Hello community, here is the log from the commit of package util-linux for openSUSE:Factory checked in at 2019-03-08 12:00:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/util-linux (Old) and /work/SRC/openSUSE:Factory/.util-linux.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "util-linux" Fri Mar 8 12:00:32 2019 rev:236 rq:681652 version:2.33.1 Changes: -------- --- /work/SRC/openSUSE:Factory/util-linux/python3-libmount.changes 2019-01-29 14:39:12.243494222 +0100 +++ /work/SRC/openSUSE:Factory/.util-linux.new.28833/python3-libmount.changes 2019-03-08 12:00:39.387962465 +0100 @@ -1,0 +2,19 @@ +Mon Mar 4 15:23:27 CET 2019 - sbra...@suse.com + +- Integrate pam_keyinit pam module to login + (boo#1081947, login.pamd, remote.pamd). + +------------------------------------------------------------------- +Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). + +------------------------------------------------------------------- +Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- libmount: print a blacklist hint for "unknown filesystem type" + (jsc#SLE-4085, fate#326832), and add documentation + * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch + * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch + +------------------------------------------------------------------- util-linux-systemd.changes: same change --- /work/SRC/openSUSE:Factory/util-linux/util-linux.changes 2019-01-29 14:39:15.183490637 +0100 +++ /work/SRC/openSUSE:Factory/.util-linux.new.28833/util-linux.changes 2019-03-08 12:00:40.715962240 +0100 @@ -1,0 +2,24 @@ +Mon Mar 4 15:23:27 CET 2019 - sbra...@suse.com + +- Integrate pam_keyinit pam module to login + (boo#1081947, login.pamd, remote.pamd). + +------------------------------------------------------------------- +Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dims...@opensuse.org> + +- Drop bc BuildRequires: not needed. + +------------------------------------------------------------------- +Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). + +------------------------------------------------------------------- +Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- libmount: print a blacklist hint for "unknown filesystem type" + (jsc#SLE-4085, fate#326832), and add documentation + * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch + * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch + +------------------------------------------------------------------- New: ---- Add-documentation-on-blacklisted-modules-to-mount-8-.patch libmount-print-a-blacklist-hint-for-unknown-filesyst.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-libmount.spec ++++++ --- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:44.599961583 +0100 +++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:44.631961577 +0100 @@ -143,6 +143,8 @@ Source51: blkid.conf # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch +Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # %if %build_util_linux @@ -379,6 +381,8 @@ %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %build_util_linux util-linux-systemd.spec: same change ++++++ util-linux.spec ++++++ --- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:45.563961419 +0100 +++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:45.595961414 +0100 @@ -75,7 +75,6 @@ License: GPL-2.0-or-later Group: %main_group BuildRequires: audit-devel -BuildRequires: bc BuildRequires: binutils-devel BuildRequires: fdupes BuildRequires: gettext-devel @@ -143,6 +142,8 @@ Source51: blkid.conf # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch +Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # %if %build_util_linux @@ -379,6 +380,8 @@ %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %build_util_linux ++++++ Add-documentation-on-blacklisted-modules-to-mount-8-.patch ++++++ >From 1ade50a36f23fc35abb465aa5b7cfc73b2476328 Mon Sep 17 00:00:00 2001 From: Martin Wilck <mwi...@suse.com> Date: Fri, 1 Feb 2019 12:09:11 +0100 Subject: [PATCH] Add documentation on blacklisted modules to mount(8) man page Signed-off-by: Martin Wilck <mwi...