* [git.ipfire.org] IPFire 2.x development tree branch, core164, updated. ead01caeb87f4eb56abb2fc63cea38ea74b16274
@ 2022-03-09 15:26 Michael Tremer
From: Michael Tremer @ 2022-03-09 15:26 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core164 has been updated
via ead01caeb87f4eb56abb2fc63cea38ea74b16274 (commit)
via e895c2de72a79feda5a653bf4fd569c36c2d94da (commit)
via de686e49e2a7c12c4b3c46931ecd9d9635565357 (commit)
via b69659af02d65f982a2d8fd443f02950593d28fe (commit)
via c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b (commit)
via 3f8e70f6b34ee085cb0a5ad22792e521cd867c1c (commit)
via ca1fdb69549b282c9c67b4cf385eda725ed1c366 (commit)
via fc717041c4b1af09c4345650ad4b346bb33ae216 (commit)
via 18f0991c353b9b96062d71a3237e5447231a467b (commit)
via dcacf03e80d714bd120a877d16a862ffce47dd26 (commit)
via 85b1d83b2a6fe2beb8169f3e810e915c4ad54036 (commit)
via da3611b2767298e3f300b12b6ae03958a193c871 (commit)
via 9106bfca42a86f9720c4e2f5d0d166832cac6454 (commit)
from 6e2c8f48182c169edb177526d7f639b0631d57cc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ead01caeb87f4eb56abb2fc63cea38ea74b16274
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Feb 27 09:16:21 2022 +0000
rtl8189fs: add realtek wlan driver
This chip is the successor of the rtl8189es. It looks like some boards have
silently switched to the new chip.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e895c2de72a79feda5a653bf4fd569c36c2d94da
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Mar 5 19:13:39 2022 +0100
optionsfw.cgi: Add default settings for newly added options.
If no settings for those features can be obtained from the settings
file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit de686e49e2a7c12c4b3c46931ecd9d9635565357
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 8 09:59:43 2022 +0000
linux: Fix for CVE-2022-0847 aka Dirty Pipe
https://dirtypipe.cm4all.com
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b69659af02d65f982a2d8fd443f02950593d28fe
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 7 18:53:09 2022 +0000
core164: Ship backup exclude file
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 4 10:41:30 2022 +0000
backup: Make include/exclude files relative
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3f8e70f6b34ee085cb0a5ad22792e521cd867c1c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 4 10:29:23 2022 +0000
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exclude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ca1fdb69549b282c9c67b4cf385eda725ed1c366
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 4 10:27:01 2022 +0000
backup: Exclude oinkmaster.conf
This file is a system configuration file and does not contain any
configuration from the user.
Since it can be overwritten in a backup and restored to an older state,
this can cause problems such as #12788.
Fixes: #12788
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit fc717041c4b1af09c4345650ad4b346bb33ae216
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 4 10:18:25 2022 +0000
backup: Abort when the backup could not be extracted
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 18f0991c353b9b96062d71a3237e5447231a467b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Mar 7 17:52:36 2022 +0100
ids.cgi: Only read-in ignored hosts, if the ignore file exists.
Otherwise the CGI will crash.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit dcacf03e80d714bd120a877d16a862ffce47dd26
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Mar 5 18:53:10 2022 +0100
ids-functions.pl: Do not create an empty ignored settings file.
The file will be created by the WUI, when adding the first host.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 85b1d83b2a6fe2beb8169f3e810e915c4ad54036
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Mar 3 05:49:43 2022 +0100
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations or if an error happened, the lock file could be
kept on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and releases it when
the script exits.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit da3611b2767298e3f300b12b6ae03958a193c871
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Mar 3 19:55:59 2022 +0100
ids-functions.pl: Do not try to chown files while extracting them.
We are almost running as an unprivileged user and therefore do not have
the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9106bfca42a86f9720c4e2f5d0d166832cac6454
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Mar 5 16:27:17 2022 +0100
ids-functions.pl: Merge same named rulefiles during extract.
In case a rules tarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/backup/backup.pl | 18 +++-
config/backup/exclude | 17 ++--
config/backup/include | 126 ++++++++++++++--------------
config/cfgroot/ids-functions.pl | 38 ++++++++-
config/rootfiles/core/164/filelists/files | 1 +
html/cgi-bin/ids.cgi | 8 +-
html/cgi-bin/optionsfw.cgi | 9 ++
lfs/linux | 3 +
lfs/{rtl8812au => rtl8189fs} | 13 ++-
make.sh | 1 +
src/installer/hw.c | 4 +-
src/patches/kernel-5.15-CVE-2022-0847.patch | 46 ++++++++++
src/patches/rtl8189fs/disable_debug.patch | 11 +++
src/scripts/update-ids-ruleset | 19 ++++-
14 files changed, 221 insertions(+), 93 deletions(-)
copy lfs/{rtl8812au => rtl8189fs} (90%)
create mode 100644 src/patches/kernel-5.15-CVE-2022-0847.patch
create mode 100644 src/patches/rtl8189fs/disable_debug.patch
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 63004491c..a2337cf23 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -39,7 +39,7 @@ process_includes() {
local file
while read -r file; do
for file in ${file}; do
- if [ -e "${file}" ]; then
+ if [ -e "/${file}" ]; then
echo "${file}"
fi
done
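Review bot: the existence test now checks "/${file}", but the unquoted `for file in ${file}` two lines above still expands wildcards relative to the current working directory. With the include entries made relative (etc/hosts*, var/ipfire/*/*.conf), a pattern only expands when the script runs with / as its working directory; otherwise the literal pattern is tested, fails -e, and the entry is silently dropped from the backup. Expand against / explicitly, for example iterate over /${file} and strip the leading slash before the echo, or cd / inside process_includes().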
@@ -58,7 +58,7 @@ make_backup() {
done
# Backup using global exclude/include definitions
- tar cvfz "${filename}" \
+ tar cvfz "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user" \
$(process_includes "/var/ipfire/backup/include") \
@@ -71,7 +71,13 @@ make_backup() {
restore_backup() {
local filename="${1}"
- tar xvzpf "${filename}" -C /
+ # Extract backup
+ if ! tar xvzpf "${filename}" -C / \
+ --exclude-from="/var/ipfire/backup/exclude" \
+ --exclude-from="/var/ipfire/backup/exclude.user"; then
+ echo "Could not extract backup" >&2
+ return 1
+ fi
# Restart syslogd, httpd and suricata in case we've just loaded old logs
apachectl -k graceful
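Review bot: both --exclude-from options in restore_backup() name files that must be readable, and tar exits non-zero when one is missing, which with the new check aborts the whole restore with only "Could not extract backup". If exclude.user can be absent, pass that option only when the file exists. A comment saying that the exclude lists applied are those of the running system, not the ones stored in the archive, would also help the next reader.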
@@ -202,7 +208,11 @@ restore_addon_backup() {
mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf"
fi
- tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /
+ # Extract backup
+ if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then
+ echo "Could not extract backup" >&2
+ return 1
+ fi
}
main() {
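Review bot: restore_addon_backup() still extracts into / without the two --exclude-from lists that restore_backup() now passes, so an add-on archive can overwrite files on the exclude list; add a comment if that is intended. The error text is identical to the one in restore_backup(); including ${name} would show which archive failed.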
diff --git a/config/backup/exclude b/config/backup/exclude
index 68c37de48..0131a87fd 100644
--- a/config/backup/exclude
+++ b/config/backup/exclude
@@ -1,9 +1,10 @@
-/etc/sysconfig/lm_sensors
-/etc/unbound/unbound.conf
+etc/sysconfig/lm_sensors
+etc/unbound/unbound.conf
*.tmp
-/var/ipfire/ethernet/settings
-/var/ipfire/firewall/bin/*
-/var/ipfire/ovpn/openssl/*
-/var/ipfire/proxy/calamaris/bin/*
-/var/ipfire/qos/bin/qos.pl
-/var/ipfire/urlfilter/blacklists/*/*.db
+var/ipfire/ethernet/settings
+var/ipfire/firewall/bin/*
+var/ipfire/ovpn/openssl/*
+var/ipfire/proxy/calamaris/bin/*
+var/ipfire/qos/bin/qos.pl
+var/ipfire/suricata/oinkmaster.conf
+var/ipfire/urlfilter/blacklists/*/*.db
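Review bot: only the shipped exclude list is converted to relative paths here; exclude.user and include.user, which backup.pl reads alongside it, are user-maintained and on existing systems will still hold absolute paths. With tar now run with -C / over relative member names, a user pattern with a leading slash may no longer match, so those exclusions would stop applying without any message. Either convert the .user files during the update or strip a leading slash when reading them, and document the new format.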
diff --git a/config/backup/include b/config/backup/include
index 3b96b1d62..809a49601 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -1,63 +1,63 @@
-/etc/conntrackd/conntrackd.conf
-/etc/group
-/etc/hosts*
-/etc/httpd/server.crt
-/etc/httpd/server.csr
-/etc/httpd/server-ecdsa.crt
-/etc/httpd/server-ecdsa.csr
-/etc/httpd/server-ecdsa.key
-/etc/httpd/server.key
-/etc/ipsec.user.*
-/etc/ipsec.user-post.conf
-/etc/logrotate.d
-/etc/passwd
-/etc/shadow
-/etc/ssh/sshd_config
-/etc/ssh/ssh_host*
-/etc/squid/squid.conf.local
-/etc/squid/squid.conf.pre.local
-/etc/sysconfig/*
-/etc/sysconfig/firewall.local
-/etc/sysconfig/rc.local
-/etc/unbound
-/root/.bash_history
-/root/.gitconfig
-/root/.ssh
-/var/ipfire/auth/users
-/var/ipfire/backup/addons/backup
-/var/ipfire/backup/exclude.user
-/var/ipfire/backup/include.user
-/var/ipfire/captive/*
-/var/ipfire/*/*.conf
-/var/ipfire/*/config
-/var/ipfire/dhcp/*
-/var/ipfire/dns
-/var/ipfire/dnsforward/*
-/var/ipfire/*/enable
-/var/ipfire/*/*enable*
-/var/ipfire/ethernet/aliases
-/var/ipfire/ethernet/wireless
-/var/ipfire/firewall
-/var/ipfire/fwhosts
-/var/ipfire/main/*
-/var/ipfire/ovpn
-/var/ipfire/ovpn/collectd.vpn
-/var/ipfire/*/*.pem
-/var/ipfire/ppp
-/var/ipfire/proxy
-/var/ipfire/qos/*
-/var/ipfire/qos/bin/qos.sh
-/var/ipfire/suricata/*.conf
-/var/ipfire/suricata/*.yaml
-/var/ipfire/suricata/providers-settings
-/var/ipfire/*/settings
-/var/ipfire/time/
-/var/ipfire/urlfilter
-/var/ipfire/vpn
-/var/lib/suricata
-/var/log/ip-acct/*
-/var/log/rrd/*
-/var/log/rrd/collectd
-/var/log/vnstat
-/var/tmp/idsrules-*.tar.gz
-/var/tmp/idsrules-*.rules
+etc/conntrackd/conntrackd.conf
+etc/group
+etc/hosts*
+etc/httpd/server.crt
+etc/httpd/server.csr
+etc/httpd/server-ecdsa.crt
+etc/httpd/server-ecdsa.csr
+etc/httpd/server-ecdsa.key
+etc/httpd/server.key
+etc/ipsec.user.*
+etc/ipsec.user-post.conf
+etc/logrotate.d
+etc/passwd
+etc/shadow
+etc/ssh/sshd_config
+etc/ssh/ssh_host*
+etc/squid/squid.conf.local
+etc/squid/squid.conf.pre.local
+etc/sysconfig/*
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/unbound
+root/.bash_history
+root/.gitconfig
+root/.ssh
+var/ipfire/auth/users
+var/ipfire/backup/addons/backup
+var/ipfire/backup/exclude.user
+var/ipfire/backup/include.user
+var/ipfire/captive/*
+var/ipfire/*/*.conf
+var/ipfire/*/config
+var/ipfire/dhcp/*
+var/ipfire/dns
+var/ipfire/dnsforward/*
+var/ipfire/*/enable
+var/ipfire/*/*enable*
+var/ipfire/ethernet/aliases
+var/ipfire/ethernet/wireless
+var/ipfire/firewall
+var/ipfire/fwhosts
+var/ipfire/main/*
+var/ipfire/ovpn
+var/ipfire/ovpn/collectd.vpn
+var/ipfire/*/*.pem
+var/ipfire/ppp
+var/ipfire/proxy
+var/ipfire/qos/*
+var/ipfire/qos/bin/qos.sh
+var/ipfire/suricata/*.conf
+var/ipfire/suricata/*.yaml
+var/ipfire/suricata/providers-settings
+var/ipfire/*/settings
+var/ipfire/time/
+var/ipfire/urlfilter
+var/ipfire/vpn
+var/lib/suricata
+var/log/ip-acct/*
+var/log/rrd/*
+var/log/rrd/collectd
+var/log/vnstat
+var/tmp/idsrules-*.tar.gz
+var/tmp/idsrules-*.rules
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 74d55def6..37dd42b03 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -153,7 +153,6 @@ sub check_and_create_filelayout() {
unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); }
unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); }
unless (-f "$providers_settings_file") { &create_empty_file($providers_settings_file); }
- unless (-f "$ignored_file") { &create_empty_file($ignored_file); }
unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); }
}
@@ -475,6 +474,9 @@ sub extractruleset ($) {
# Load perl module to deal with archives.
use Archive::Tar;
+ # Disable chown functionality when uncompressing files.
+ $Archive::Tar::CHOWN = "0";
+
# Load perl module to deal with files and path.
use File::Basename;
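Review bot: $Archive::Tar::CHOWN is a package-wide setting and is assigned here inside extractruleset(), so it stays changed for every later Archive::Tar use in the same process. `local $Archive::Tar::CHOWN = 0;` would limit it to this function, and a numeric 0 is clearer than the string "0".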
@@ -572,8 +574,38 @@ sub extractruleset ($) {
next;
}
- # Extract the file to the temporary directory.
- $tar->extract_file("$packed_file", "$destination");
+ # Check if the destination file exists.
+ unless(-e "$destination") {
+ # Extract the file to the temporary directory.
+ $tar->extract_file("$packed_file", "$destination");
+ } else {
+ # Load perl module to deal with temporary files.
+ use File::Temp;
+
+ # Generate temporary file name, located in the temporary rules directory and a suffix of ".tmp".
+ my $tmp = File::Temp->new( SUFFIX => ".tmp", DIR => "$tmp_rules_directory", UNLINK => 0 );
+ my $tmpfile = $tmp->filename();
+
+ # Extract the file to the new temporary file name.
+ $tar->extract_file("$packed_file", "$tmpfile");
+
+ # Open the the existing file.
+ open(DESTFILE, ">>", "$destination") or die "Could not open $destination. $!\n";
+ open(TMPFILE, "<", "$tmpfile") or die "Could not open $tmpfile. $!\n";
+
+ # Loop through the content of the temporary file.
+ while (<TMPFILE>) {
+ # Append the content line by line to the destination file.
+ print DESTFILE "$_";
+ }
+
+ # Close the file handles.
+ close(TMPFILE);
+ close(DESTFILE);
+
+ # Remove the temporary file.
+ unlink("$tmpfile");
+ }
}
}
}
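Review bot: in the else branch the append loop writes the second file's lines directly after the existing content, so if the file already at $destination does not end in a newline, the first appended rule is joined onto its last line and both rules are broken; write a "\n" first when needed. The return value of both $tar->extract_file calls is unchecked, and either die leaves the UNLINK => 0 temporary file behind in $tmp_rules_directory. Lexical filehandles (open(my $dest, ">>", ...)) would be preferable to the barewords DESTFILE and TMPFILE.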
diff --git a/config/rootfiles/core/164/filelists/files b/config/rootfiles/core/164/filelists/files
index 89118ae62..86921fca4 100644
--- a/config/rootfiles/core/164/filelists/files
+++ b/config/rootfiles/core/164/filelists/files
@@ -15,6 +15,7 @@ srv/web/ipfire/html/include/pakfire.js
usr/sbin/convert-ids-multiple-providers
usr/sbin/convert-snort
var/ipfire/backup/bin/backup.pl
+var/ipfire/backup/exclude
var/ipfire/backup/include
var/ipfire/graphs.pl
var/ipfire/ids-functions.pl
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 27e61e9bb..722715667 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -103,7 +103,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
# Read-in ignoredfile.
- &General::readhasharray($IDS::ignored_file, \%ignored);
+ &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
# Check if we should edit an existing entry and got an ID.
if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) {
@@ -165,7 +165,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
undef($cgiparams{'ID'});
# Read-in ignoredfile.
- &General::readhasharray($IDS::ignored_file, \%ignored);
+ &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
# Grab the configured status of the corresponding entry.
my $status = $ignored{$id}[2];
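Review bot: with the new guard, %ignored stays empty when the ignore file is missing, yet the next line reads $ignored{$id}[2] unconditionally, so $status is undef and the toggle continues on an entry that does not exist; return early when the ID is not in the hash. The same `if (-e $IDS::ignored_file)` guard is added at four call sites in this file; a small helper, or handling a missing file in one place, would keep them from diverging.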
@@ -199,7 +199,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
my %ignored = ();
# Read-in ignoredfile.
- &General::readhasharray($IDS::ignored_file, \%ignored);
+ &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
# Drop entry from the hash.
delete($ignored{$cgiparams{'ID'}});
@@ -1071,7 +1071,7 @@ sub show_mainpage() {
}
# Read-in ignored hosts.
- &General::readhasharray("$IDS::settingsdir/ignored", \%ignored);
+ &General::readhasharray("$IDS::ignored_file", \%ignored) if (-e $IDS::ignored_file);
$checked{'ENABLE_IDS'}{'off'} = '';
$checked{'ENABLE_IDS'}{'on'} = '';
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 5611b71b7..fbff67b2f 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -88,6 +88,15 @@ if (!$settings{'MASQUERADE_ORANGE'}) {
if (!$settings{'MASQUERADE_BLUE'}) {
$settings{'MASQUERADE_BLUE'} = 'on';
}
+if (!$settings{'DROPSPOOFEDMARTIAN'}) {
+ $settings{'DROPSPOOFEDMARTIAN'} = 'on';
+}
+if (!$settings{'DROPHOSTILE'}) {
+ $settings{'DROPHOSTILE'} = 'off';
+}
+if (!$settings{'LOGDROPCTINVALID'}) {
+ $settings{'LOGDROPCTINVALID'} = 'on';
+}
$checked{'DROPNEWNOTSYN'}{'off'} = '';
$checked{'DROPNEWNOTSYN'}{'on'} = '';
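Review bot: the three new defaults test for a false value rather than a missing key (as the MASQUERADE_* checks above do), and they only change the in-memory %settings; nothing in this hunk writes them back. If other code reads the settings file directly, it will still see these keys unset until the page is saved once, so DROPSPOOFEDMARTIAN and LOGDROPCTINVALID could be displayed as on here without being in effect. Please confirm, or write the defaults to the settings file as part of the update.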
diff --git a/lfs/linux b/lfs/linux
index 7a7236eab..0f8f2c184 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -141,6 +141,9 @@ ifeq "$(BUILD_ARCH)" "aarch64"
endif
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch
+ # Fix for CVE-2022-0847 aka Dirty Pipe
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/kernel-5.15-CVE-2022-0847.patch
+
ifeq "$(KCFG)" "-headers"
# Install the header files
cd $(DIR_APP) && make ARCH=$(HEADERS_ARCH) $(EXTRAMAKE) headers
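Review bot: the new patch is read from src/patches/ while the line above takes its patch from src/patches/linux/; keeping kernel patches in one directory makes them easier to find and to drop. The file name pins it to 5.15 but the rule applies it unconditionally, so a comment naming the upstream commit given in the patch header (9d2231c5d74e) and stating that the line must go once the kernel is updated past the fix would prevent a failing patch step later.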
diff --git a/lfs/rtl8189fs b/lfs/rtl8189fs
new file mode 100644
index 000000000..7a2b3dca0
--- /dev/null
+++ b/lfs/rtl8189fs
@@ -0,0 +1,95 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VERSUFIX = ipfire$(KCFG)
+MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/wlan
+
+VER = 3129a665f835ce0342f9a85a0ce14a556e656b8c
+
+THISAPP = rtl8189FS_linux-$(VER)
+DL_FILE = $(THISAPP).tar.xz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = f7c817e89403b8a84a664f326f47c7d7
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ $(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8189fs/disable_debug.patch
+ cd $(DIR_APP) && CONFIG_RTL8189FS=m make $(MAKETUNING) \
+ -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules
+
+ # Install the built kernel modules.
+ mkdir -p $(MODPATH)
+ cd $(DIR_APP) && for f in $$(ls *.ko); do \
+ /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \
+ /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \
+ /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \
+ $$f; \
+ xz $$f; \
+ install -m 644 $$f.xz $(MODPATH); \
+ done
+
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
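Review bot: the build step uses /lib/modules/$(KVER)-$(VERSUFIX)/build/, but sign-file and both signing_key paths are taken from /lib/modules/$$(uname -r)$(KCFG)/build/, that is, from the kernel running on the build host. If that differs from KVER, the modules are signed with a different key or the step fails; use the same $(KVER)-$(VERSUFIX) path in all three places. `for f in $$(ls *.ko)` can be written as `for f in *.ko`.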
diff --git a/make.sh b/make.sh
index 79798834a..6e84d8d1b 100755
--- a/make.sh
+++ b/make.sh
@@ -1181,6 +1181,7 @@ buildipfire() {
# multi kernel builds so KCFG is empty
lfsmake2 linux KCFG=""
lfsmake2 rtl8189es KCFG=""
+ lfsmake2 rtl8189fs KCFG=""
lfsmake2 rtl8812au KCFG=""
lfsmake2 rtl8822bu KCFG=""
lfsmake2 xradio KCFG=""
diff --git a/src/installer/hw.c b/src/installer/hw.c
index 17e0bbb01..5cba2a261 100644
--- a/src/installer/hw.c
+++ b/src/installer/hw.c
@@ -1204,7 +1204,9 @@ char* hw_find_backup_file(const char* output, const char* search_path) {
int hw_restore_backup(const char* output, const char* backup_path, const char* destination) {
char command[STRING_SIZE];
- snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s", backup_path, destination);
+ snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s "
+ "--exclude-from=%s/var/ipfire/backup/exclude --exclude-from=%s/var/ipfire/backup/exclude.user",
+ backup_path, destination, destination, destination);
int rc = mysystem(output, command);
if (rc)
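Review bot: the two --exclude-from paths are built under destination, and tar fails if either file is missing; on a freshly installed system exclude.user may not exist yet, in which case rc is non-zero and the restore is reported as failed. Check for the file before adding the option. backup_path and destination are also inserted into the command unquoted, and the longer format string makes truncation in command[STRING_SIZE] more likely, so check the snprintf return value before calling mysystem().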
diff --git a/src/patches/kernel-5.15-CVE-2022-0847.patch b/src/patches/kernel-5.15-CVE-2022-0847.patch
new file mode 100644
index 000000000..5279916c2
--- /dev/null
+++ b/src/patches/kernel-5.15-CVE-2022-0847.patch
@@ -0,0 +1,46 @@
+From 114e9f141822e6977633d322c1b03e89bd209932 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann(a)ionos.com>
+Date: Mon, 21 Feb 2022 11:03:13 +0100
+Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer
+
+commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream.
+
+The functions copy_page_to_iter_pipe() and push_pipe() can both
+allocate a new pipe_buffer, but the "flags" member initializer is
+missing.
+
+Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
+To: Alexander Viro <viro(a)zeniv.linux.org.uk>
+To: linux-fsdevel(a)vger.kernel.org
+To: linux-kernel(a)vger.kernel.org
+Cc: stable(a)vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
+Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
+---
+ lib/iov_iter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 60b5e6edfbaa..c5b2f0f4b8a8 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -416,6 +416,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
+ return 0;
+
+ buf->ops = &page_cache_pipe_buf_ops;
++ buf->flags = 0;
+ get_page(page);
+ buf->page = page;
+ buf->offset = offset;
+@@ -532,6 +533,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
+ break;
+
+ buf->ops = &default_pipe_buf_ops;
++ buf->flags = 0;
+ buf->page = page;
+ buf->offset = 0;
+ buf->len = min_t(ssize_t, left, PAGE_SIZE);
+--
+2.30.2
+
diff --git a/src/patches/rtl8189fs/disable_debug.patch b/src/patches/rtl8189fs/disable_debug.patch
new file mode 100644
index 000000000..d29c55e6c
--- /dev/null
+++ b/src/patches/rtl8189fs/disable_debug.patch
@@ -0,0 +1,11 @@
+diff -Naur rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/include/autoconf.h rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/include/autoconf.h
+--- rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c.org/include/autoconf.h 2021-10-01 14:51:56.000000000 +0000
++++ rtl8189FS_linux-3129a665f835ce0342f9a85a0ce14a556e656b8c/include/autoconf.h 2022-02-26 12:00:09.188965578 +0000
+@@ -224,7 +224,6 @@
+ /*
+ * Debug Related Config
+ */
+-#define CONFIG_DEBUG /* DBG_871X, etc... */
+
+ #ifdef CONFIG_DEBUG
+ #define DBG 1 // for ODM & BTCOEX debug
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset
index 10a270907..c2970d20b 100644
--- a/src/scripts/update-ids-ruleset
+++ b/src/scripts/update-ids-ruleset
@@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl';
require "${General::swroot}/ids-functions.pl";
require "${General::swroot}/lang.pl";
+# Variable to store if the process has written a lockfile.
+my $locked;
+
# Hash to store the configured providers.
my %providers = ();
@@ -77,6 +80,9 @@ if(&IDS::checkdiskspace()) {
# Lock the IDS page.
&IDS::lock_ids_page();
+# The script has requested a lock, so set locket to "1".
+$locked = "1";
+
# Grab the configured providers.
&General::readhasharray("$IDS::providers_settings_file", \%providers);
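Review bot: typo in the new comment, "locket" should be "locked". A numeric 1 reads better than the string "1" for a flag.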
@@ -114,13 +120,20 @@ foreach my $id (keys %providers) {
# Set correct ownership for the rulesdir and files.
&IDS::set_ownership("$IDS::rulespath");
-# Unlock the IDS page.
-&IDS::unlock_ids_page();
-
# Check if the IDS is running.
if(&IDS::ids_is_running()) {
# Call suricatactrl to perform a reload.
&IDS::call_suricatactrl("reload");
}
+# Custom END declaration to release a IDS page lock
+# when the script has created one.
+END {
+ # Check if a lock has been requested.
+ if ($locked) {
+ # Unlock the IDS page.
+ &IDS::unlock_ids_page();
+ }
+}
+
1;
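Review bot: an END block runs on normal exit and on die, but not when the process is terminated by an uncaught signal, so a SIGTERM or SIGINT during the update still leaves the IDS page locked; install handlers (for example $SIG{INT} and $SIG{TERM} that call exit) if that case should be covered. Moving the unlock into END also means the page now stays locked until after the call_suricatactrl("reload") step instead of being released before it; the commit message should say whether that is intended.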
hooks/post-receive
--
IPFire 2.x development tree