From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, core164, updated. ead01caeb87f4eb56abb2fc63cea38ea74b16274
Date: Wed, 09 Mar 2022 15:26:36 +0000
Message-ID: <4KDGJF1pDfz2xhs@people01.haj.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2511560899933493562=="
List-Id:

--===============2511560899933493562==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core164 has been updated
       via  ead01caeb87f4eb56abb2fc63cea38ea74b16274 (commit)
       via  e895c2de72a79feda5a653bf4fd569c36c2d94da (commit)
       via  de686e49e2a7c12c4b3c46931ecd9d9635565357 (commit)
       via  b69659af02d65f982a2d8fd443f02950593d28fe (commit)
       via  c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b (commit)
       via  3f8e70f6b34ee085cb0a5ad22792e521cd867c1c (commit)
       via  ca1fdb69549b282c9c67b4cf385eda725ed1c366 (commit)
       via  fc717041c4b1af09c4345650ad4b346bb33ae216 (commit)
       via  18f0991c353b9b96062d71a3237e5447231a467b (commit)
       via  dcacf03e80d714bd120a877d16a862ffce47dd26 (commit)
       via  85b1d83b2a6fe2beb8169f3e810e915c4ad54036 (commit)
       via  da3611b2767298e3f300b12b6ae03958a193c871 (commit)
       via  9106bfca42a86f9720c4e2f5d0d166832cac6454 (commit)
      from  6e2c8f48182c169edb177526d7f639b0631d57cc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ead01caeb87f4eb56abb2fc63cea38ea74b16274
Author: Arne Fitzenreiter
Date:   Sun Feb 27 09:16:21 2022 +0000

    rtl8189fs: add realtek wlan driver

    This chip is the successor of the rtl8189es. It looks like some boards
    have silently switched to the new chip.

    Signed-off-by: Arne Fitzenreiter
    Reviewed-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e895c2de72a79feda5a653bf4fd569c36c2d94da
Author: Stefan Schantl
Date:   Sat Mar 5 19:13:39 2022 +0100

    optionsfw.cgi: Add default settings for newly added options.

    If no settings for those features can be obtained from the settings
    file, set them to the following defaults.

    * DROPSPOOFEDMARTIAN -> on (yes)
    * DROPHOSTILE -> off (no - because only freshly installed systems should do this)
    * LOGDROPCTINVALID -> on (yes)

    Signed-off-by: Stefan Schantl
    Reviewed-by: Peter Müller
    Signed-off-by: Michael Tremer

commit de686e49e2a7c12c4b3c46931ecd9d9635565357
Author: Michael Tremer
Date:   Tue Mar 8 09:59:43 2022 +0000

    linux: Fix for CVE-2022-0847 aka Dirty Pipe

    https://dirtypipe.cm4all.com

    Signed-off-by: Michael Tremer

commit b69659af02d65f982a2d8fd443f02950593d28fe
Author: Michael Tremer
Date:   Mon Mar 7 18:53:09 2022 +0000

    core164: Ship backup exclude file

    Signed-off-by: Michael Tremer

commit c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b
Author: Michael Tremer
Date:   Fri Mar 4 10:41:30 2022 +0000

    backup: Make include/exclude files relative

    Signed-off-by: Michael Tremer

commit 3f8e70f6b34ee085cb0a5ad22792e521cd867c1c
Author: Michael Tremer
Date:   Fri Mar 4 10:29:23 2022 +0000

    backup: Don't restore excluded files

    Sometimes, we restore a backup that has been created earlier, before
    the exclude files have been changed. To avoid overwriting those files,
    we will consider the exclude list upon restore.

    Signed-off-by: Michael Tremer

commit ca1fdb69549b282c9c67b4cf385eda725ed1c366
Author: Michael Tremer
Date:   Fri Mar 4 10:27:01 2022 +0000

    backup: Exclude oinkmaster.conf

    This file is a system configuration file and does not contain any
    configuration from the user.

    Since it can be overwritten in a backup and restored to an older
    state, this can cause problems such as #12788.

    Fixes: #12788
    Signed-off-by: Michael Tremer

commit fc717041c4b1af09c4345650ad4b346bb33ae216
Author: Michael Tremer
Date:   Fri Mar 4 10:18:25 2022 +0000

    backup: Abort when the backup could not be extracted

    Signed-off-by: Michael Tremer

commit 18f0991c353b9b96062d71a3237e5447231a467b
Author: Stefan Schantl
Date:   Mon Mar 7 17:52:36 2022 +0100

    ids.cgi: Only read-in ignored hosts if the ignore file exists.

    Otherwise the CGI will crash.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit dcacf03e80d714bd120a877d16a862ffce47dd26
Author: Stefan Schantl
Date:   Sat Mar 5 18:53:10 2022 +0100

    ids-functions.pl: Do not create an empty ignored settings file.

    The file will be created by the WUI when adding the first host.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 85b1d83b2a6fe2beb8169f3e810e915c4ad54036
Author: Stefan Schantl
Date:   Thu Mar 3 05:49:43 2022 +0100

    update-ids-ruleset: Always drop the lock file if it has been created during runtime.

    In some situations, or if an error happened, the lock file could be
    kept on the system. In such a case the IDS page would be locked
    forever until user interaction or a reboot of the system.

    Now the script checks if it has created such a lock and releases it
    when the script exits.

    Signed-off-by: Stefan Schantl
    Reviewed-by: Michael Tremer
    Acked-by: Peter Müller
    Signed-off-by: Michael Tremer

commit da3611b2767298e3f300b12b6ae03958a193c871
Author: Stefan Schantl
Date:   Thu Mar 3 19:55:59 2022 +0100

    ids-functions.pl: Do not try to chown files while extracting them.

    We are almost running as an unprivileged user and therefore do not
    have the permissions to do this.

    This will save us a lot of confusing error messages.

    Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer commit 9106bfca42a86f9720c4e2f5d0d166832cac6454 Author: Stefan Schantl Date: Sat Mar 5 16:27:17 2022 +0100 ids-functions.pl: Merge same named rulefiles during extract. =20 In case a rulestarball contains several same-named rulefiles they have been overwritten each time and so only contained the content from the last extracted one. =20 Now the content of those files will be merged by appending the content to the first extracted one for each time. =20 Fixes #12792. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/backup/backup.pl | 18 +++- config/backup/exclude | 17 ++-- config/backup/include | 126 ++++++++++++++------------= -- config/cfgroot/ids-functions.pl | 38 ++++++++- config/rootfiles/core/164/filelists/files | 1 + html/cgi-bin/ids.cgi | 8 +- html/cgi-bin/optionsfw.cgi | 9 ++ lfs/linux | 3 + lfs/{rtl8812au =3D> rtl8189fs} | 13 ++- make.sh | 1 + src/installer/hw.c | 4 +- src/patches/kernel-5.15-CVE-2022-0847.patch | 46 ++++++++++ src/patches/rtl8189fs/disable_debug.patch | 11 +++ src/scripts/update-ids-ruleset | 19 ++++- 14 files changed, 221 insertions(+), 93 deletions(-) copy lfs/{rtl8812au =3D> rtl8189fs} (90%) create mode 100644 src/patches/kernel-5.15-CVE-2022-0847.patch create mode 100644 src/patches/rtl8189fs/disable_debug.patch Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 63004491c..a2337cf23 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -39,7 +39,7 @@ process_includes() { local file while read -r file; do for file in ${file}; do - if [ -e "${file}" ]; then + if [ -e "/${file}" ]; then echo "${file}" fi done 
@@ -58,7 +58,7 @@ make_backup() { done =20 # Backup using global exclude/include definitions - tar cvfz "$(unknown)" \ + tar cvfz "$(unknown)" -C / \ --exclude-from=3D"/var/ipfire/backup/exclude" \ --exclude-from=3D"/var/ipfire/backup/exclude.user" \ $(process_includes "/var/ipfire/backup/include") \ @@ -71,7 +71,13 @@ make_backup() { restore_backup() { local filename=3D"${1}" =20 - tar xvzpf "$(unknown)" -C / + # Extract backup + if ! tar xvzpf "$(unknown)" -C / \ + --exclude-from=3D"/var/ipfire/backup/exclude" \ + --exclude-from=3D"/var/ipfire/backup/exclude.user"; then + echo "Could not extract backup" >&2 + return 1 + fi =20 # Restart syslogd, httpd and suricata in case we've just loaded old logs apachectl -k graceful @@ -202,7 +208,11 @@ restore_addon_backup() { mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf" fi =20 - tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C / + # Extract backup + if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then + echo "Could not extract backup" >&2 + return 1 + fi } =20 main() { diff --git a/config/backup/exclude b/config/backup/exclude index 68c37de48..0131a87fd 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,9 +1,10 @@ -/etc/sysconfig/lm_sensors -/etc/unbound/unbound.conf +etc/sysconfig/lm_sensors +etc/unbound/unbound.conf *.tmp -/var/ipfire/ethernet/settings -/var/ipfire/firewall/bin/* -/var/ipfire/ovpn/openssl/* -/var/ipfire/proxy/calamaris/bin/* -/var/ipfire/qos/bin/qos.pl -/var/ipfire/urlfilter/blacklists/*/*.db +var/ipfire/ethernet/settings +var/ipfire/firewall/bin/* +var/ipfire/ovpn/openssl/* +var/ipfire/proxy/calamaris/bin/* +var/ipfire/qos/bin/qos.pl +var/ipfire/suricata/oinkmaster.conf +var/ipfire/urlfilter/blacklists/*/*.db diff --git a/config/backup/include b/config/backup/include index 3b96b1d62..809a49601 100644 --- a/config/backup/include +++ b/config/backup/include 
@@ -1,63 +1,63 @@ -/etc/conntrackd/conntrackd.conf -/etc/group -/etc/hosts* -/etc/httpd/server.crt -/etc/httpd/server.csr -/etc/httpd/server-ecdsa.crt -/etc/httpd/server-ecdsa.csr -/etc/httpd/server-ecdsa.key -/etc/httpd/server.key -/etc/ipsec.user.* -/etc/ipsec.user-post.conf -/etc/logrotate.d -/etc/passwd -/etc/shadow -/etc/ssh/sshd_config -/etc/ssh/ssh_host* -/etc/squid/squid.conf.local -/etc/squid/squid.conf.pre.local -/etc/sysconfig/* -/etc/sysconfig/firewall.local -/etc/sysconfig/rc.local -/etc/unbound -/root/.bash_history -/root/.gitconfig -/root/.ssh -/var/ipfire/auth/users -/var/ipfire/backup/addons/backup -/var/ipfire/backup/exclude.user -/var/ipfire/backup/include.user -/var/ipfire/captive/* -/var/ipfire/*/*.conf -/var/ipfire/*/config -/var/ipfire/dhcp/* -/var/ipfire/dns -/var/ipfire/dnsforward/* -/var/ipfire/*/enable -/var/ipfire/*/*enable* -/var/ipfire/ethernet/aliases -/var/ipfire/ethernet/wireless -/var/ipfire/firewall -/var/ipfire/fwhosts -/var/ipfire/main/* -/var/ipfire/ovpn -/var/ipfire/ovpn/collectd.vpn -/var/ipfire/*/*.pem -/var/ipfire/ppp -/var/ipfire/proxy -/var/ipfire/qos/* -/var/ipfire/qos/bin/qos.sh -/var/ipfire/suricata/*.conf -/var/ipfire/suricata/*.yaml -/var/ipfire/suricata/providers-settings -/var/ipfire/*/settings -/var/ipfire/time/ -/var/ipfire/urlfilter -/var/ipfire/vpn -/var/lib/suricata -/var/log/ip-acct/* -/var/log/rrd/* -/var/log/rrd/collectd -/var/log/vnstat -/var/tmp/idsrules-*.tar.gz -/var/tmp/idsrules-*.rules +etc/conntrackd/conntrackd.conf +etc/group +etc/hosts* +etc/httpd/server.crt +etc/httpd/server.csr +etc/httpd/server-ecdsa.crt +etc/httpd/server-ecdsa.csr +etc/httpd/server-ecdsa.key +etc/httpd/server.key +etc/ipsec.user.* +etc/ipsec.user-post.conf +etc/logrotate.d +etc/passwd +etc/shadow +etc/ssh/sshd_config +etc/ssh/ssh_host* +etc/squid/squid.conf.local +etc/squid/squid.conf.pre.local +etc/sysconfig/* +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/unbound +root/.bash_history +root/.gitconfig +root/.ssh 
+var/ipfire/auth/users +var/ipfire/backup/addons/backup +var/ipfire/backup/exclude.user +var/ipfire/backup/include.user +var/ipfire/captive/* +var/ipfire/*/*.conf +var/ipfire/*/config +var/ipfire/dhcp/* +var/ipfire/dns +var/ipfire/dnsforward/* +var/ipfire/*/enable +var/ipfire/*/*enable* +var/ipfire/ethernet/aliases +var/ipfire/ethernet/wireless +var/ipfire/firewall +var/ipfire/fwhosts +var/ipfire/main/* +var/ipfire/ovpn +var/ipfire/ovpn/collectd.vpn +var/ipfire/*/*.pem +var/ipfire/ppp +var/ipfire/proxy +var/ipfire/qos/* +var/ipfire/qos/bin/qos.sh +var/ipfire/suricata/*.conf +var/ipfire/suricata/*.yaml +var/ipfire/suricata/providers-settings +var/ipfire/*/settings +var/ipfire/time/ +var/ipfire/urlfilter +var/ipfire/vpn +var/lib/suricata +var/log/ip-acct/* +var/log/rrd/* +var/log/rrd/collectd +var/log/vnstat +var/tmp/idsrules-*.tar.gz +var/tmp/idsrules-*.rules diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 74d55def6..37dd42b03 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -153,7 +153,6 @@ sub check_and_create_filelayout() { unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($surica= ta_default_rulefiles_file); } unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); } unless (-f "$providers_settings_file") { &create_empty_file($providers_sett= ings_file); } - unless (-f "$ignored_file") { &create_empty_file($ignored_file); } unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); } } =20 @@ -475,6 +474,9 @@ sub extractruleset ($) { # Load perl module to deal with archives. use Archive::Tar; =20 + # Disable chown functionality when uncompressing files. + $Archive::Tar::CHOWN =3D "0"; + # Load perl module to deal with files and path. use File::Basename; =20 
@@ -572,8 +574,38 @@ sub extractruleset ($) { next; } =20 - # Extract the file to the temporary directory. - $tar->extract_file("$packed_file", "$destination"); + # Check if the destination file exists. + unless(-e "$destination") { + # Extract the file to the temporary directory. + $tar->extract_file("$packed_file", "$destination"); + } else { + # Load perl module to deal with temporary files. + use File::Temp; + + # Generate temporary file name, located in the temporary rules directory= and a suffix of ".tmp". + my $tmp =3D File::Temp->new( SUFFIX =3D> ".tmp", DIR =3D> "$tmp_rules_di= rectory", UNLINK =3D> 0 ); + my $tmpfile =3D $tmp->filename(); + + # Extract the file to the new temporary file name. + $tar->extract_file("$packed_file", "$tmpfile"); + + # Open the the existing file. + open(DESTFILE, ">>", "$destination") or die "Could not open $destination= . $!\n"; + open(TMPFILE, "<", "$tmpfile") or die "Could not open $tmpfile. $!\n"; + + # Loop through the content of the temporary file. + while () { + # Append the content line by line to the destination file. + print DESTFILE "$_"; + } + + # Close the file handles. + close(TMPFILE); + close(DESTFILE); + + # Remove the temporary file. + unlink("$tmpfile"); + } } } } diff --git a/config/rootfiles/core/164/filelists/files b/config/rootfiles/cor= e/164/filelists/files index 89118ae62..86921fca4 100644 --- a/config/rootfiles/core/164/filelists/files +++ b/config/rootfiles/core/164/filelists/files @@ -15,6 +15,7 @@ srv/web/ipfire/html/include/pakfire.js usr/sbin/convert-ids-multiple-providers usr/sbin/convert-snort var/ipfire/backup/bin/backup.pl +var/ipfire/backup/exclude var/ipfire/backup/include var/ipfire/graphs.pl var/ipfire/ids-functions.pl diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 27e61e9bb..722715667 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -103,7 +103,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cg= iparams{'WHITELIST'} eq my $new_entry_remark =3D $cgiparams{'IGNORE_ENTRY_REMARK'}; =20 # Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignore= d_file); =20 # Check if we should edit an existing entry and got an ID. if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})= ) { @@ -165,7 +165,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cg= iparams{'WHITELIST'} eq undef($cgiparams{'ID'}); =20 # Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignore= d_file); =20 # Grab the configured status of the corresponding entry. my $status =3D $ignored{$id}[2]; @@ -199,7 +199,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cg= iparams{'WHITELIST'} eq my %ignored =3D (); =20 # Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored= _file); =20 # Drop entry from the hash. delete($ignored{$cgiparams{'ID'}}); @@ -1071,7 +1071,7 @@ sub show_mainpage() { } =20 # Read-in ignored hosts. - &General::readhasharray("$IDS::settingsdir/ignored", \%ignored); + &General::readhasharray("$IDS::ignored_file", \%ignored) if (-e $IDS::ignor= ed_file); =20 $checked{'ENABLE_IDS'}{'off'} =3D ''; $checked{'ENABLE_IDS'}{'on'} =3D ''; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 5611b71b7..fbff67b2f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi 
@@ -88,6 +88,15 @@ if (!$settings{'MASQUERADE_ORANGE'}) { if (!$settings{'MASQUERADE_BLUE'}) { $settings{'MASQUERADE_BLUE'} =3D 'on'; } +if (!$settings{'DROPSPOOFEDMARTIAN'}) { + $settings{'DROPSPOOFEDMARTIAN'} =3D 'on'; +} +if (!$settings{'DROPHOSTILE'}) { + $settings{'DROPHOSTILE'} =3D 'off'; +} +if (!$settings{'LOGDROPCTINVALID'}) { + $settings{'LOGDROPCTINVALID'} =3D 'on'; +} =20 $checked{'DROPNEWNOTSYN'}{'off'} =3D ''; $checked{'DROPNEWNOTSYN'}{'on'} =3D ''; diff --git a/lfs/linux b/lfs/linux index 7a7236eab..0f8f2c184 100644 --- a/lfs/linux +++ b/lfs/linux @@ -141,6 +141,9 @@ ifeq "$(BUILD_ARCH)" "aarch64" endif cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-am= ba-fix.patch =20 + # Fix for CVE-2022-0847 aka Dirty Pipe + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/kernel-5.15-CVE-2022-0= 847.patch + ifeq "$(KCFG)" "-headers" # Install the header files cd $(DIR_APP) && make ARCH=3D$(HEADERS_ARCH) $(EXTRAMAKE) headers diff --git a/lfs/rtl8189fs b/lfs/rtl8189fs new file mode 100644 index 000000000..7a2b3dca0 --- /dev/null +++ b/lfs/rtl8189fs 
@@ -0,0 +1,95 @@ +############################################################################= ### +# = # +# IPFire.org - A linux based firewall = # +# Copyright (C) 2007-2022 IPFire Team = # +# = # +# This program is free software: you can redistribute it and/or modify = # +# it under the terms of the GNU General Public License as published by = # +# the Free Software Foundation, either version 3 of the License, or = # +# (at your option) any later version. = # +# = # +# This program is distributed in the hope that it will be useful, = # +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # +# GNU General Public License for more details. = # +# = # +# You should have received a copy of the GNU General Public License = # +# along with this program. If not, see . = # +# = # +############################################################################= ### + +############################################################################= ### +# Definitions +############################################################################= ### + +include Config + +VERSUFIX =3D ipfire$(KCFG) +MODPATH =3D /lib/modules/$(KVER)-$(VERSUFIX)/extra/wlan + +VER =3D 3129a665f835ce0342f9a85a0ce14a556e656b8c + +THISAPP =3D rtl8189FS_linux-$(VER) +DL_FILE =3D $(THISAPP).tar.xz +DL_FROM =3D $(URL_IPFIRE) +DIR_APP =3D $(DIR_SRC)/$(THISAPP) +TARGET =3D $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX) + +############################################################################= ### +# Top-level Rules +############################################################################= ### + +objects =3D $(DL_FILE) + +$(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 =3D f7c817e89403b8a84a664f326f47c7d7 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist:=20 + $(PAK) + 
+############################################################################= ### +# Downloading, checking, md5sum +############################################################################= ### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################= ### +# Installation Details +############################################################################= ### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8189fs/disable_debu= g.patch + cd $(DIR_APP) && CONFIG_RTL8189FS=3Dm make $(MAKETUNING) \ + -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=3D$(DIR_APP)/ modules + + # Install the built kernel modules. + mkdir -p $(MODPATH) + cd $(DIR_APP) && for f in $$(ls *.ko); do \ + /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \ + $$f; \ + xz $$f; \ + install -m 644 $$f.xz $(MODPATH); \ + done + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 79798834a..6e84d8d1b 100755 --- a/make.sh +++ b/make.sh @@ -1181,6 +1181,7 @@ buildipfire() { # multi kernel builds so KCFG is empty lfsmake2 linux KCFG=3D"" lfsmake2 rtl8189es KCFG=3D"" + lfsmake2 rtl8189fs KCFG=3D"" lfsmake2 rtl8812au KCFG=3D"" lfsmake2 rtl8822bu KCFG=3D"" lfsmake2 xradio KCFG=3D"" diff --git a/src/installer/hw.c b/src/installer/hw.c index 17e0bbb01..5cba2a261 100644 --- a/src/installer/hw.c +++ b/src/installer/hw.c 
@@ -1204,7 +1204,9 @@ char* hw_find_backup_file(const char* output, const cha= r* search_path) { int hw_restore_backup(const char* output, const char* backup_path, const cha= r* destination) { char command[STRING_SIZE]; =20 - snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s", backup_path, d= estination); + snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s " + "--exclude-from=3D%s/var/ipfire/backup/exclude --exclude-from=3D%s/var/ipf= ire/backup/exclude.user", + backup_path, destination, destination, destination); int rc =3D mysystem(output, command); =20 if (rc) diff --git a/src/patches/kernel-5.15-CVE-2022-0847.patch b/src/patches/kernel= -5.15-CVE-2022-0847.patch new file mode 100644 index 000000000..5279916c2 --- /dev/null +++ b/src/patches/kernel-5.15-CVE-2022-0847.patch 
@@ -0,0 +1,46 @@ +From 114e9f141822e6977633d322c1b03e89bd209932 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Mon, 21 Feb 2022 11:03:13 +0100 +Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer + +commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream. + +The functions copy_page_to_iter_pipe() and push_pipe() can both +allocate a new pipe_buffer, but the "flags" member initializer is +missing. + +Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed") +To: Alexander Viro +To: linux-fsdevel(a)vger.kernel.org +To: linux-kernel(a)vger.kernel.org +Cc: stable(a)vger.kernel.org +Signed-off-by: Max Kellermann +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + lib/iov_iter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 60b5e6edfbaa..c5b2f0f4b8a8 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -416,6 +416,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, = size_t offset, size_t by + return 0; +=20 + buf->ops =3D &page_cache_pipe_buf_ops; ++ buf->flags =3D 0; + get_page(page); + buf->page =3D page; + buf->offset =3D offset; +@@ -532,6 +533,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size, + break; +=20 + buf->ops =3D &default_pipe_buf_ops; ++ buf->flags =3D 0; + buf->page =3D page; + buf->offset =3D 0; + buf->len =3D min_t(ssize_t, left, PAGE_SIZE); +--=20 +2.30.2 + diff --git a/src/patches/rtl8189fs/disable_debug.patch b/src/patches/rtl8189f= s/disable_debug.patch new file mode 100644 index 000000000..d29c55e6c --- /dev/null +++ b/src/patches/rtl8189fs/disable_debug.patch 
@@ -0,0 +1,11 @@ +diff -Naur rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/incl= ude/autoconf.h rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/inclu= de/autoconf.h +--- rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/include/aut= oconf.h 2021-10-01 14:51:56.000000000 +0000 ++++ rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/include/autocon= f.h 2022-02-26 12:00:09.188965578 +0000 +@@ -224,7 +224,6 @@ + /* + * Debug Related Config + */ +-#define CONFIG_DEBUG /* DBG_871X, etc... */ +=20 + #ifdef CONFIG_DEBUG + #define DBG 1 // for ODM & BTCOEX debug diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 10a270907..c2970d20b 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl"; =20 +# Variable to store if the process has written a lockfile. +my $locked; + # Hash to store the configured providers. my %providers =3D (); =20 @@ -77,6 +80,9 @@ if(&IDS::checkdiskspace()) { # Lock the IDS page. &IDS::lock_ids_page(); =20 +# The script has requested a lock, so set locket to "1". +$locked =3D "1"; + # Grab the configured providers. &General::readhasharray("$IDS::providers_settings_file", \%providers); =20 
@@ -114,13 +120,20 @@ foreach my $id (keys %providers) { # Set correct ownership for the rulesdir and files. &IDS::set_ownership("$IDS::rulespath"); =20 -# Unlock the IDS page. -&IDS::unlock_ids_page(); - # Check if the IDS is running. if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("reload"); } =20 +# Custom END declaration to release a IDS page lock +# when the script has created one. +END { + # Check if a lock has been requested. + if ($locked) { + # Unlock the IDS page. + &IDS::unlock_ids_page(); + } +} + 1; hooks/post-receive -- IPFire 2.x development tree --===============2511560899933493562==--
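Review bot: in the process_includes hunk of config/backup/backup.pl, the unquoted `for file in ${file}` expands glob entries such as `var/ipfire/*/*.conf` relative to the current working directory, not `/`, now that the include list is relative; unless the script always runs from `/`, the pattern stays unexpanded, `[ -e "/${file}" ]` fails and the entry is silently dropped from the archive. Running the expansion in a subshell that starts with `cd / || return 1` (or prefixing the glob with `/` and stripping it again in the echo) keeps the wildcard entries working.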
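Review bot: the restore_backup hunk in backup.pl correctly skips the service restarts when tar fails, but a non-zero exit from `tar x` normally means some members were already written to `/`, so the message should say that the system may be partially restored and include `${filename}` so the failure can be traced in the log.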
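Review bot: the restore_addon_backup hunk extracts the addon archive into `/` without the two `--exclude-from` lists that restore_backup now applies, so an addon backup can still overwrite files the main restore deliberately skips (for example the newly excluded var/ipfire/suricata/oinkmaster.conf). If that is intentional, a comment saying why would help; otherwise pass the same exclude files here. Adding `${name}` to the "Could not extract backup" message would also make the failing addon easier to identify.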
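Review bot: the config/backup/exclude hunk converts the shipped list to relative entries, but `/var/ipfire/backup/exclude.user` (read by both make_backup and restore_backup) is user-maintained and may still hold entries with a leading `/`, which may no longer match the relative member names tar now stores with `-C /`. A one-time conversion in the core164 update script, or stripping a leading `/` from user entries before handing them to tar, avoids silently changing what a user's backup contains.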
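Review bot: `$Archive::Tar::CHOWN = "0"` in the first extractruleset hunk of ids-functions.pl works, but the module treats it as a boolean, so a plain `0` reads better. Since extraction runs unprivileged anyway, consider whether `$Archive::Tar::CHMOD` should be disabled in the same place so that file modes carried in a downloaded ruleset tarball are not applied to the rules directory either.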
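Review bot: in the merge branch of the second extractruleset hunk, the temporary file is appended directly after the existing content; if the first extracted rules file does not end with a newline, its last rule and the first rule of the next file are joined into one line that will not parse as a rule. Check whether `$destination` ends with "\n" (seek to the end and read the last byte) and print a newline before appending. Two smaller points: the loop reads `while () {` in this mail, which is an endless loop in Perl, so presumably `<TMPFILE>` was lost in rendering and the committed file should be double-checked; and the bareword handles and the `use File::Temp` inside the loop body would be cleaner as lexical `open(my $dest, ">>", ...)` handles with the `use` at the top of the file.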
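Review bot: the four ids.cgi hunks each guard `readhasharray` with `if (-e $IDS::ignored_file)`, and the show_mainpage hunk also fixes the path from `"$IDS::settingsdir/ignored"` to `$IDS::ignored_file`. Since the file is no longer pre-created (check_and_create_filelayout hunk), every other caller that reads it needs the same guard; making `General::readhasharray` return an empty hash for a missing file would fix this once instead of at every call site.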
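Review bot: the optionsfw.cgi hunk only sets display defaults in the WUI; whatever consumes these settings when the firewall rules are built needs to treat a missing key the same way (DROPSPOOFEDMARTIAN and LOGDROPCTINVALID on, DROPHOSTILE off), otherwise an upgraded system shows a protection as enabled that is not enforced until the user saves the form once. A comment pointing at where the backend default lives would make that coupling visible.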
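Review bot: the lfs/linux hunk applies the CVE-2022-0847 patch unconditionally after the architecture-specific block, which is right since the fix is in lib/iov_iter.c and not arch-specific. Two housekeeping points: the file sits in src/patches/ while the neighbouring amba patch lives under src/patches/linux/, and the fix is upstream as 9d2231c5d74e (named in the patch header) and included in the 5.15.25 stable release, so the `patch` line needs to go when the kernel is next bumped or the build will fail to apply it.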
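Review bot: in the new lfs/rtl8189fs file, `$(DL_FILE)_MD5` only checks that the download matches what was mirrored, and MD5 is not collision resistant, so an out-of-tree kernel module source should ideally be pinned with a stronger digest; VER pinning the upstream commit helps. The licence header reads "If not, see ." with the URL missing (probably lost as an angle-bracketed link), worth checking in the committed copy. The rest is a straight copy of lfs/rtl8812au (90% per the summary), including signing each module with the build's signing key before install, so the module stays loadable if module signature enforcement is on.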
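Review bot: the hw.c hunk roughly doubles the length of the command written into `char command[STRING_SIZE]`, and the `snprintf` return value is still not checked; if `backup_path` and `destination` are long enough to truncate, tar would run with a cut-off exclude option instead of the restore failing. Store the return value and bail out when it is `>= sizeof(command)`. Also confirm that `<destination>/var/ipfire/backup/exclude.user` exists in a freshly installed root before the backup is restored, since GNU tar treats a missing `--exclude-from` file as an error and the installer restore would then fail every time.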
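Review bot: the END block in the update-ids-ruleset hunk releases the lock on normal exit and on `die`, but not when the script is terminated by a signal (SIGTERM from the service manager, SIGINT from a terminal), because Perl does not run END blocks for uncaught signals; adding `$SIG{TERM} = $SIG{INT} = sub { exit 1 };` next to `$locked = "1"` turns those into a normal exit so the lock is still dropped. Minor: the comment says "set locket" (typo for locked), and `$locked = 1` reads more naturally than the string "1".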