Hello community,
here is the log from the commit of package util-linux for openSUSE:Factory
checked in at 2019-03-08 12:00:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/util-linux (Old)
and /work/SRC/openSUSE:Factory/.util-linux.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "util-linux"
Fri Mar 8 12:00:32 2019 rev:236 rq:681652 version:2.33.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/util-linux/python3-libmount.changes
2019-01-29 14:39:12.243494222 +0100
+++ /work/SRC/openSUSE:Factory/.util-linux.new.28833/python3-libmount.changes
2019-03-08 12:00:39.387962465 +0100
@@ -1,0 +2,19 @@
+Mon Mar 4 15:23:27 CET 2019 - sbra...@suse.com
+
+- Integrate pam_keyinit pam module to login
+ (boo#1081947, login.pamd, remote.pamd).
+
+-------------------------------------------------------------------
+Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwi...@suse.com>
+
+- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
+
+-------------------------------------------------------------------
+Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwi...@suse.com>
+
+- libmount: print a blacklist hint for "unknown filesystem type"
+ (jsc#SLE-4085, fate#326832), and add documentation
+ * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
+ * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+
+-------------------------------------------------------------------
util-linux-systemd.changes: same change
--- /work/SRC/openSUSE:Factory/util-linux/util-linux.changes 2019-01-29
14:39:15.183490637 +0100
+++ /work/SRC/openSUSE:Factory/.util-linux.new.28833/util-linux.changes
2019-03-08 12:00:40.715962240 +0100
@@ -1,0 +2,24 @@
+Mon Mar 4 15:23:27 CET 2019 - sbra...@suse.com
+
+- Integrate pam_keyinit pam module to login
+ (boo#1081947, login.pamd, remote.pamd).
+
+-------------------------------------------------------------------
+Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Drop bc BuildRequires: not needed.
+
+-------------------------------------------------------------------
+Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwi...@suse.com>
+
+- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
+
+-------------------------------------------------------------------
+Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwi...@suse.com>
+
+- libmount: print a blacklist hint for "unknown filesystem type"
+ (jsc#SLE-4085, fate#326832), and add documentation
+ * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
+ * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+
+-------------------------------------------------------------------
New:
----
Add-documentation-on-blacklisted-modules-to-mount-8-.patch
libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python3-libmount.spec ++++++
--- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:44.599961583 +0100
+++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:44.631961577 +0100
@@ -143,6 +143,8 @@
Source51: blkid.conf
# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
+Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
+Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@@ -379,6 +381,8 @@
%prep
%setup -q -n %{_name}-%{version}
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
%if %build_util_linux
util-linux-systemd.spec: same change
++++++ util-linux.spec ++++++
--- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:45.563961419 +0100
+++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:45.595961414 +0100
@@ -75,7 +75,6 @@
License: GPL-2.0-or-later
Group: %main_group
BuildRequires: audit-devel
-BuildRequires: bc
BuildRequires: binutils-devel
BuildRequires: fdupes
BuildRequires: gettext-devel
@@ -143,6 +142,8 @@
Source51: blkid.conf
# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
+Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
+Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@@ -379,6 +380,8 @@
%prep
%setup -q -n %{_name}-%{version}
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
%if %build_util_linux
++++++ Add-documentation-on-blacklisted-modules-to-mount-8-.patch ++++++
>From 1ade50a36f23fc35abb465aa5b7cfc73b2476328 Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwi...@suse.com>
Date: Fri, 1 Feb 2019 12:09:11 +0100
Subject: [PATCH] Add documentation on blacklisted modules to mount(8) man page
Signed-off-by: Martin Wilck <mwi...@suse.com>
---
sys-utils/mount.8 | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/sys-utils/mount.8 b/sys-utils/mount.8
index da0ac5b..c231e12 100644
--- a/sys-utils/mount.8
+++ b/sys-utils/mount.8
@@ -338,6 +338,32 @@ The
option is similar, with the restriction that the user must be
member of the group of the special file.
