author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 13:14:45 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 13:14:45 +0000 |
commit | 1ceecc69711e82bee12203b95ac8fccfaad58b2d (patch) | |
tree | ef6b46cbd3d743073ea886c5d1eea074a0a2e295 /debian/patches | |
parent | Adding upstream version 2.36.1. (diff) | |
Adding debian version 2.36.1-8+deb11u1.debian/2.36.1-8+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
13 files changed, 745 insertions, 0 deletions
diff --git a/debian/patches/debian/backport-ul_strtou64-function.patch b/debian/patches/debian/backport-ul_strtou64-function.patch
new file mode 100644
index 0000000..94fca90
--- /dev/null
+++ b/debian/patches/debian/backport-ul_strtou64-function.patch
@@ -0,0 +1,38 @@
+Description: include/strutils: Add ul_strtou64() function
+Origin: backport, https://github.com/util-linux/util-linux/commit/84825b161ba5d18da4142893b9789b3fc71284d9
+Author: Salvatore Bonaccorso <carnil@debian.org>
+
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -16,6 +16,8 @@ extern int parse_size(const char *str, u
+ extern int strtosize(const char *str, uintmax_t *res);
+ extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
+
++extern int ul_strtou64(const char *str, uint64_t *num, int base);
++
+ extern int16_t strtos16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
+--- a/lib/strutils.c
++++ b/lib/strutils.c
+@@ -319,6 +319,20 @@ char *strndup(const char *s, size_t n)
+ }
+ #endif
+
++int ul_strtou64(const char *str, uint64_t *num, int base)
++{
++ char *end = NULL;
++
++ errno = 0;
++ if (str == NULL || *str == '\0')
++ return -EINVAL;
++ *num = (uint64_t) strtoumax(str, &end, base);
++
++ if (errno || str == end || (end && *end))
++ return -EINVAL;
++ return 0;
++}
++
+ static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
+ static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
+
diff --git a/debian/patches/debian/man-getopt-examples.patch b/debian/patches/debian/man-getopt-examples.patch
new file mode 100644
index 0000000..171a996
--- /dev/null
+++ b/debian/patches/debian/man-getopt-examples.patch
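Review bot: `ul_strtou64()` in lib/strutils.c passes the string straight to `strtoumax()`, which skips leading whitespace and accepts a sign, so an input with a leading `-` is negated modulo 2^64 and reported as success with `errno` still 0. The same series uses this function to parse the `user_id` mount option in `mnt_optstr_get_uid()` (the CVE-2021-3995 patch), where a wrapped value is not what the caller means by a valid UID. The guard could reject such inputs before converting, e.g. `if (str == NULL || *str == '\0' || *str == '-' || isspace((unsigned char) *str)) return -EINVAL;` (whether `<ctype.h>` is already included is not visible in the hunk). `*num` is also written before the error check, so callers see a modified output on failure; assigning through a local first, or a comment stating this, would help.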
@@ -0,0 +1,24 @@
+From: Matthew Vernon <matthew@debian.org>
+Date: Tue, 6 Nov 2018 11:49:21 +0000
+Subject: util-linux: getopt(1) should point to where examples are on a Debian
+ system
+
+Debian BTS #913049
+---
+ misc-utils/getopt.1 | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/misc-utils/getopt.1 b/misc-utils/getopt.1
+index 356e16a..e76cefa 100644
+--- a/misc-utils/getopt.1
++++ b/misc-utils/getopt.1
+@@ -418,8 +418,7 @@ if it is called with
+ Example scripts for (ba)sh and (t)csh are provided with the
+ .BR getopt (1)
+ distribution, and are installed in
+-.I /usr/share/doc/util-linux/getopt/
+-directory.
++.I /usr/share/doc/util-linux/examples/ .
+ .SH ENVIRONMENT
+ .IP POSIXLY_CORRECT
+ This environment variable is examined by the
diff --git a/debian/patches/debian/verbose-tests.patch b/debian/patches/debian/verbose-tests.patch
new file mode 100644
index 0000000..416d660
--- /dev/null
+++ b/debian/patches/debian/verbose-tests.patch
@@ -0,0 +1,45 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Wed, 30 Jul 2014 14:28:17 +0200
+Subject: verbose-tests
+
+Enable verbose tests and print content of failing tests output file.
+---
+ tests/Makemodule.am | 2 +-
+ tests/functions.sh | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tests/Makemodule.am b/tests/Makemodule.am
+index 31cf70f..4001672 100644
+--- a/tests/Makemodule.am
++++ b/tests/Makemodule.am
+@@ -13,7 +13,7 @@ clean-local-tests:
+
+ CLEAN_LOCALS += clean-local-tests
+
+-TESTS_OPTIONS = --nonroot
++TESTS_OPTIONS = --nonroot --verbose --parallel=1
+ TESTS_PARALLEL = --parallel
+ TESTS_COMMAND = $(top_srcdir)/tests/run.sh \
+ --srcdir=$(abs_top_srcdir) \
+diff --git a/tests/functions.sh b/tests/functions.sh
+index da6eac4..9ef8443 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -148,6 +148,17 @@ function ts_failed_subtest {
+ ts_report " $msg ($1)"
+ fi
+
++ if [ "$TS_VERBOSE" = "yes" ]; then
++ echo ========= script: $TS_SCRIPT =================
++ echo ================= OUTPUT =====================
++ cat -n $TS_OUTPUT
++ echo ================= EXPECTED ===================
++ cat -n $TS_EXPECTED
++ echo ================= O/E diff ===================
++ diff -u $TS_OUTPUT $TS_EXPECTED
++ echo ==============================================
++ fi
++
+ return $ret
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..467522b
--- /dev/null
+++ b/debian/patches/series
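Review bot: The block added to `ts_failed_subtest` in tests/functions.sh expands `$TS_SCRIPT`, `$TS_OUTPUT` and `$TS_EXPECTED` unquoted, so a path containing whitespace or glob characters is split or expanded before `cat` and `diff` receive it. Quote the expansions, e.g. `cat -n "$TS_OUTPUT"` and `diff -u "$TS_OUTPUT" "$TS_EXPECTED"`. The function starts above the hunk, so how these variables are set is not visible here.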
@@ -0,0 +1,12 @@
+upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch
+upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch
+upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
+upstream/Manual-pages-document-the-resize-command.patch
+debian/man-getopt-examples.patch
+debian/verbose-tests.patch
+upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch
+upstream/libmount-allow-read-only-for-not-root-users.patch
+upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
+debian/backport-ul_strtou64-function.patch
+upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch
+upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch
diff --git a/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch b/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
new file mode 100644
index 0000000..19c9491
--- /dev/null
+++ b/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
@@ -0,0 +1,36 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Nov 2020 09:49:16 +0100
+Subject: [PATCH] libmount: don't use "symfollow" for helpers on user mounts
+
+Addresses: https://github.com/karelzak/util-linux/issues/1193
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/context_mount.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
+index 8c394c1..dd17861 100644
+--- a/libmount/src/context_mount.c
++++ b/libmount/src/context_mount.c
+@@ -415,6 +415,9 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
+ * string, because there is nothing like MS_EXEC (we only have
+ * MS_NOEXEC in mount flags and we don't care about the original
+ * mount string in libmount for VFS options).
++ *
++ * This use-case makes sense for MS_SECURE flags only (see
++ * mnt_optstr_get_flags() and mnt_context_merge_mflags()).
+ */
+ if (!(cxt->mountflags & MS_NOEXEC))
+ mnt_optstr_append_option(optstr, "exec", NULL);
+@@ -422,11 +425,8 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
+ mnt_optstr_append_option(optstr, "suid", NULL);
+ if (!(cxt->mountflags & MS_NODEV))
+ mnt_optstr_append_option(optstr, "dev", NULL);
+- if (!(cxt->mountflags & MS_NOSYMFOLLOW))
+- mnt_optstr_append_option(optstr, "symfollow", NULL);
+ }
+
+-
+ if (cxt->flags & MNT_FL_SAVED_USER)
+ rc = mnt_optstr_set_option(optstr, "user", cxt->orig_user);
+ if (rc)
diff --git a/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch b/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
new file mode 100644
index 0000000..51ef5ce
--- /dev/null
+++ b/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
@@ -0,0 +1,23 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: sys-utils/ipcutils: be careful when call calloc() for uint64 nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index 674b612..f2b04dd 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ size_t i;
+
+- if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ return;
+
+ p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
diff --git a/debian/patches/upstream/Manual-pages-document-the-resize-command.patch b/debian/patches/upstream/Manual-pages-document-the-resize-command.patch
new file mode 100644
index 0000000..9bb0390
--- /dev/null
+++ b/debian/patches/upstream/Manual-pages-document-the-resize-command.patch
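Review bot: The added `p->sem_nsems > SIZE_MAX` test in `get_sem_elements()` only guards the narrowing of the count to `size_t`; where `size_t` is as wide as the counter (the subject line calls it a uint64) the comparison can never be true, and the byte count `sem_nsems * sizeof(struct sem_elem)` is left entirely to `xcalloc()`, whose overflow handling is not visible in this hunk. Bounding the count by the element size states the intent and does not depend on the allocator: `if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX / sizeof(struct sem_elem) || p->sem_perm.id < 0)`. A one-line comment naming where `sem_nsems` comes from (outside the hunk, presumably data read from the system rather than computed locally) would explain why the bound is needed. The function body continues past the hunk.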
@@ -0,0 +1,31 @@
+From: Vincent McIntyre <vincent.mcintyre@csiro.au>
+Date: Fri, 1 Jan 2021 13:37:52 +1100
+Subject: Manual pages: document the 'resize' command
+
+Reported in https://bugs.debian.org/906918, https://bugs.debian.org/915971.
+
+Signed-off-by: Vincent McIntyre <vincent.mcintyre@csiro.au>
+---
+ disk-utils/cfdisk.8 | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/disk-utils/cfdisk.8 b/disk-utils/cfdisk.8
+index a61aad7..4e3dfca 100644
+--- a/disk-utils/cfdisk.8
++++ b/disk-utils/cfdisk.8
+@@ -115,6 +115,15 @@ MiB (=1024*1024), and so on for GiB, TiB, PiB, EiB, ZiB and YiB
+ Quit the program. This will exit the program without writing any data to
+ the disk.
+ .TP
++.B r
++Reduce or enlarge the current partition.
++.B cfdisk
++then prompts you for the new size of the partition.
++The default size is the current size.
++A partition marked as free space or marked as unusable cannot be resized.
++
++Note that reducing the size of a partition might destroy data on that partition.
++.TP
+ .B s
+ Sort the partitions in ascending start-sector order. When deleting and
+ adding partitions, it is likely that the numbering of the partitions will
diff --git a/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch b/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch
new file mode 100644
index 0000000..9929f7e
--- /dev/null
+++ b/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch
@@ -0,0 +1,102 @@ +From: Karel Zak <kzak@redhat.com> +Date: Mon, 25 Jan 2021 11:11:05 +0100 +Subject: libmount: allow --read-only for not-root users + +The command "mount -r" was supported for non-root users in very old +mount(8) versions. Unfortunately, in this case libmount replaces all +mount options from command line by options from fstab. We need +exception for MS_RDONLY. + +Fixes: https://github.com/karelzak/util-linux/issues/1235 +Signed-off-by: Karel Zak <kzak@redhat.com> +--- + libmount/src/context.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +diff --git a/libmount/src/context.c b/libmount/src/context.c +index 46e2010..e4e9f8f 100644 +--- a/libmount/src/context.c ++++ b/libmount/src/context.c +@@ -2319,9 +2319,12 @@ end: + return rc; + } + +-/* apply @fs to @cxt -- use mnt_context_apply_fstab() if not sure ++/* apply @fs to @cxt; ++ * ++ * @mflags are mount flags as specified on command-line -- used only to save ++ * MS_RDONLY which is allowed for non-root users. 
+ */ +-int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs) ++static int apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs, unsigned long mflags) + { + int rc; + +@@ -2333,6 +2336,7 @@ int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs) + DBG(CXT, ul_debugobj(cxt, "use default optsmode")); + cxt->optsmode = MNT_OMODE_AUTO; + } ++ + } + + DBG(CXT, ul_debugobj(cxt, "apply entry:")); +@@ -2360,9 +2364,15 @@ int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs) + + if (cxt->optsmode & MNT_OMODE_IGNORE) + ; +- else if (cxt->optsmode & MNT_OMODE_REPLACE) ++ else if (cxt->optsmode & MNT_OMODE_REPLACE) { + rc = mnt_fs_set_options(cxt->fs, mnt_fs_get_options(fs)); + ++ /* mount --read-only for non-root users is allowed */ ++ if (rc == 0 && (mflags & MS_RDONLY) ++ && mnt_context_is_restricted(cxt) ++ && cxt->optsmode == MNT_OMODE_USER) ++ rc = mnt_fs_append_options(cxt->fs, "ro"); ++ } + else if (cxt->optsmode & MNT_OMODE_APPEND) + rc = mnt_fs_append_options(cxt->fs, mnt_fs_get_options(fs)); + +@@ -2380,7 +2390,7 @@ done: + } + + static int apply_table(struct libmnt_context *cxt, struct libmnt_table *tb, +- int direction) ++ int direction, unsigned long mflags) + { + struct libmnt_fs *fs = NULL; + const char *src, *tgt; +@@ -2418,7 +2428,14 @@ static int apply_table(struct libmnt_context *cxt, struct libmnt_table *tb, + if (!fs) + return -MNT_ERR_NOFSTAB; /* not found */ + +- return mnt_context_apply_fs(cxt, fs); ++ return apply_fs(cxt, fs, mflags); ++} ++ ++/* apply @fs to @cxt -- use mnt_context_apply_fstab() if not sure ++ */ ++int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs) ++{ ++ return apply_fs(cxt, fs, 0); + } + + /** +@@ -2498,7 +2515,7 @@ int mnt_context_apply_fstab(struct libmnt_context *cxt) + DBG(CXT, ul_debugobj(cxt, "trying to apply fstab (src=%s, target=%s)", src, tgt)); + rc = mnt_context_get_fstab(cxt, &tab); + if (!rc) +- rc = apply_table(cxt, tab, 
MNT_ITER_FORWARD); ++ rc = apply_table(cxt, tab, MNT_ITER_FORWARD, mflags); + } + + /* try mtab */ +@@ -2510,7 +2527,7 @@ int mnt_context_apply_fstab(struct libmnt_context *cxt) + else + rc = mnt_context_get_mtab(cxt, &tab); + if (!rc) +- rc = apply_table(cxt, tab, MNT_ITER_BACKWARD); ++ rc = apply_table(cxt, tab, MNT_ITER_BACKWARD, mflags); + } + + if (!mnt_context_switch_ns(cxt, ns_old)) diff --git a/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch b/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch new file mode 100644 index 0000000..6dd2fe4 --- /dev/null +++ b/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch @@ -0,0 +1,37 @@ +From: Karel Zak <kzak@redhat.com> +Date: Thu, 14 Jan 2021 12:45:28 +0100 +Subject: libmount: do not canonicalize ZFS source dataset + +Fixes: https://github.com/karelzak/util-linux/issues/1231 +Addresses: https://github.com/systemd/systemd/issues/18188 +Addresses: https://github.com/openzfs/zfs/pull/11295 +Signed-off-by: Karel Zak <kzak@redhat.com> +--- + libmount/src/context.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libmount/src/context.c b/libmount/src/context.c +index 6196c71..46e2010 100644 +--- a/libmount/src/context.c ++++ b/libmount/src/context.c +@@ -1764,7 +1764,7 @@ int mnt_context_prepare_srcpath(struct libmnt_context *cxt) + { + const char *path = NULL; + struct libmnt_cache *cache; +- const char *t, *v, *src; ++ const char *t, *v, *src, *type; + int rc = 0; + struct libmnt_ns *ns_old; + +@@ -1786,6 +1786,11 @@ int mnt_context_prepare_srcpath(struct libmnt_context *cxt) + if (!src || mnt_fs_is_netfs(cxt->fs)) + return 0; + ++ /* ZFS source is always "dataset", not a real path */ ++ type = mnt_fs_get_fstype(cxt->fs); ++ if (type && strcmp(type, "zfs") == 0) ++ return 0; ++ + DBG(CXT, ul_debugobj(cxt, "srcpath '%s'", src)); + + ns_old = mnt_context_switch_target_ns(cxt); 
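Review bot: In `apply_fs()` (libmount/src/context.c, read-only patch) the new exception tests `cxt->optsmode == MNT_OMODE_USER` with exact equality while the neighbouring branches test `optsmode` bits with `&`, and nothing in the code says why. This branch decides when a restricted caller's command-line flag survives the fstab replacement, so the condition deserves a comment, e.g. `/* only "ro" is carried over, and only when optsmode is exactly MNT_OMODE_USER; every other command-line option is still dropped */`. The comment above the public `mnt_context_apply_fs()` should also state that it passes `mflags` as 0 and therefore never applies the exception. The hunk at `-2333,6 +2336,7` adds a stray blank line before a closing brace.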
diff --git a/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch b/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch new file mode 100644 index 0000000..a30d229 --- /dev/null +++ b/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch 
@@ -0,0 +1,136 @@ +From e9aa48581641cbbed91e4b9597061fa96e57d05b Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Wed, 24 Nov 2021 13:53:25 +0100 +Subject: [PATCH 1/2] libmount: fix UID check for FUSE umount [CVE-2021-3995] + +Improper UID check allows an unprivileged user to unmount FUSE +filesystems of users with similar UID. + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- + include/strutils.h | 2 +- + libmount/src/context_umount.c | 14 +++--------- + libmount/src/mountP.h | 1 + + libmount/src/optstr.c | 42 +++++++++++++++++++++++++++++++++++ + 4 files changed, 47 insertions(+), 12 deletions(-) + +diff --git a/include/strutils.h b/include/strutils.h +index 6e95707ea..a84d29594 100644 +--- a/include/strutils.h ++++ b/include/strutils.h +@@ -106,8 +106,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma + if (n + 1 > nmax) + n = nmax - 1; + ++ memset(dest, '\0', nmax); + memcpy(dest, src, n); +- dest[nmax-1] = '\0'; + return dest; + } + +diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c +index 173637a15..8773c65ff 100644 +--- a/libmount/src/context_umount.c ++++ b/libmount/src/context_umount.c +@@ -453,10 +453,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv) + struct libmnt_ns *ns_old; + const char *type = mnt_fs_get_fstype(cxt->fs); + const char *optstr; +- char *user_id = NULL; +- size_t sz; +- uid_t uid; +- char uidstr[sizeof(stringify_value(ULONG_MAX))]; ++ uid_t uid, entry_uid; + + *errsv = 0; + +@@ -473,11 +470,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv) + optstr = mnt_fs_get_fs_options(cxt->fs); + if (!optstr) + return 0; +- +- if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0) +- return 0; +- +- if (sz == 0 || user_id == NULL) ++ if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0) + return 0; + + /* get current user */ +@@ -494,8 +487,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int 
*errsv) + return 0; + } + +- snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid); +- return strncmp(user_id, uidstr, sz) == 0; ++ return uid == entry_uid; + } + + /* +diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h +index d43a83541..22442ec55 100644 +--- a/libmount/src/mountP.h ++++ b/libmount/src/mountP.h +@@ -399,6 +399,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry( + const struct libmnt_optmap **mapent); + + /* optstr.c */ ++extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid); + extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end); + extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next); + extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next); +diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c +index 921b9318e..16800f571 100644 +--- a/libmount/src/optstr.c ++++ b/libmount/src/optstr.c +@@ -1076,6 +1076,48 @@ int mnt_optstr_fix_user(char **optstr) + return rc; + } + ++/* ++ * Converts value from @optstr addressed by @name to uid. 
++ * ++ * Returns: 0 on success, 1 if not found, <0 on error ++ */ ++int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid) ++{ ++ char *value = NULL; ++ size_t valsz = 0; ++ char buf[sizeof(stringify_value(UINT64_MAX))]; ++ int rc; ++ uint64_t num; ++ ++ assert(optstr); ++ assert(name); ++ assert(uid); ++ ++ rc = mnt_optstr_get_option(optstr, name, &value, &valsz); ++ if (rc != 0) ++ goto fail; ++ ++ if (valsz > sizeof(buf) - 1) { ++ rc = -ERANGE; ++ goto fail; ++ } ++ mem2strcpy(buf, value, valsz, sizeof(buf)); ++ ++ rc = ul_strtou64(buf, &num, 10); ++ if (rc != 0) ++ goto fail; ++ if (num > ULONG_MAX || (uid_t) num != num) { ++ rc = -ERANGE; ++ goto fail; ++ } ++ *uid = (uid_t) num; ++ ++ return 0; ++fail: ++ DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc)); ++ return rc; ++} ++ + /** + * mnt_match_options: + * @optstr: options string +-- +2.31.1 diff --git a/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch b/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch new file mode 100644 index 0000000..748dbeb --- /dev/null +++ b/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch 
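Review bot: `mem2strcpy()` in include/strutils.h still computes `n = nmax - 1` ahead of the new `memset(dest, '\0', nmax)`, so a call with `nmax == 0` wraps `n` to SIZE_MAX and the following `memcpy()` is unbounded, unless a guard sits above the hunk (the function starts outside it). The new caller `mnt_optstr_get_uid()` passes `sizeof(buf)` and checks `valsz` first, so it is not affected, but the helper is a header inline and presumably has other callers; `if (nmax == 0) return dest;` as its first statement closes the gap. In `mnt_optstr_get_uid()` the argument checks are `assert()` only, and the `num > ULONG_MAX` test is subsumed by `(uid_t) num != num` wherever `uid_t` is no wider than `unsigned long`; a short comment that the cast comparison is the effective range check would help the next reader.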
@@ -0,0 +1,189 @@ +From 823f270e138d1f752f1acf4827847eab97b07a87 Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Tue, 4 Jan 2022 10:54:20 +0100 +Subject: [PATCH 2/2] libmount: fix (deleted) suffix issue [CVE-2021-3996] + +This issue is related to parsing the /proc/self/mountinfo file allows an +unprivileged user to unmount other user's filesystems that are either +world-writable themselves or mounted in a world-writable directory. + +The support for "(deleted)" is no more necessary as the Linux kernel does +not use it in /proc/self/mountinfo and /proc/self/mount files anymore. + +Signed-off-by: Karel Zak <kzak@redhat.com> +--- + libmount/src/tab_parse.c | 5 ----- + tests/expected/findmnt/filter-options | 1 - + tests/expected/findmnt/filter-options-nameval-neg | 3 +-- + tests/expected/findmnt/filter-types-neg | 1 - + tests/expected/findmnt/outputs-default | 3 +-- + tests/expected/findmnt/outputs-force-tree | 3 +-- + tests/expected/findmnt/outputs-kernel | 3 +-- + tests/expected/libmount/tabdiff-mount | 1 - + tests/expected/libmount/tabdiff-move | 1 - + tests/expected/libmount/tabdiff-remount | 1 - + tests/expected/libmount/tabdiff-umount | 1 - + tests/expected/libmount/tabfiles-parse-mountinfo | 11 ----------- + tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 ----------- + tests/ts/findmnt/files/mountinfo | 1 - + tests/ts/findmnt/files/mountinfo-nonroot | 1 - + tests/ts/libmount/files/mountinfo | 1 - + 16 files changed, 4 insertions(+), 44 deletions(-) + +--- a/libmount/src/tab_parse.c ++++ b/libmount/src/tab_parse.c +@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(stru + goto fail; + } + +- /* remove "\040(deleted)" suffix */ +- p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX); +- if (p && *p) +- *p = '\0'; +- + s = skip_separator(s); + + /* (6) vfs options (fs-independent) */ +--- a/tests/expected/findmnt/filter-options ++++ b/tests/expected/findmnt/filter-options +@@ -28,5 +28,4 @@ TARGET SOURCE + /home/kzak/.gvfs 
gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime + /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-/mnt/foo /fooooo bar rw,relatime + rc=0 +--- a/tests/expected/findmnt/filter-options-nameval-neg ++++ b/tests/expected/findmnt/filter-options-nameval-neg +@@ -29,6 +29,5 @@ TARGET SOURCE + |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered + | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime +-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-`-/mnt/foo /fooooo bar rw,relatime ++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 + rc=0 +--- a/tests/expected/findmnt/filter-types-neg ++++ b/tests/expected/findmnt/filter-types-neg +@@ -28,5 +28,4 @@ TARGET SOURCE + /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime + /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-/mnt/foo /fooooo bar rw,relatime + rc=0 +--- a/tests/expected/findmnt/outputs-default ++++ b/tests/expected/findmnt/outputs-default +@@ -30,6 +30,5 @@ TARGET SOURCE + |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered + | `-/home/kzak/.gvfs gvfs-fuse-daemon 
fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime +-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-`-/mnt/foo /fooooo bar rw,relatime ++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 + rc=0 +--- a/tests/expected/findmnt/outputs-force-tree ++++ b/tests/expected/findmnt/outputs-force-tree +@@ -30,6 +30,5 @@ TARGET SOURCE + |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered + | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime +-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-`-/mnt/foo /fooooo bar rw,relatime ++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 + rc=0 +--- a/tests/expected/findmnt/outputs-kernel ++++ b/tests/expected/findmnt/outputs-kernel +@@ -30,6 +30,5 @@ TARGET SOURCE + |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered + | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500 + |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime +-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-`-/mnt/foo /fooooo bar rw,relatime 
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 + rc=0 +--- a/tests/expected/libmount/tabdiff-mount ++++ b/tests/expected/libmount/tabdiff-mount +@@ -1,3 +1,2 @@ + /dev/mapper/kzak-home on /home/kzak: MOUNTED +-/fooooo on /mnt/foo: MOUNTED + tmpfs on /mnt/test/foo
bar: MOUNTED +--- a/tests/expected/libmount/tabdiff-move ++++ b/tests/expected/libmount/tabdiff-move +@@ -1,3 +1,2 @@ + //foo.home/bar/ on /mnt/music: MOVED to /mnt/music +-/fooooo on /mnt/foo: UMOUNTED + tmpfs on /mnt/test/foo
bar: UMOUNTED +--- a/tests/expected/libmount/tabdiff-remount ++++ b/tests/expected/libmount/tabdiff-remount +@@ -1,4 +1,3 @@ + /dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered' + //foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' +-/fooooo on /mnt/foo: UMOUNTED + tmpfs on /mnt/test/foo
bar: UMOUNTED +--- a/tests/expected/libmount/tabdiff-umount ++++ b/tests/expected/libmount/tabdiff-umount +@@ -1,3 +1,2 @@ + /dev/mapper/kzak-home on /home/kzak: UMOUNTED +-/fooooo on /mnt/foo: UMOUNTED + tmpfs on /mnt/test/foo
bar: UMOUNTED +--- a/tests/expected/libmount/tabfiles-parse-mountinfo ++++ b/tests/expected/libmount/tabfiles-parse-mountinfo +@@ -351,17 +351,6 @@ id: 47 + parent: 20 + devno: 0:38 + ------ fs: +-source: /fooooo +-target: /mnt/foo +-fstype: bar +-optstr: rw,relatime +-VFS-optstr: rw,relatime +-FS-opstr: rw +-root: / +-id: 48 +-parent: 20 +-devno: 0:39 +------- fs: + source: tmpfs + target: /mnt/test/foo
bar + fstype: tmpfs +--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo ++++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo +@@ -351,17 +351,6 @@ id: 47 + parent: 20 + devno: 0:38 + ------ fs: +-source: /fooooo +-target: /mnt/foo +-fstype: bar +-optstr: rw,relatime +-VFS-optstr: rw,relatime +-FS-opstr: rw +-root: / +-id: 48 +-parent: 20 +-devno: 0:39 +------- fs: + source: tmpfs + target: /mnt/test/foo
bar + fstype: tmpfs +--- a/tests/ts/findmnt/files/mountinfo ++++ b/tests/ts/findmnt/files/mountinfo +@@ -30,4 +30,3 @@ + 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500 + 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw + 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw +--- a/tests/ts/findmnt/files/mountinfo-nonroot ++++ b/tests/ts/findmnt/files/mountinfo-nonroot +@@ -29,4 +29,3 @@ + 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500 + 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw + 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw +--- a/tests/ts/libmount/files/mountinfo ++++ b/tests/ts/libmount/files/mountinfo +@@ -30,5 +30,4 @@ + 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500 + 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw + 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344 +-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw + 49 20 0:56 / /mnt/test/foo
bar rw,relatime shared:323 - tmpfs tmpfs rw diff --git a/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch b/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch new file mode 100644 index 0000000..f9cd86b --- /dev/null +++ b/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch @@ -0,0 +1,47 @@ +From: Pino Toscano <toscano.pino@tiscali.it> +Date: Tue, 17 Nov 2020 11:27:48 +0100 +Subject: [PATCH] build-sys: do not build plymouth-ctrl.c w/ disabled plymouth + +Do not build plymouth-ctrl.c in agetty and sulogin in case the plymouth +support is disabled. + +Signed-off-by: Pino Toscano <toscano.pino@tiscali.it> +--- + login-utils/Makemodule.am | 6 ++++-- + term-utils/Makemodule.am | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am +index 3a1c272..37be1c4 100644 +--- a/login-utils/Makemodule.am ++++ b/login-utils/Makemodule.am +@@ -19,8 +19,10 @@ dist_man_MANS += login-utils/sulogin.8 + sulogin_SOURCES = \ + login-utils/sulogin.c \ + login-utils/sulogin-consoles.c \ +- login-utils/sulogin-consoles.h \ +- lib/plymouth-ctrl.c ++ login-utils/sulogin-consoles.h ++if USE_PLYMOUTH_SUPPORT ++sulogin_SOURCES += lib/plymouth-ctrl.c ++endif + sulogin_LDADD = $(LDADD) libcommon.la + + if HAVE_LIBCRYPT +diff --git a/term-utils/Makemodule.am b/term-utils/Makemodule.am +index 92df7db..c424dbd 100644 +--- a/term-utils/Makemodule.am ++++ b/term-utils/Makemodule.am +@@ -42,8 +42,10 @@ endif # BUILD_SCRIPTLIVE + if BUILD_AGETTY + sbin_PROGRAMS += agetty + dist_man_MANS += term-utils/agetty.8 +-agetty_SOURCES = term-utils/agetty.c \ +- lib/plymouth-ctrl.c ++agetty_SOURCES = term-utils/agetty.c ++if USE_PLYMOUTH_SUPPORT ++agetty_SOURCES += lib/plymouth-ctrl.c ++endif + agetty_LDADD = $(LDADD) libcommon.la + if BSD + agetty_LDADD += -lutil 
diff --git a/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch b/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch new file mode 100644 index 0000000..1a12f0f --- /dev/null +++ b/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch @@ -0,0 +1,25 @@ +From: Pino Toscano <toscano.pino@tiscali.it> +Date: Tue, 17 Nov 2020 11:32:45 +0100 +Subject: [PATCH] hwclock: do not assume __NR_settimeofday_time32 + +Check that __NR_settimeofday_time32 exists before trying to use it as +syscall number. + +Signed-off-by: Pino Toscano <toscano.pino@tiscali.it> +--- + sys-utils/hwclock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sys-utils/hwclock.c b/sys-utils/hwclock.c +index c1cfbd3..e50432a 100644 +--- a/sys-utils/hwclock.c ++++ b/sys-utils/hwclock.c +@@ -678,7 +678,7 @@ display_time(struct timeval hwctime) + #ifndef SYS_settimeofday + # ifdef __NR_settimeofday + # define SYS_settimeofday __NR_settimeofday +-# else ++# elif defined(__NR_settimeofday_time32) + # define SYS_settimeofday __NR_settimeofday_time32 + # endif + #endif |