@suse.com> --- sys-utils/mount.8 | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/sys-utils/mount.8 b/sys-utils/mount.8 index da0ac5b..c231e12 100644 --- a/sys-utils/mount.8 +++ b/sys-utils/mount.8 @@ -338,6 +338,32 @@ The option is similar, with the restriction that the user must be member of the group of the special file. +.SS Blacklisted file systems +In the Linux kernel, file system types are implemented as kernel +modules. While many of these file systems are well maintained, +some of the older and less frequently used ones are not. This +poses a security risk, because maliciously crafted file system +images might open security holes when mounted either automatically +or by an inadvertent user. The +.B mount +command prints "unsupported file system type 'somefs'" in this case, +because it can't distinguish between a really unsupported file system +(kernel module non-existent) and a blacklisted file system. + +Users who need the blacklisted file systems and therefore want +to override the blacklisting can either load the blacklisted module +directly: +.RS + +.br +.BI "modprobe -v" " somefs" +.br + +.RE +or override the blacklist configuration by editing files under the +.I /etc/modprobe.d +directory. + .SS Bind mount operation Remount part of the file hierarchy somewhere else. The call is: -- 2.19.2 ++++++ libmount-print-a-blacklist-hint-for-unknown-filesyst.patch ++++++ >From 199ae08b4df09ec4ce9d82584664e61bcb7ab91a Mon Sep 17 00:00:00 2001 From: Martin Wilck <mwi...@suse.com> Date: Fri, 1 Feb 2019 11:36:42 +0100 Subject: [PATCH 1/2] libmount: print a blacklist hint for "unknown filesystem type" SUSE blacklists kernel modules for some old, poorly maintained file systems by default for security reasons. Provide a hopefully helpful message to users if mounting a possibly blacklisted file system fails. Signed-off-by: Martin Wilck <mwi...@suse.com> --- libmount/src/context_mount.c | 41 ++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c index f914c9b..a48483f 100644 --- a/libmount/src/context_mount.c +++ b/libmount/src/context_mount.c @@ -1423,6 +1423,32 @@ done: return rc; } +/* + * SUSE blacklists kernel modules for some old, poorly maintained + * file systems by default for security reasons. + * A set of blacklist files is maintained under /etc/modprobe.d, + * in the suse-module-tools package. + * Blacklisted file system modules will cause mount(2) to fail + * with -ENODEV. + * If this happens for one of the blacklisted file systems, provide + * a hint to the user where to look. + */ +static int is_maybe_blacklisted(const char *fstype) +{ + static const char *const fs_blacklist[] = { + "adfs", "affs", "bfs", "befs", "cramfs", "efs", "erofs", + "exofs", "freevxfs", "f2fs", "hfs", "hpfs", + "jfs", "minix", "nilfs2", "ntfs", "omfs", "qnx4", "qnx6", + "sysv", "ufs" + }; + size_t i; + + for (i = 0; i < sizeof(fs_blacklist)/sizeof(*fs_blacklist); i++) + if (!strcmp(fs_blacklist[i], fstype)) + return 1; + return 0; +} + int mnt_context_get_mount_excode( struct libmnt_context *cxt, int rc, @@ -1670,10 +1696,17 @@ int mnt_context_get_mount_excode( case ENODEV: if (!buf) break; - if (mnt_context_get_fstype(cxt)) - snprintf(buf, bufsz, _("unknown filesystem type '%s'"), - mnt_context_get_fstype(cxt)); - else + if (mnt_context_get_fstype(cxt)) { + size_t n; + + n = snprintf(buf, bufsz, + _("unknown filesystem type '%s'"), + mnt_context_get_fstype(cxt)); + if (n < bufsz && + is_maybe_blacklisted(mnt_context_get_fstype(cxt))) + snprintf(buf + n, bufsz - n, + " (hint: possibly blacklisted, see mount(8))"); + } else snprintf(buf, bufsz, _("unknown filesystem type")); break; -- 2.19.2 ++++++ login.pamd ++++++ --- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:46.619961240 +0100 +++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:46.647961235 +0100 @@ -4,6 +4,7 @@ account include common-account password include common-password session required pam_loginuid.so +session optional pam_keyinit.so force revoke session include common-session #session optional pam_lastlog.so nowtmp showfailed session optional pam_mail.so standard ++++++ remote.pamd ++++++ --- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:47.107961158 +0100 +++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:47.135961153 +0100 @@ -7,6 +7,7 @@ account include common-account password include common-password session required pam_loginuid.so +session optional pam_keyinit.so force revoke session include common-session session optional pam_lastlog.so nowtmp showfailed session optional pam_mail.so standard