires out-of-tree kernel module and
+    Streebog hash function is available only with the gcrypt cryptographic
+    backend for now.
+
+  * Fixes static build for integritysetup if the pwquality library is used.
+
+  * Allows passphrase change for unbound keyslots.
+
+  * Fixes removed keyslot number in verbose message for luksKillSlot,
+    luksRemoveKey and erase command.
+
+  * Adds blkid scan when attempting to open a plain device and warn the user
+    about existing device signatures in a ciphertext device.
+
+  * Remove LUKS header signature if luksFormat fails to add the first keyslot.
+
+  * Remove O_SYNC from device open and use fsync() to speed up
+    wipe operation considerably.
+
+  * Create --master-key-file in luksDump and fail if the file already exists.
+
+  * Fixes a bug when LUKS2 authenticated encryption with a detached header
+    wiped the header device instead of dm-integrity data device area (causing
+    unnecessary LUKS2 header auto recovery).
+
+-------------------------------------------------------------------
+Tue Oct 30 09:55:50 UTC 2018 - lnussel@suse.de
+
+- make parallell installable version for SLE12
+
 -------------------------------------------------------------------
 Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de

--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@ -17,8 +17,12 @@


 %define so_ver 12
+%if 0%{?is_backports}
+Name:           cryptsetup2
+%else
 Name:           cryptsetup
-Version:        2.0.4
+%endif
+Version:        2.0.5
 Release:        0
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 License:        SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
@ -28,7 +32,7 @@ Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetu
 # GPG signature of the uncompressed tarball.
 Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.sign
 Source2:        baselibs.conf
-Source3:        %{name}.keyring
+Source3:        cryptsetup.keyring
 BuildRequires:  device-mapper-devel
 BuildRequires:  fipscheck
 BuildRequires:  fipscheck-devel
@ -44,6 +48,11 @@ BuildRequires:  popt-devel
 BuildRequires:  suse-module-tools
 BuildRequires:  pkgconfig(blkid)
 BuildRequires:  pkgconfig(libargon2)
+%if 0%{?is_backports}
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+%endif
 Requires(post): coreutils
 Requires(postun): coreutils

@ -57,6 +66,7 @@ time via the config file %{_sysconfdir}/crypttab.
 %package -n libcryptsetup%{so_ver}
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          System/Libraries
+Suggests:       libcryptsetup%{so_ver}-hmac

 %description -n libcryptsetup%{so_ver}
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
@ -73,7 +83,7 @@ Group:          System/Base
 This package contains HMAC checksums for integrity checking of libcryptsetup4,
 used for FIPS.

-%package -n libcryptsetup-devel
+%package -n lib%{name}-devel
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
@ -81,8 +91,12 @@ Requires:       libcryptsetup%{so_ver} = %{version}
 # cryptsetup-devel last used 11.1
 Provides:       cryptsetup-devel = %{version}
 Obsoletes:      cryptsetup-devel < %{version}
+%if 0%{?is_backports}
+# have to conflict with main package that is in SLE
+Conflicts:      cryptsetup-devel < %{version}
+%endif

-%description -n libcryptsetup-devel
+%description -n lib%{name}-devel
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
 targets. It allows to set up targets to read cryptoloop compatible
 volumes as well as LUKS formatted ones. The package additionally
@ -90,7 +104,11 @@ includes support for automatically setting up encrypted volumes at boot
 time via the config file %{_sysconfdir}/crypttab.

 %prep
-%setup -q
+%setup -n cryptsetup-%{version} -q
+%if 0%{?is_backports}
+sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
+autoreconf -f -i
+%endif

 %build
 %configure \
@ -114,58 +132,53 @@ make %{?_smp_mflags} V=1
 %{nil}

 %make_install
+%if 0%{?is_backports}
+# need to rename a files to avoid file conflict
+for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do
+	mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2
+	mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8
+done
+rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf
+%endif
 install -dm 0755 %{buildroot}/sbin
-ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin
+ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin
 # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
 find %{buildroot} -type f -name "*.la" -delete -print
 #
 %find_lang %{name} --all-name

+%if !0%{?is_backports}
+#
 %post
-test -n "$FIRST_ARG" || FIRST_ARG="$1"
-#
-# convert noauto to nofail and turn on fsck (bnc#724113)
-#
-marker="%{_localstatedir}/adm/crypsetup.fstab.noauto_converted"
-if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
-	echo "updating %{_sysconfdir}/fstab ... "
-	tmpfstab="%{_sysconfdir}/fstab.cryptsetup.$$"
-	sed -e '/^\/dev\/mapper\/cr_.*,noauto\s/{s/,noauto\(\s\)/,nofail\1/;s/ 0 0$/ 0 2/}' < %{_sysconfdir}/fstab > "$tmpfstab"
-	if diff -u0 %{_sysconfdir}/fstab "$tmpfstab"; then
-		echo "no change"
-		rm -f "$tmpfstab"
-		> "$marker"
-	else
-		cp "$tmpfstab" "$marker"
-		mv "$tmpfstab" %{_sysconfdir}/fstab
-	fi
-fi
-
 %{?regenerate_initrd_post}
-%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf

 %postun
 %{?regenerate_initrd_post}

 %posttrans
 %{?regenerate_initrd_posttrans}
+#
+%endif

 %post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
 %postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig

 %files -f %{name}.lang
 %doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes
-/sbin/cryptsetup
-%{_sbindir}/cryptsetup
-%{_sbindir}/veritysetup
-%{_sbindir}/integritysetup
-%{_sbindir}/cryptsetup-reencrypt
-%{_mandir}/man8/cryptsetup.8%{ext_man}
-%{_mandir}/man8/cryptsetup-reencrypt.8%{ext_man}
-%{_mandir}/man8/veritysetup.8%{ext_man}
-%{_mandir}/man8/integritysetup.8%{ext_man}
+/sbin/cryptsetup%{?is_backports:2}
+%{_sbindir}/cryptsetup%{?is_backports:2}
+%{_sbindir}/veritysetup%{?is_backports:2}
+%{_sbindir}/integritysetup%{?is_backports:2}
+%{_sbindir}/cryptsetup-reencrypt%{?is_backports:2}
+%{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/veritysetup%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/integritysetup%{?is_backports:2}.8%{ext_man}
+%if !0%{?is_backports}
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %dir /run/cryptsetup
+%endif

 %files -n libcryptsetup%{so_ver}
 %{_libdir}/libcryptsetup.so.%{so_ver}*
@ -173,7 +186,7 @@ fi
 %files -n libcryptsetup%{so_ver}-hmac
 %{_libdir}/.libcryptsetup.so.%{so_ver}*hmac

-%files -n libcryptsetup-devel
+%files -n lib%{name}-devel
 %doc docs/examples/
 %{_includedir}/libcryptsetup.h
 %{_libdir}/libcryptsetup.so