Hello community,
here is the log from the commit of package dracut for openSUSE:Factory checked in at 2016-11-12 12:58:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dracut (Old)
and /work/SRC/openSUSE:Factory/.dracut.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut"
Changes:
--------
--- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2016-10-22 13:03:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes 2016-11-12 12:58:59.000000000 +0100
@@ -1,0 +2,23 @@
+Tue Nov 8 15:19:37 UTC 2016 - daniel@molkentin.de
+
+- systemd-initrd: Add initrd-root-device.target. Cherry-pick to get
+ systemd v230 into factory (bsc1009089)
+ * add 0451-systemd-initrd-add-initrd-root-device.target.patch
+
+-------------------------------------------------------------------
+Mon Nov 7 15:54:09 UTC 2016 - dmolkentin@suse.de
+
+- Bash cannot handle binary strigns with embedded NULs. This used
+ to work by accident, it no longer does starting from bash 4.4.
+ Strip NULs during all comparison operations as a workaround.
+ Addresses bsc989218.
+ * add 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch
+
+-------------------------------------------------------------------
+Mon Nov 7 12:06:51 UTC 2016 - astieger@suse.com
+
+- Do not create initramfs with world-readable permissions if
+ early microcode update is used bsc#1008340 CVE-2016-8637
+ 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
+
+-------------------------------------------------------------------
New:
----
0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch
0451-systemd-initrd-add-initrd-root-device.target.patch
0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dracut.spec ++++++
--- /var/tmp/diff_new_pack.uEo2BS/_old 2016-11-12 12:59:01.000000000 +0100
+++ /var/tmp/diff_new_pack.uEo2BS/_new 2016-11-12 12:59:01.000000000 +0100
@@ -169,10 +169,15 @@
Patch403: 0403-95lunmask-Add-module-to-handle-LUN-masking.patch
Patch404: 0404-dracut-emergency-optionally-print-fs-help.patch
+# Workarounds/Patches no longer relevant in 045
+Patch450: 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch
+Patch451: 0451-systemd-initrd-add-initrd-root-device.target.patch
+
# On top patches/fixes which have to be applied late
Patch500: 0500-Reset-IFS-variable.patch
Patch501: 0501-dasd_fix_ssid_bigger_zero.patch
Patch502: 0502-persistent_device_policy_param_enhance.patch
+Patch503: 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
BuildRequires: asciidoc
BuildRequires: bash
@@ -368,9 +373,13 @@
%patch403 -p1
%patch404 -p1
+%patch450 -p1
+%patch451 -p1
+
%patch500 -p1
%patch501 -p1
%patch502 -p1
+%patch503 -p1
%build
%configure\
++++++ 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch ++++++
From 8ebcb9c3ded888ecd5c6fc0bbf4c9f490c3cdb56 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Tue, 1 Mar 2016 21:03:18 +0100
Subject: [PATCH] Strip NUL bytes in stream before push in string
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Based on a patch by Tomasz Paweł Gajc
Workaround for bsc989218, the next upstream release
fixes this properly.
---
dracut.sh | 2 +-
modules.d/50drm/module-setup.sh | 6 +++---
modules.d/90kernel-modules/module-setup.sh | 6 +++---
modules.d/90kernel-network-modules/module-setup.sh | 6 +++---
modules.d/90multipath/module-setup.sh | 6 +++---
modules.d/95iscsi/module-setup.sh | 6 +++---
6 files changed, 16 insertions(+), 16 deletions(-)
Index: dracut-044/dracut.sh
===================================================================
--- dracut-044.orig/dracut.sh
+++ dracut-044/dracut.sh
@@ -1641,7 +1641,7 @@ if [[ $do_strip = yes ]] && ! [[ $DRACUT
# strip kernel modules, but do not touch signed modules
find "$initdir" -type f -path '*/lib/modules/*.ko' -print0 \
| while read -r -d $'\0' f || [ -n "$f" ]; do
- SIG=$(tail -c 28 "$f")
+ SIG=$(tail -c 28 "$f" | tr -d '\000')
[[ $SIG == '~Module signature appended~' ]] || { printf "%s\000" "$f"; }
done | xargs -r -0 strip -g
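Review bot: The NUL-stripped comparison on the changed `SIG=` line is safe only because of an asymmetry that nothing in the hunk records. A false "signed" verdict merely skips `strip -g`, whereas a false "unsigned" verdict would strip a signed module and invalidate its appended signature, so the guard must never fail in that second direction. The marker compared on the following line contains no NUL, so `tr -d '\000'` cannot turn a signed module's tail into a non-match (the 28 bytes are presumably the 27-character marker plus the trailing newline that `$()` then drops — worth confirming against the kernel's module-signing format). I would record that invariant above the `find`: `# Dropping NULs can only make an unsigned module look signed (skip strip), never the reverse: the marker is NUL-free.`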
Index: dracut-044/modules.d/50drm/module-setup.sh
===================================================================
--- dracut-044.orig/modules.d/50drm/module-setup.sh
+++ dracut-044/modules.d/50drm/module-setup.sh
@@ -24,9 +24,9 @@ installkernel() {
local _fname _fcont
while read _fname || [ -n "$_fname" ]; do
case "$_fname" in
- *.ko) _fcont="$(< $_fname)" ;;
- *.ko.gz) _fcont="$(gzip -dc $_fname)" ;;
- *.ko.xz) _fcont="$(xz -dc $_fname)" ;;
+ *.ko) _fcont="$(cat "$_fname" | tr -cd '[:print:]')" ;;
+ *.ko.gz) _fcont="$(gzip -dc "$_fname" | tr -cd '[:print:]')" ;;
+ *.ko.xz) _fcont="$(xz -dc "$_fname" | tr -cd '[:print:]')" ;;
esac
[[ $_fcont =~ $_drm_drivers
&& ! $_fcont =~ iw_handler_get_spy ]] \
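Review bot: The three added `case` arms spawn `cat` only to feed `tr`; `_fcont="$(tr -cd '[:print:]' <"$_fname")"` reads the same bytes without the extra process, which matters here because the loop runs once per module and the whole decompressed module is already being buffered in a shell variable. Note also that `[:print:]` is wider than the "strip NULs" the changelog describes: newlines, tabs and (in the C locale) every byte outside printable ASCII are dropped too, harmless for ASCII symbol names but worth stating, e.g. `# tr drops NULs (bash cannot hold them) and other non-printables; only ASCII symbol names are matched below`. Dropping NULs also joins adjacent string-table entries, so the `$_drm_drivers` regex on the next line can match across an entry boundary — apparently already the case with the old `$(< $_fname)`, which the changelog says worked "by accident". The `installkernel` function continues past the hunk.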
Index: dracut-044/modules.d/90kernel-modules/module-setup.sh
===================================================================
--- dracut-044.orig/modules.d/90kernel-modules/module-setup.sh
+++ dracut-044/modules.d/90kernel-modules/module-setup.sh
@@ -10,9 +10,9 @@ installkernel() {
function bmf1() {
local _f
while read _f || [ -n "$_f" ]; do case "$_f" in
- *.ko) [[ $(< $_f) =~ $_blockfuncs ]] && echo "$_f" ;;
- *.ko.gz) [[ $(gzip -dc <$_f) =~ $_blockfuncs ]] && echo "$_f" ;;
- *.ko.xz) [[ $(xz -dc <$_f) =~ $_blockfuncs ]] && echo "$_f" ;;
+ *.ko) [[ $(cat "$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;;
+ *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;;
+ *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_blockfuncs ]] && echo "$_f" ;;
esac
done
return 0
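Review bot: The three rewritten arms load an entire (decompressed) module into a shell variable just to run one regex over it; `grep -aqE -- "$_blockfuncs" "$_f"` (and `gzip -dc <"$_f" | grep -aqE -- "$_blockfuncs"`) would test the same ERE on the raw bytes with no `cat`, no NUL workaround and no buffering of the file in bash. That assumes `$_blockfuncs` contains no anchors or `.` that rely on the flattened single-line input; it is defined outside the hunk, so please check before switching. If the variable approach stays, at least drop the `cat`: `[[ $(tr -cd '[:print:]' <"$_f") =~ $_blockfuncs ]]`. The caller of `bmf1` and `$_blockfuncs` are outside this hunk.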
Index: dracut-044/modules.d/90kernel-network-modules/module-setup.sh
===================================================================
--- dracut-044.orig/modules.d/90kernel-network-modules/module-setup.sh
+++ dracut-044/modules.d/90kernel-network-modules/module-setup.sh
@@ -45,9 +45,9 @@ installkernel() {
while read _fname; do
[[ $_fname =~ $_unwanted_drivers ]] && continue
case "$_fname" in
- *.ko) _fcont="$(< $_fname)" ;;
- *.ko.gz) _fcont="$(gzip -dc $_fname)" ;;
- *.ko.xz) _fcont="$(xz -dc $_fname)" ;;
+ *.ko) _fcont="$(cat "$_fname" | tr -cd '[:print:]')" ;;
+ *.ko.gz) _fcont="$(gzip -dc "$_fname" | tr -cd '[:print:]')" ;;
+ *.ko.xz) _fcont="$(xz -dc "$_fname" | tr -cd '[:print:]')" ;;
esac
[[ $_fcont =~ $_net_drivers
&& ! $_fcont =~ iw_handler_get_spy ]] \
Index: dracut-044/modules.d/90multipath/module-setup.sh
===================================================================
--- dracut-044.orig/modules.d/90multipath/module-setup.sh
+++ dracut-044/modules.d/90multipath/module-setup.sh
@@ -49,9 +49,9 @@ installkernel() {
local _f
while read _f || [ -n "$_f" ]; do
case "$_f" in
- *.ko) [[ $(< $_f) =~ $_funcs ]] && echo "$_f" ;;
- *.ko.gz) [[ $(gzip -dc <$_f) =~ $_funcs ]] && echo "$_f" ;;
- *.ko.xz) [[ $(xz -dc <$_f) =~ $_funcs ]] && echo "$_f" ;;
+ *.ko) [[ $(cat "$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
+ *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
+ *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
esac
done
return 0
Index: dracut-044/modules.d/95iscsi/module-setup.sh
===================================================================
--- dracut-044.orig/modules.d/95iscsi/module-setup.sh
+++ dracut-044/modules.d/95iscsi/module-setup.sh
@@ -189,9 +189,9 @@ installkernel() {
local _f
while read _f || [ -n "$_f" ]; do
case "$_f" in
- *.ko) [[ $(< $_f) =~ $_funcs ]] && echo "$_f" ;;
- *.ko.gz) [[ $(gzip -dc <$_f) =~ $_funcs ]] && echo "$_f" ;;
- *.ko.xz) [[ $(xz -dc <$_f) =~ $_funcs ]] && echo "$_f" ;;
+ *.ko) [[ $(< "$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
+ *.ko.gz) [[ $(gzip -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
+ *.ko.xz) [[ $(xz -dc <"$_f" | tr -cd '[:print:]') =~ $_funcs ]] && echo "$_f" ;;
esac
done
return 0
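Review bot: The `*.ko)` arm on the new side, `$(< "$_f" | tr -cd '[:print:]')`, does not read the file as far as I can tell: bash's `$(< file)` shortcut is only recognised when the substitution is exactly a bare input redirection, and once a pipe follows, `< "$_f"` is a null command whose stdout is empty, so `tr` sees nothing and the `=~ $_funcs` test never succeeds for uncompressed iSCSI modules. This differs from the other five files in the same patch, which use `cat "$_f" | tr ...`, and would silently leave those modules out of the initramfs. Use `*.ko) [[ $(tr -cd '[:print:]' <"$_f") =~ $_funcs ]] && echo "$_f" ;;`, putting the redirection on `tr` as the `.gz`/`.xz` arms already do. The surrounding function and `$_funcs` are outside the hunk.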
++++++ 0451-systemd-initrd-add-initrd-root-device.target.patch ++++++
From d4efc0aeeecc470d9a267b7f3c130f472488905c Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 25 May 2016 15:06:29 +0200
Subject: [PATCH] systemd-initrd: add initrd-root-device.target
---
modules.d/01systemd-initrd/module-setup.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules.d/01systemd-initrd/module-setup.sh b/modules.d/01systemd-initrd/module-setup.sh
index fb6a9ea..c1ccd2a 100755
--- a/modules.d/01systemd-initrd/module-setup.sh
+++ b/modules.d/01systemd-initrd/module-setup.sh
@@ -28,6 +28,7 @@ install() {
inst_multiple -o \
$systemdsystemunitdir/initrd.target \
$systemdsystemunitdir/initrd-fs.target \
+ $systemdsystemunitdir/initrd-root-device.target \
$systemdsystemunitdir/initrd-root-fs.target \
$systemdsystemunitdir/initrd-switch-root.target \
$systemdsystemunitdir/initrd-switch-root.service \
--
2.10.0
++++++ 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch ++++++
From 0db98910a11c12a454eac4c8e86dc7a7bbc764a4 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Mon, 7 Nov 2016 10:37:22 +0100
Subject: [PATCH] dracut.sh: create the initramfs non-world readable also if
early cpio is used
Fixes: 5f2c30d9bcd614d546d5c55c6897e33f88b9ab90
Previously fixed CVE-2012-4453: e1b48995c26c4f06d1a718539cb1bd5b0179af91
Signed-off-by: Andreas Stieger
---
dracut.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dracut.sh b/dracut.sh
index 40ca08f..2d79bbc 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1700,7 +1700,7 @@ if [[ $create_early_cpio = yes ]]; then
# The microcode blob is _before_ the initramfs blob, not after
if ! (
- cd "$early_cpio_dir/d"
+ umask 077; cd "$early_cpio_dir/d"
find . -print0 | sort -z \
| cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null $cpio_owner_root -H newc -o --quiet > "${DRACUT_TMPDIR}/initramfs.img"
); then
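Review bot: The `cd` on the changed line remains unchecked inside the subshell: if `$early_cpio_dir/d` does not exist, the subshell carries on and `find .` packs the current working directory into the early cpio under the new umask. Make the failure fatal to the subshell, `umask 077; cd "$early_cpio_dir/d" || exit 1`, so the `if !` above takes the error path. Also note that `umask 077` only governs files this subshell creates: it covers the `> "${DRACUT_TMPDIR}/initramfs.img"` redirect, but a pre-existing file would keep its mode (`>` truncates without chmod), and whatever later copies the image to its final path is outside the hunk — both worth a quick check. The `if` body following `then` is outside the hunk.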
--
2.10.2