authorNatanael Copa <ncopa@alpinelinux.org>2017-01-11 15:07:10 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2017-01-11 15:08:30 +0100
commit9878b048b45f977e69527a88e7f4d205cabccc94 (patch)
tree2d8122c5a67d87aefd0f8069633a12a2a7f309e0
parente00ed3a09fe384a24ae88db54fcb81612c95a223 (diff)
downloadaports-9878b048b45f977e69527a88e7f4d205cabccc94.tar.bz2
main/cryptsetup: fix fd leak to child processes
-rw-r--r--main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch35
-rw-r--r--main/cryptsetup/APKBUILD6
2 files changed, 40 insertions, 1 deletions
diff --git a/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch b/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch
new file mode 100644
index 0000000..b250fd3
--- /dev/null
+++ b/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch
@@ -0,0 +1,35 @@
+From 243fc987f15b4e280acb089b6f476de204cb7def Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Tue, 10 Jan 2017 20:06:08 +0100
+Subject: [PATCH] Close /dev/{random,urandom} on exec
+
+This prevents the descriptors to leak to programs that are executed.
+
+Fixes https://gitlab.com/cryptsetup/cryptsetup/issues/313
+---
+ lib/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/random.c b/lib/random.c
+index cb772f4..12040dc 100644
+--- a/lib/random.c
++++ b/lib/random.c
+@@ -152,13 +152,13 @@ int crypt_random_init(struct crypt_device *ctx)
+
+ /* Used for CRYPT_RND_NORMAL */
+ if(urandom_fd == -1)
+- urandom_fd = open(URANDOM_DEVICE, O_RDONLY);
++ urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
+ if(urandom_fd == -1)
+ goto fail;
+
+ /* Used for CRYPT_RND_KEY */
+ if(random_fd == -1)
+- random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK);
++ random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
+ if(random_fd == -1)
+ goto fail;
+
+--
+2.11.0
+
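Review bot: The reason for `O_CLOEXEC` on the two `open()` calls in `crypt_random_init` is not recorded next to the code, because the neighbouring comments only say which RNG class each descriptor serves, so a later cleanup could drop the flag without noticing. A line such as `/* O_CLOEXEC: keep the RNG descriptors out of exec'd child processes */` above the first `open()` would record it. Setting the flag in `open()` rather than with a later `fcntl(fd, F_SETFD, FD_CLOEXEC)` is the right form, since it leaves no window in which a concurrent fork/exec could inherit the descriptor. The hunk covers only `urandom_fd` and `random_fd`; whether other descriptors opened by the library need the same flag cannot be judged from these lines and is worth checking against the linked issue. The function body starts and ends outside the hunk.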
diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD
index abb3e4e..d6f174d 100644
--- a/main/cryptsetup/APKBUILD
+++ b/main/cryptsetup/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cryptsetup
pkgver=1.7.2
-pkgrel=1
+pkgrel=2
pkgdesc="Userspace setup tool for transparent encryption of block devices using the Linux 2.6 cryptoapi"
url="https://gitlab.com/cryptsetup/cryptsetup"
arch="all"
@@ -13,6 +13,7 @@ makedepends="$makedepends_build $makedepends_host"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
source="https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/cryptsetup-$pkgver.tar.gz
flush-stdout.patch
+ 0001-Close-dev-random-urandom-on-exec.patch
dmcrypt.confd
dmcrypt.initd
"
@@ -62,13 +63,16 @@ libs() {
md5sums="08c921620c88f4cf889fb29176845ca3 cryptsetup-1.7.2.tar.gz
7d5c8727ea417cabe86df67a9de1de16 flush-stdout.patch
+afc65179e77dc821297692fd757f7741 0001-Close-dev-random-urandom-on-exec.patch
8a64af270190d5ecd6e4084d6ccf81de dmcrypt.confd
058807d0516dec293d382ee27cc89fb8 dmcrypt.initd"
sha256sums="aaf10a8fede30521385bce8857f82d844bd33b487e00cef1d1777460e18eaa3b cryptsetup-1.7.2.tar.gz
6ac335bb14ff2f90de00769be20da4c5527101fab6593259a4d87be84904ae67 flush-stdout.patch
+ad4c0be2b3a3869fc4350f2d49534e41338ace813b7e8a86b230240880be57fc 0001-Close-dev-random-urandom-on-exec.patch
3d933a54abe62a547294b83208dbf5d7615d9c7f380d6504c91fff3620530803 dmcrypt.confd
a7a930cf14161a18c2ac6c3e7d4b2cf4ed03d9fcd77c89e7a6f6c60bad4bede8 dmcrypt.initd"
sha512sums="14fb14c82a02ea39d6ffa9532b859e19dd3c9dcff58dc64a8dfd16caed2a46c101df450185012642c03c0ded3c02d76dc0a54c30e78167af50df6999424e624b cryptsetup-1.7.2.tar.gz
301e3e3da5a899e0a6f01f44fbf37bb6a3f5b6a4fb41243bae6d3b7aea747276e784626cd1b19721cc264652c10ae8c560c4d20094e33bb82fb2fae0160682c0 flush-stdout.patch
+f1e4753ddc71910a23e0dbecaea2e2db924cb0bc2f012a9445b275c92df784969068d554d7f89e3ed77ea7ad54babd560da0a94563504b16ced2ec859848c6ec 0001-Close-dev-random-urandom-on-exec.patch
74422d5e1614b43af894ea01da1ea80d805ec7f77981cbb80a6b1a4becad737a8825d7269812499095a7f50d39fa7da5bf4e4edae63529b1fe87b9176943a733 dmcrypt.confd
81dad61cdecf1dc529b26eb3cdc15979a582c876b01268f88e7a71c8fae6911137c03bfa63fee64e064e5fb31f673610be27ecab9fc432229f13e7040698bd5c dmcrypt.initd"