Accepting request 329788 from home:adra:branches:security

Update to 1.6.8 OBS-URL: https://build.opensuse.org/request/show/329788 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=124
2015-10-12 09:14:03 +00:00 · 2015-10-12 09:14:03 +00:00 · ce789c545b
commit ce789c545b
parent 2ebbcc2226
6 changed files with 56 additions and 24 deletions
--- a/cryptsetup-1.6.7.tar.sign
+++ b/cryptsetup-1.6.7.tar.sign
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIbBAABCAAGBQJVEE3fAAoJENmwV3vZPpj8ql4P9ijvmO15ur4wpcGFkNYyzfuA
-Y17yaTT6Nde8cGLUCpw7rPBoxL/b4ZArJnNk9UP73MyycxfVijaX5XxxoQbpL8n0
-cn1vdXTFzqXGBTJkjO0uQor1szQbvaz7xbk7LeBgG+j/zZGRa/0AKs42qvTaWzHu
-G50AqksMGFV1ih+d4wYdD+AqcUf6h+1HQRjq/DqEurg1EHQ+iMqem1htvrzTq8+V
-ym3xHM+JxJ04syzPb92VntSmyfX6ztmh+61cflQiOrIbTw+MFeGmYMOTufkWmQFi
-gFC+7mXTjO1YkmN+RFYZ52WY3shk3BLhAXT/pFlGFjwfHqrvFgfj+Iu9STVs2du2
-LLa+xF5yxaKyHHKkw2wn7edeepzfwSp0+lmDy8B0SGXh5wGNreNSX3IMAdJeJztM
-7EyJa5JUSMfKWPHzy1gGYZRN/NQGGqG3c1+Sw5hy/ukFtLC4DSu5OtJNOt2c8MNw
-+XPXh+Ssy+ma9e0E+pnmRYQ/nY2BWuN/gFB5Gvr08d4hifP9+LzI+bgQx4gNjB5Y
-9py0moXVOxn/TICXSFgjDmvYgw7BZRVtaHFfkiKA5DrBeS07MROKzL59ykiuU7HW
-HvCs3icShV+oSt79bMa7E+QhKRsBicS30QyLecttHkxbLxSg55qFpMa7m8+6VG2Y
-LsfZNLwWJmf8jU9YUY0=
-=jDZw
-----END PGP SIGNATURE-----
--- a/cryptsetup-1.6.7.tar.xz
+++ b/cryptsetup-1.6.7.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c23c24c8d662032da8650c1c84985221be8bbedf4737c1540bba7e4517dfe820
-size 1188876
--- a/cryptsetup-1.6.8.tar.sign
+++ b/cryptsetup-1.6.8.tar.sign
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCAAGBQJV7r+oAAoJENmwV3vZPpj8KEsP/2BTTiaXCzwvqupSAo7dFpET
+Tugtc99Nzrv8Yc4nNvboxXSD7/TOZYAEWz787KPANJo3Ks46F3BB9KjeqRxhnGAX
+Ce9wi8ufdjECSZjNDxl5tcJrmrmftAgBbZhPIaYE7wZuxF71Cl769XHdgVvSV2w
+pyGbiqXdcnMVw1q4npndZNsVoMZ4vB1bEfz8AAgC6idF/yiAw2tI7VjUZfrNDd0b
+mc6IOmDslyGxA1565w/HSiZqxqaZTsVGfwfluxTwpu+Du9eMHeViJV/4Z1Aka5lF
+wNxnJZro9UlGkRCWXR6zZYXPrHEHGaNlwObUpWcfHSLNTP9ulgPY0tkVnXuY7uom
+JGtGCdVPsqxCaBg8fd+QQRbPZqrIZGw+wgjikqTs9gnd+LdUBxHDuseRuE+mkk0w
+cZW2RQf9f4nYj7LUvLuY0NBQ9brHsrU/IqjWQWnPrzmdCh2pdnb6UmOyWH0dcYcB
+ldReYWbbCBO132QZuT53VJv/c4XATnEQLIgOaT3AUddVUAEvkNephesN1/rjuAKG
+OwTVelvo4gp0ncYPZiQHzkVe5mTt/7JVyuXYDO/tnm4JYn9ZFQj00ZoGTeywWAGR
+5xNH7Gjo8JGNm9oI358jfQw6zLBWn3FdyDgoxxvupNC6wi/O+7Gb86PxyMFn7Lii
+sF1YN0no4oN+OyCDU17N
+=apNw
+-----END PGP SIGNATURE-----
--- a/cryptsetup-1.6.8.tar.xz
+++ b/cryptsetup-1.6.8.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45a6ccd3c65b7d904e58e1cb3656a7e997190b6a05b5ff7c6887e4a41c5f19bc
+size 1221232
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Tue Sep  8 20:19:34 UTC 2015 - asterios.dramis@gmail.com
+
+- Update to 1.6.8
+  * If the null cipher (no encryption) is used, allow only empty
+    password for LUKS. (Previously cryptsetup accepted any password
+    in this case.)
+    The null cipher can be used only for testing and it is used
+    temporarily during offline encrypting not yet encrypted device
+    (cryptsetup-reencrypt tool).
+    Accepting only empty password prevents situation when someone
+    adds another LUKS device using the same UUID (UUID of existing
+    LUKS device) with faked header containing null cipher.
+    This could force user to use different LUKS device (with no
+    encryption) without noticing.
+    (IOW it prevents situation when attacker intentionally forces
+    user to boot into different system just by LUKS header
+    manipulation.)
+    Properly configured systems should have an additional integrity
+    protection in place here (LUKS here provides only
+    confidentiality) but it is better to not allow this situation
+    in the first place.
+    (For more info see QubesOS Security Bulletin QSB-019-2015.)
+  * Properly support stdin "-" handling for luksAddKey for both new
+    and old keyfile parameters.
+  * If encrypted device is file-backed (it uses underlying loop
+    device), cryptsetup resize will try to resize underlying loop
+    device as well. (It can be used to grow up file-backed device
+    in one step.)
+  * Cryptsetup now allows to use empty password through stdin pipe.
+    (Intended only for testing in scripts.)
+
 -------------------------------------------------------------------
 Sun Apr 12 18:45:26 UTC 2015 - crrodriguez@opensuse.org

--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@ -18,12 +18,12 @@

 %define so_ver 4
 Name:           cryptsetup
-Version:        1.6.7
+Version:        1.6.8
 Release:        0
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 License:        SUSE-GPL-2.0-with-openssl-exception and LGPL-2.0+
 Group:          System/Base
-Url:            http://code.google.com/p/cryptsetup/
+Url:            https://gitlab.com/cryptsetup/cryptsetup/
 Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.xz
 # GPG signature of the uncompressed tarball.
 Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.sign
@ -61,11 +61,11 @@ volumes as well as LUKS formatted ones. The package additionally
 includes support for automatically setting up encrypted volumes at boot
 time via the config file %{_sysconfdir}/crypttab.

-%package -n libcryptsetup4-hmac
+%package -n libcryptsetup%{so_ver}-hmac
 Summary:        Checksums for libcryptsetup4
 Group:          System/Base

-%description -n libcryptsetup4-hmac
+%description -n libcryptsetup%{so_ver}-hmac
 This package contains HMAC checksums for integrity checking of libcryptsetup4,
 used for FIPS.