+.SS Blacklisted file systems
+In the Linux kernel, file system types are implemented as kernel
+modules. While many of these file systems are well maintained,
+some of the older and less frequently used ones are not. This
+poses a security risk, because maliciously crafted file system
+images might open security holes when mounted either automatically
+or by an inadvertent user. The
+.B mount
+command prints "unsupported file system type 'somefs'" in this case,
+because it can't distinguish between a really unsupported file system
+(kernel module non-existent) and a blacklisted file system.
+
+Users who need the blacklisted file systems and therefore want
+to override the blacklisting can either load the blacklisted module
+directly:
+.RS
+
+.br
+.BI "modprobe -v" " somefs"
+.br
+
+.RE
+or override the blacklist configuration by editing files under the
+.I /etc/modprobe.d
+directory.
+
.SS Bind mount operation
Remount part of the file hierarchy somewhere else. The call is:
--
2.19.2
++++++ libmount-print-a-blacklist-hint-for-unknown-filesyst.patch ++++++
>From 199ae08b4df09ec4ce9d82584664e61bcb7ab91a Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwi...@suse.com>
Date: Fri, 1 Feb 2019 11:36:42 +0100
Subject: [PATCH 1/2] libmount: print a blacklist hint for "unknown filesystem
type"
SUSE blacklists kernel modules for some old, poorly maintained
file systems by default for security reasons. Provide a hopefully
helpful message to users if mounting a possibly blacklisted file
system fails.
Signed-off-by: Martin Wilck <mwi...@suse.com>
---
libmount/src/context_mount.c | 41 ++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
index f914c9b..a48483f 100644
--- a/libmount/src/context_mount.c
+++ b/libmount/src/context_mount.c
@@ -1423,6 +1423,32 @@ done:
return rc;
}
+/*
+ * SUSE blacklists kernel modules for some old, poorly maintained
+ * file systems by default for security reasons.
+ * A set of blacklist files is maintained under /etc/modprobe.d,
+ * in the suse-module-tools package.
+ * Blacklisted file system modules will cause mount(2) to fail
+ * with -ENODEV.
+ * If this happens for one of the blacklisted file systems, provide
+ * a hint to the user where to look.
+ */
+static int is_maybe_blacklisted(const char *fstype)
+{
+ static const char *const fs_blacklist[] = {
+ "adfs", "affs", "bfs", "befs", "cramfs", "efs", "erofs",
+ "exofs", "freevxfs", "f2fs", "hfs", "hpfs",
+ "jfs", "minix", "nilfs2", "ntfs", "omfs", "qnx4", "qnx6",
+ "sysv", "ufs"
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(fs_blacklist)/sizeof(*fs_blacklist); i++)
+ if (!strcmp(fs_blacklist[i], fstype))
+ return 1;
+ return 0;
+}
+
int mnt_context_get_mount_excode(
struct libmnt_context *cxt,
int rc,
@@ -1670,10 +1696,17 @@ int mnt_context_get_mount_excode(
case ENODEV:
if (!buf)
break;
- if (mnt_context_get_fstype(cxt))
- snprintf(buf, bufsz, _("unknown filesystem type '%s'"),
- mnt_context_get_fstype(cxt));
- else
+ if (mnt_context_get_fstype(cxt)) {
+ size_t n;
+
+ n = snprintf(buf, bufsz,
+ _("unknown filesystem type '%s'"),
+ mnt_context_get_fstype(cxt));
+ if (n < bufsz &&
+ is_maybe_blacklisted(mnt_context_get_fstype(cxt)))
+ snprintf(buf + n, bufsz - n,
+ " (hint: possibly blacklisted, see
mount(8))");
+ } else
snprintf(buf, bufsz, _("unknown filesystem type"));
break;
--
2.19.2
++++++ login.pamd ++++++
--- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:46.619961240 +0100
+++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:46.647961235 +0100
@@ -4,6 +4,7 @@
account include common-account
password include common-password
session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
++++++ remote.pamd ++++++
--- /var/tmp/diff_new_pack.DUU8zX/_old 2019-03-08 12:00:47.107961158 +0100
+++ /var/tmp/diff_new_pack.DUU8zX/_new 2019-03-08 12:00:47.135961153 +0100
@@ -7,6 +7,7 @@
account include common-account
password include common-password
session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
session include common-session
session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
