This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core164 has been updated
       via  ead01caeb87f4eb56abb2fc63cea38ea74b16274 (commit)
       via  e895c2de72a79feda5a653bf4fd569c36c2d94da (commit)
       via  de686e49e2a7c12c4b3c46931ecd9d9635565357 (commit)
       via  b69659af02d65f982a2d8fd443f02950593d28fe (commit)
       via  c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b (commit)
       via  3f8e70f6b34ee085cb0a5ad22792e521cd867c1c (commit)
       via  ca1fdb69549b282c9c67b4cf385eda725ed1c366 (commit)
       via  fc717041c4b1af09c4345650ad4b346bb33ae216 (commit)
       via  18f0991c353b9b96062d71a3237e5447231a467b (commit)
       via  dcacf03e80d714bd120a877d16a862ffce47dd26 (commit)
       via  85b1d83b2a6fe2beb8169f3e810e915c4ad54036 (commit)
       via  da3611b2767298e3f300b12b6ae03958a193c871 (commit)
       via  9106bfca42a86f9720c4e2f5d0d166832cac6454 (commit)
      from  6e2c8f48182c169edb177526d7f639b0631d57cc (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit ead01caeb87f4eb56abb2fc63cea38ea74b16274
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Sun Feb 27 09:16:21 2022 +0000
rtl8189fs: add realtek wlan driver
This chip is the successor of the rtl8189es; it looks like some boards have silently switched to the new chip.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e895c2de72a79feda5a653bf4fd569c36c2d94da Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 5 19:13:39 2022 +0100
optionsfw.cgi: Add default settings for newly added options.
If no settings for those features can be obtained from the settings file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit de686e49e2a7c12c4b3c46931ecd9d9635565357 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 8 09:59:43 2022 +0000
linux: Fix for CVE-2022-0847 aka Dirty Pipe
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b69659af02d65f982a2d8fd443f02950593d28fe Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 7 18:53:09 2022 +0000
core164: Ship backup exclude file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 4 10:41:30 2022 +0000
backup: Make include/exclude files relative
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3f8e70f6b34ee085cb0a5ad22792e521cd867c1c Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 4 10:29:23 2022 +0000
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier before exclude files have been changed. To avoid overwriting those files, we will consider the exclude list upon restore.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ca1fdb69549b282c9c67b4cf385eda725ed1c366 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 4 10:27:01 2022 +0000
backup: Exclude oinkmaster.conf
This file is a system configuration file and does not contain any configuration from the user.
Since it can be overwritten in a backup and restored to an older state, this can cause problems such as #12788.
Fixes: #12788 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fc717041c4b1af09c4345650ad4b346bb33ae216 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 4 10:18:25 2022 +0000
backup: Abort when the backup could not be extracted
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 18f0991c353b9b96062d71a3237e5447231a467b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 7 17:52:36 2022 +0100
ids.cgi: Only read-in ignored hosts, if the ignore file exists.
Otherwise the CGI will crash.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dcacf03e80d714bd120a877d16a862ffce47dd26 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 5 18:53:10 2022 +0100
ids-functions.pl: Do not create an empty ignored settings file.
The file will be created by the WUI, when adding the first host.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 85b1d83b2a6fe2beb8169f3e810e915c4ad54036 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 3 05:49:43 2022 +0100
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations or if an error happened, the lock file could be kept on the system. In such a case the IDS page would be locked forever until user interaction or reboot of the system.
Now the script checks if it has created such a lock and releases it when the script exits.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit da3611b2767298e3f300b12b6ae03958a193c871 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 3 19:55:59 2022 +0100
ids-functions.pl: Do not try to chown files while extracting them.
We are almost running as an unprivileged user and therefore do not have the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9106bfca42a86f9720c4e2f5d0d166832cac6454 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 5 16:27:17 2022 +0100
ids-functions.pl: Merge same named rulefiles during extract.
In case a rulestarball contains several same-named rulefiles they have been overwritten each time and so only contained the content from the last extracted one.
Now the content of those files will be merged by appending the content to the first extracted one each time.
Fixes #12792.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
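The merge-on-extract behaviour this commit describes, as an added example in Perl that is not IPFire's own code: it reads a rules tarball with the core Archive::Tar module, writes same-named `.rules` members into a single file, and, going one step beyond the patch, inserts a newline between the pieces when the existing file does not end with one, so the last rule of one member cannot be glued onto the first rule of the next. The sample archive, its member names and the rule text are constructed for the example; the `extract_merging` function and its return value are this example's own design.

```perl
#!/usr/bin/perl
# Added example (not IPFire code): extract every .rules member of a tarball
# into one directory; when two members share a basename, append the second
# to the first instead of overwriting it, separating them with a newline
# if the existing file lacks one.
use strict;
use warnings;
use Archive::Tar;
use File::Basename;
use File::Spec;
use File::Temp qw(tempdir);

# Never try to chown() extracted files: this runs as an unprivileged user.
$Archive::Tar::CHOWN = 0;

# Extract $tarball into $destdir, merging same-named .rules files.
# Returns a hash: basename => number of members written into that file.
sub extract_merging {
    my ($tarball, $destdir) = @_;
    my $tar = Archive::Tar->new($tarball)
        or die "Cannot read $tarball: " . Archive::Tar->error . "\n";
    my %merged;
    foreach my $member ($tar->get_files()) {
        next unless $member->is_file;
        next unless $member->name =~ /\.rules$/;
        my $basename = basename($member->name);
        my $dest     = File::Spec->catfile($destdir, $basename);
        my $content  = $member->get_content;

        if (-e $dest) {
            # Look at the last byte of the existing file before appending.
            my $needs_nl = 0;
            if (-s $dest) {
                open(my $in, '<', $dest) or die "Could not open $dest: $!\n";
                seek($in, -1, 2);            # 2 = SEEK_END
                read($in, my $last, 1);
                close($in);
                $needs_nl = ($last ne "\n");
            }
            open(my $out, '>>', $dest) or die "Could not open $dest: $!\n";
            print $out "\n" if $needs_nl;    # keep rules on separate lines
            print $out $content;
            close($out);
        } else {
            open(my $out, '>', $dest) or die "Could not create $dest: $!\n";
            print $out $content;
            close($out);
        }
        $merged{$basename}++;
    }
    return %merged;
}

# Constructed sample archive: two "emerging-foo.rules" members in different
# directories, the first deliberately without a trailing newline, plus one
# non-rules member that must be left alone.
my $workdir = tempdir(CLEANUP => 1);
my $tarball = File::Spec->catfile($workdir, 'rules.tar');
my $tar     = Archive::Tar->new();
$tar->add_data('rules/emerging-foo.rules',
    qq{alert tcp any any -> any 80 (msg:"first"; sid:1000001; rev:1;)});
$tar->add_data('other/emerging-foo.rules',
    qq{alert tcp any any -> any 443 (msg:"second"; sid:1000002; rev:1;)\n});
$tar->add_data('rules/classification.config',
    "config classification: example,Example class,1\n");
$tar->write($tarball) or die $tar->error;

my $destdir = File::Spec->catdir($workdir, 'out');
mkdir $destdir or die "mkdir $destdir: $!";
my %merged = extract_merging($tarball, $destdir);
printf "%s: %d member(s) merged\n", $_, $merged{$_} for sort keys %merged;

# Show that the two rules ended up on two separate lines.
open(my $fh, '<', File::Spec->catfile($destdir, 'emerging-foo.rules'))
    or die "open: $!";
my @lines = <$fh>;
close($fh);
print scalar(@lines), " rule line(s) in merged file\n";
```

Run with plain `perl`; Archive::Tar, File::Temp and File::Spec ship with core Perl. The newline check is the part the patch lacks: without it, the two constructed rules above would be written as one line, and Suricata would reject that line when loading the ruleset.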
-----------------------------------------------------------------------
Summary of changes:
 config/backup/backup.pl                     |  18 +++-
 config/backup/exclude                       |  17 ++--
 config/backup/include                       | 126 ++++++++++++++--------------
 config/cfgroot/ids-functions.pl             |  38 ++++++++-
 config/rootfiles/core/164/filelists/files   |   1 +
 html/cgi-bin/ids.cgi                        |   8 +-
 html/cgi-bin/optionsfw.cgi                  |   9 ++
 lfs/linux                                   |   3 +
 lfs/{rtl8812au => rtl8189fs}                |  13 ++-
 make.sh                                     |   1 +
 src/installer/hw.c                          |   4 +-
 src/patches/kernel-5.15-CVE-2022-0847.patch |  46 ++++++++++
 src/patches/rtl8189fs/disable_debug.patch   |  11 +++
 src/scripts/update-ids-ruleset              |  19 ++++-
 14 files changed, 221 insertions(+), 93 deletions(-)
 copy lfs/{rtl8812au => rtl8189fs} (90%)
 create mode 100644 src/patches/kernel-5.15-CVE-2022-0847.patch
 create mode 100644 src/patches/rtl8189fs/disable_debug.patch
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 63004491c..a2337cf23 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -39,7 +39,7 @@ process_includes() { local file while read -r file; do for file in ${file}; do - if [ -e "${file}" ]; then + if [ -e "/${file}" ]; then echo "${file}" fi done @@ -58,7 +58,7 @@ make_backup() { done
# Backup using global exclude/include definitions - tar cvfz "$(unknown)" \ + tar cvfz "$(unknown)" -C / \ --exclude-from="/var/ipfire/backup/exclude" \ --exclude-from="/var/ipfire/backup/exclude.user" \ $(process_includes "/var/ipfire/backup/include") \ @@ -71,7 +71,13 @@ make_backup() { restore_backup() { local filename="${1}"
- tar xvzpf "$(unknown)" -C / + # Extract backup + if ! tar xvzpf "$(unknown)" -C / \ + --exclude-from="/var/ipfire/backup/exclude" \ + --exclude-from="/var/ipfire/backup/exclude.user"; then + echo "Could not extract backup" >&2 + return 1 + fi
# Restart syslogd, httpd and suricata in case we've just loaded old logs apachectl -k graceful @@ -202,7 +208,11 @@ restore_addon_backup() { mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf" fi
- tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C / + # Extract backup + if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then + echo "Could not extract backup" >&2 + return 1 + fi }
main() { diff --git a/config/backup/exclude b/config/backup/exclude index 68c37de48..0131a87fd 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,9 +1,10 @@ -/etc/sysconfig/lm_sensors -/etc/unbound/unbound.conf +etc/sysconfig/lm_sensors +etc/unbound/unbound.conf *.tmp -/var/ipfire/ethernet/settings -/var/ipfire/firewall/bin/* -/var/ipfire/ovpn/openssl/* -/var/ipfire/proxy/calamaris/bin/* -/var/ipfire/qos/bin/qos.pl -/var/ipfire/urlfilter/blacklists/*/*.db +var/ipfire/ethernet/settings +var/ipfire/firewall/bin/* +var/ipfire/ovpn/openssl/* +var/ipfire/proxy/calamaris/bin/* +var/ipfire/qos/bin/qos.pl +var/ipfire/suricata/oinkmaster.conf +var/ipfire/urlfilter/blacklists/*/*.db diff --git a/config/backup/include b/config/backup/include index 3b96b1d62..809a49601 100644 --- a/config/backup/include +++ b/config/backup/include 
@@ -1,63 +1,63 @@ -/etc/conntrackd/conntrackd.conf -/etc/group -/etc/hosts* -/etc/httpd/server.crt -/etc/httpd/server.csr -/etc/httpd/server-ecdsa.crt -/etc/httpd/server-ecdsa.csr -/etc/httpd/server-ecdsa.key -/etc/httpd/server.key -/etc/ipsec.user.* -/etc/ipsec.user-post.conf -/etc/logrotate.d -/etc/passwd -/etc/shadow -/etc/ssh/sshd_config -/etc/ssh/ssh_host* -/etc/squid/squid.conf.local -/etc/squid/squid.conf.pre.local -/etc/sysconfig/* -/etc/sysconfig/firewall.local -/etc/sysconfig/rc.local -/etc/unbound -/root/.bash_history -/root/.gitconfig -/root/.ssh -/var/ipfire/auth/users -/var/ipfire/backup/addons/backup -/var/ipfire/backup/exclude.user -/var/ipfire/backup/include.user -/var/ipfire/captive/* -/var/ipfire/*/*.conf -/var/ipfire/*/config -/var/ipfire/dhcp/* -/var/ipfire/dns -/var/ipfire/dnsforward/* -/var/ipfire/*/enable -/var/ipfire/*/*enable* -/var/ipfire/ethernet/aliases -/var/ipfire/ethernet/wireless -/var/ipfire/firewall -/var/ipfire/fwhosts -/var/ipfire/main/* -/var/ipfire/ovpn -/var/ipfire/ovpn/collectd.vpn -/var/ipfire/*/*.pem -/var/ipfire/ppp -/var/ipfire/proxy -/var/ipfire/qos/* -/var/ipfire/qos/bin/qos.sh -/var/ipfire/suricata/*.conf -/var/ipfire/suricata/*.yaml -/var/ipfire/suricata/providers-settings -/var/ipfire/*/settings -/var/ipfire/time/ -/var/ipfire/urlfilter -/var/ipfire/vpn -/var/lib/suricata -/var/log/ip-acct/* -/var/log/rrd/* -/var/log/rrd/collectd -/var/log/vnstat -/var/tmp/idsrules-*.tar.gz -/var/tmp/idsrules-*.rules +etc/conntrackd/conntrackd.conf +etc/group +etc/hosts* +etc/httpd/server.crt +etc/httpd/server.csr +etc/httpd/server-ecdsa.crt +etc/httpd/server-ecdsa.csr +etc/httpd/server-ecdsa.key +etc/httpd/server.key +etc/ipsec.user.* +etc/ipsec.user-post.conf +etc/logrotate.d +etc/passwd +etc/shadow +etc/ssh/sshd_config +etc/ssh/ssh_host* +etc/squid/squid.conf.local +etc/squid/squid.conf.pre.local +etc/sysconfig/* +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/unbound +root/.bash_history +root/.gitconfig +root/.ssh 
+var/ipfire/auth/users +var/ipfire/backup/addons/backup +var/ipfire/backup/exclude.user +var/ipfire/backup/include.user +var/ipfire/captive/* +var/ipfire/*/*.conf +var/ipfire/*/config +var/ipfire/dhcp/* +var/ipfire/dns +var/ipfire/dnsforward/* +var/ipfire/*/enable +var/ipfire/*/*enable* +var/ipfire/ethernet/aliases +var/ipfire/ethernet/wireless +var/ipfire/firewall +var/ipfire/fwhosts +var/ipfire/main/* +var/ipfire/ovpn +var/ipfire/ovpn/collectd.vpn +var/ipfire/*/*.pem +var/ipfire/ppp +var/ipfire/proxy +var/ipfire/qos/* +var/ipfire/qos/bin/qos.sh +var/ipfire/suricata/*.conf +var/ipfire/suricata/*.yaml +var/ipfire/suricata/providers-settings +var/ipfire/*/settings +var/ipfire/time/ +var/ipfire/urlfilter +var/ipfire/vpn +var/lib/suricata +var/log/ip-acct/* +var/log/rrd/* +var/log/rrd/collectd +var/log/vnstat +var/tmp/idsrules-*.tar.gz +var/tmp/idsrules-*.rules diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 74d55def6..37dd42b03 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -153,7 +153,6 @@ sub check_and_create_filelayout() { unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); } unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); } unless (-f "$providers_settings_file") { &create_empty_file($providers_settings_file); } - unless (-f "$ignored_file") { &create_empty_file($ignored_file); } unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); } }
@@ -475,6 +474,9 @@ sub extractruleset ($) { # Load perl module to deal with archives. use Archive::Tar;
+ # Disable chown functionality when uncompressing files. + $Archive::Tar::CHOWN = "0"; + # Load perl module to deal with files and path. use File::Basename;
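Review bot: `$Archive::Tar::CHOWN = "0";` is a package-wide setting but is only assigned once `extractruleset` is entered, so any other Archive::Tar extraction that runs earlier in the same process still attempts chown() and produces exactly the error messages the commit wants to avoid; set it once at file scope next to the other package-level settings rather than inside the sub, and use a numeric `0` instead of the string `"0"`, since the variable is a boolean flag.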
@@ -572,8 +574,38 @@ sub extractruleset ($) { next; }
- # Extract the file to the temporary directory. - $tar->extract_file("$packed_file", "$destination"); + # Check if the destination file exists. + unless(-e "$destination") { + # Extract the file to the temporary directory. + $tar->extract_file("$packed_file", "$destination"); + } else { + # Load perl module to deal with temporary files. + use File::Temp; + + # Generate temporary file name, located in the temporary rules directory and a suffix of ".tmp". + my $tmp = File::Temp->new( SUFFIX => ".tmp", DIR => "$tmp_rules_directory", UNLINK => 0 ); + my $tmpfile = $tmp->filename(); + + # Extract the file to the new temporary file name. + $tar->extract_file("$packed_file", "$tmpfile"); + + # Open the the existing file. + open(DESTFILE, ">>", "$destination") or die "Could not open $destination. $!\n"; + open(TMPFILE, "<", "$tmpfile") or die "Could not open $tmpfile. $!\n"; + + # Loop through the content of the temporary file. + while (<TMPFILE>) { + # Append the content line by line to the destination file. + print DESTFILE "$_"; + } + + # Close the file handles. + close(TMPFILE); + close(DESTFILE); + + # Remove the temporary file. + unlink("$tmpfile"); + } } } } diff --git a/config/rootfiles/core/164/filelists/files b/config/rootfiles/core/164/filelists/files index 89118ae62..86921fca4 100644 --- a/config/rootfiles/core/164/filelists/files +++ b/config/rootfiles/core/164/filelists/files @@ -15,6 +15,7 @@ srv/web/ipfire/html/include/pakfire.js usr/sbin/convert-ids-multiple-providers usr/sbin/convert-snort var/ipfire/backup/bin/backup.pl +var/ipfire/backup/exclude var/ipfire/backup/include var/ipfire/graphs.pl var/ipfire/ids-functions.pl diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 27e61e9bb..722715667 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -103,7 +103,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Check if we should edit an existing entry and got an ID. if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) { @@ -165,7 +165,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq undef($cgiparams{'ID'});
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Grab the configured status of the corresponding entry. my $status = $ignored{$id}[2]; @@ -199,7 +199,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my %ignored = ();
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Drop entry from the hash. delete($ignored{$cgiparams{'ID'}}); @@ -1071,7 +1071,7 @@ sub show_mainpage() { }
# Read-in ignored hosts. - &General::readhasharray("$IDS::settingsdir/ignored", %ignored); + &General::readhasharray("$IDS::ignored_file", %ignored) if (-e $IDS::ignored_file);
$checked{'ENABLE_IDS'}{'off'} = ''; $checked{'ENABLE_IDS'}{'on'} = ''; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 5611b71b7..fbff67b2f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -88,6 +88,15 @@ if (!$settings{'MASQUERADE_ORANGE'}) { if (!$settings{'MASQUERADE_BLUE'}) { $settings{'MASQUERADE_BLUE'} = 'on'; } +if (!$settings{'DROPSPOOFEDMARTIAN'}) { + $settings{'DROPSPOOFEDMARTIAN'} = 'on'; +} +if (!$settings{'DROPHOSTILE'}) { + $settings{'DROPHOSTILE'} = 'off'; +} +if (!$settings{'LOGDROPCTINVALID'}) { + $settings{'LOGDROPCTINVALID'} = 'on'; +}
$checked{'DROPNEWNOTSYN'}{'off'} = ''; $checked{'DROPNEWNOTSYN'}{'on'} = ''; diff --git a/lfs/linux b/lfs/linux index 7a7236eab..0f8f2c184 100644 --- a/lfs/linux +++ b/lfs/linux @@ -141,6 +141,9 @@ ifeq "$(BUILD_ARCH)" "aarch64" endif cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch
+ # Fix for CVE-2022-0847 aka Dirty Pipe + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/kernel-5.15-CVE-2022-0847.patch + ifeq "$(KCFG)" "-headers" # Install the header files cd $(DIR_APP) && make ARCH=$(HEADERS_ARCH) $(EXTRAMAKE) headers diff --git a/lfs/rtl8189fs b/lfs/rtl8189fs new file mode 100644 index 000000000..7a2b3dca0 --- /dev/null +++ b/lfs/rtl8189fs 
@@ -0,0 +1,95 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VERSUFIX = ipfire$(KCFG) +MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/wlan + +VER = 3129a665f835ce0342f9a85a0ce14a556e656b8c + +THISAPP = rtl8189FS_linux-$(VER) +DL_FILE = $(THISAPP).tar.xz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = f7c817e89403b8a84a664f326f47c7d7 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + $(PAK) + 
+############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8189fs/disable_debug.patch + cd $(DIR_APP) && CONFIG_RTL8189FS=m make $(MAKETUNING) \ + -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules + + # Install the built kernel modules. + mkdir -p $(MODPATH) + cd $(DIR_APP) && for f in $$(ls *.ko); do \ + /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \ + $$f; \ + xz $$f; \ + install -m 644 $$f.xz $(MODPATH); \ + done + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 79798834a..6e84d8d1b 100755 --- a/make.sh +++ b/make.sh @@ -1181,6 +1181,7 @@ buildipfire() { # multi kernel builds so KCFG is empty lfsmake2 linux KCFG="" lfsmake2 rtl8189es KCFG="" + lfsmake2 rtl8189fs KCFG="" lfsmake2 rtl8812au KCFG="" lfsmake2 rtl8822bu KCFG="" lfsmake2 xradio KCFG="" diff --git a/src/installer/hw.c b/src/installer/hw.c index 17e0bbb01..5cba2a261 100644 --- a/src/installer/hw.c +++ b/src/installer/hw.c @@ -1204,7 +1204,9 @@ char* hw_find_backup_file(const char* output, const char* search_path) { int hw_restore_backup(const char* output, const char* backup_path, const char* destination) { char command[STRING_SIZE];
- snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s", backup_path, destination); + snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s " + "--exclude-from=%s/var/ipfire/backup/exclude --exclude-from=%s/var/ipfire/backup/exclude.user", + backup_path, destination, destination, destination); int rc = mysystem(output, command);
if (rc) diff --git a/src/patches/kernel-5.15-CVE-2022-0847.patch b/src/patches/kernel-5.15-CVE-2022-0847.patch new file mode 100644 index 000000000..5279916c2 --- /dev/null +++ b/src/patches/kernel-5.15-CVE-2022-0847.patch @@ -0,0 +1,46 @@ +From 114e9f141822e6977633d322c1b03e89bd209932 Mon Sep 17 00:00:00 2001 +From: Max Kellermann max.kellermann@ionos.com +Date: Mon, 21 Feb 2022 11:03:13 +0100 +Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer + +commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream. + +The functions copy_page_to_iter_pipe() and push_pipe() can both +allocate a new pipe_buffer, but the "flags" member initializer is +missing. + +Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed") +To: Alexander Viro viro@zeniv.linux.org.uk +To: linux-fsdevel@vger.kernel.org +To: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Max Kellermann max.kellermann@ionos.com +Signed-off-by: Al Viro viro@zeniv.linux.org.uk +Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org +--- + lib/iov_iter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 60b5e6edfbaa..c5b2f0f4b8a8 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -416,6 +416,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by + return 0; + + buf->ops = &page_cache_pipe_buf_ops; ++ buf->flags = 0; + get_page(page); + buf->page = page; + buf->offset = offset; +@@ -532,6 +533,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size, + break; + + buf->ops = &default_pipe_buf_ops; ++ buf->flags = 0; + buf->page = page; + buf->offset = 0; + buf->len = min_t(ssize_t, left, PAGE_SIZE); +-- +2.30.2 + diff --git a/src/patches/rtl8189fs/disable_debug.patch b/src/patches/rtl8189fs/disable_debug.patch new file mode 100644 index 000000000..d29c55e6c --- /dev/null +++ b/src/patches/rtl8189fs/disable_debug.patch 
@@ -0,0 +1,11 @@ +diff -Naur rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/include/autoconf.h rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/include/autoconf.h +--- rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/include/autoconf.h 2021-10-01 14:51:56.000000000 +0000 ++++ rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/include/autoconf.h 2022-02-26 12:00:09.188965578 +0000 +@@ -224,7 +224,6 @@ + /* + * Debug Related Config + */ +-#define CONFIG_DEBUG /* DBG_871X, etc... */ + + #ifdef CONFIG_DEBUG + #define DBG 1 // for ODM & BTCOEX debug diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 10a270907..c2970d20b 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl";
+# Variable to store if the process has written a lockfile. +my $locked; + # Hash to store the configured providers. my %providers = ();
@@ -77,6 +80,9 @@ if(&IDS::checkdiskspace()) { # Lock the IDS page. &IDS::lock_ids_page();
+# The script has requested a lock, so set locket to "1". +$locked = "1"; + # Grab the configured providers. &General::readhasharray("$IDS::providers_settings_file", %providers);
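Review bot: `$locked = "1";` is set only after `&IDS::lock_ids_page();` has returned; if lock_ids_page creates the lock file and then dies, the END block sees `$locked` unset and the lock stays behind, which is the situation the commit sets out to fix. Set the flag before taking the lock (an unlock of a lock that was never created is harmless) or have lock_ids_page return a status, and use `1` rather than the string `"1"`.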
@@ -114,13 +120,20 @@ foreach my $id (keys %providers) { # Set correct ownership for the rulesdir and files. &IDS::set_ownership("$IDS::rulespath");
-# Unlock the IDS page. -&IDS::unlock_ids_page(); - # Check if the IDS is running. if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("reload"); }
+# Custom END declaration to release a IDS page lock +# when the script has created one. +END { + # Check if a lock has been requested. + if ($locked) { + # Unlock the IDS page. + &IDS::unlock_ids_page(); + } +} + 1;
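Review bot: the END block in src/scripts/update-ids-ruleset releases the lock on die() and on normal exit, but not when the process is killed with SIGKILL or the box loses power between `lock_ids_page` and exit, so the "locked forever until reboot" case from the commit message is narrowed rather than closed; consider writing the PID into the lock file so ids.cgi can treat a lock whose owner no longer exists as stale.

Review bot: in the `process_includes` hunk of config/backup/backup.pl, `for file in ${file}` still glob-expands each include entry against the script's current working directory, while the new test `[ -e "/${file}" ]` and the later `tar ... -C /` resolve it against /; with the include list now relative (`var/ipfire/*/*.conf`, `etc/hosts*`), wildcard entries only expand when the script happens to run with cwd /, and otherwise the unexpanded pattern fails the `-e` test and is silently dropped from the backup. Run the loop in a subshell that does `cd /` first, or keep the entries absolute for the existence test and strip the slash only when echoing.

Review bot: in the `restore_backup` hunk, members matched by the exclude lists are dropped silently; since this is precisely the case the "Don't restore excluded files" commit describes, log that the exclude lists were applied (tar's `-v` only lists members that were extracted) so a user who wonders why a restored setting is missing can find out. `restore_addon_backup` in the same file does not apply the exclude lists; if that is intended for add-on archives, a comment saying so would prevent the two paths from drifting further apart.

Review bot: in the merge branch of `extractruleset` in config/cfgroot/ids-functions.pl, appending line by line with `print DESTFILE "$_"` never checks whether the existing `$destination` ends with a newline; if the first extracted file lacks a trailing newline, its last rule and the first rule of the next file are joined into one line that Suricata will reject at load time. Check the last byte of `$destination` and emit a `"\n"` before appending. Prefer lexical filehandles (`open(my $dest_fh, ">>", "$destination")`) over the bareword `DESTFILE`/`TMPFILE`, and note that a `die` on either `open` leaves `$tmpfile` behind because of `UNLINK => 0`.

Review bot: the four `if (-e $IDS::ignored_file)` guards in html/cgi-bin/ids.cgi repeat one condition; a small helper that returns an empty hash when the file is absent would keep it in one place, and `-f` is the more precise test since `-e` is also true for a directory. The last hunk additionally switches from `"$IDS::settingsdir/ignored"` to `$IDS::ignored_file`, which is right, but it is a separate fix that deserves its own line in the commit message.

Review bot: the new defaults in html/cgi-bin/optionsfw.cgi only affect what the page displays; if the firewall script that consumes these settings falls back to a different value when a key is missing, the page will show DROPHOSTILE as off (or DROPSPOOFEDMARTIAN as on) while the running rules do the opposite until the user presses Save. Confirm both sides use the same defaults, ideally by writing them to the settings file once instead of re-deriving them in every reader.

Review bot: the Dirty Pipe fix in lfs/linux is the upstream stable commit 9d2231c5d74e13b2a0546fee6737ee4446017903 applied verbatim, which is the right approach; the file is placed in src/patches/ while the adjacent amba patch lives in src/patches/linux/, so moving it to `src/patches/linux/` keeps the kernel patches in one directory.

Review bot: in lfs/rtl8189fs the signing step uses `/lib/modules/$$(uname -r)$(KCFG)/build/...` while the build and install steps use `$(KVER)-$(VERSUFIX)`; unless the build environment guarantees that `uname -r` equals `$(KVER)-ipfire`, the modules are signed with a different kernel's key or the step fails, so use the same `$(KVER)-$(VERSUFIX)` path in all three places. This is inherited from the rtl8812au file it was copied from, so the same fix applies there. The source tarball is verified by MD5 only (`$(DL_FILE)_MD5`), which follows the tree's convention but offers no protection against a substituted archive; pinning VER to the upstream git commit helps, though the digest still decides what gets built.

Review bot: in src/installer/hw.c the command string gained two more `%s` expansions of `destination`, so check that `snprintf` did not truncate (compare its return value against `sizeof(command)`) before handing the string to `mysystem`; a truncated `--exclude-from=` path would either restore the excluded files silently or fail with a confusing tar error. The paths are also unquoted, which is acceptable for the installer's fixed mount point but worth a comment.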
hooks/post-receive -- IPFire 2.x development tree