author Patrick J Volkerding <volkerdi@slackware.com>2022-04-06 20:23:46 +0000
committer Eric Hameleers <alien@slackware.com>2022-04-07 06:59:44 +0200
commitbfece22130a1673e30695d7c5e563b9eace2b915 (patch)
tree41979314035e2fd0ac8460dbb7bf4ed505ad7d51 /source/a/sysvinit-scripts
parentdc48df8960b47406124ff6c59af6d6bd54c60eb7 (diff)
Wed Apr 6 20:23:46 UTC 2022
a/haveged-1.9.17-x86_64-2.txz: Rebuilt. Install /etc/rc.d/rc.haveged as non-executable. For existing installations running a recent kernel, it is safe to turn this off. Back when we added the haveged package we were using the 4.4 kernel, but since Linux 5.4 this same entropy generating algorithm has been built into the kernel, so there's no reason to also run it in userspace. We'll keep the package around (for now, anyway) in case someone might be running an old kernel. Thanks to Jason A. Donenfeld. a/sysvinit-scripts-15.0-noarch-10.txz: Rebuilt. rc.S, rc.6: use the seedrng utility to seed and initialize the kernel random number generator and generate a new seed. If seedrng is missing, we'll attempt to do these things with scripting. Thanks to Jason A. Donenfeld for hints about how to make a modest improvement in that regard (blame me for any problems with my own changes), but because you can't force the kernel RNG to initialize with a script (it needs an ioctl), you won't get the same guarantees that you do when using the new seedrng utility. a/util-linux-2.38-x86_64-2.txz: Rebuilt. Added seedrng utility, used to seed and initialize the kernel random number generator and to generate new seeds for carrying entropy across reboots. Thanks to Jason A. Donenfeld. n/libmnl-1.0.5-x86_64-1.txz: Upgraded. n/libnfnetlink-1.0.2-x86_64-1.txz: Upgraded. xap/mozilla-thunderbird-91.8.0-x86_64-1.txz: Upgraded. This release contains security fixes and improvements. 
For more information, see: https://www.mozilla.org/en-US/thunderbird/91.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289 (* Security fix *)
Diffstat (limited to 'source/a/sysvinit-scripts')
-rw-r--r--source/a/sysvinit-scripts/scripts/rc.631
-rw-r--r--source/a/sysvinit-scripts/scripts/rc.S55
-rwxr-xr-xsource/a/sysvinit-scripts/sysvinit-scripts.SlackBuild4
3 files changed, 73 insertions, 17 deletions
diff --git a/source/a/sysvinit-scripts/scripts/rc.6 b/source/a/sysvinit-scripts/scripts/rc.6
index 383c5490b..1ebe12b69 100644
--- a/source/a/sysvinit-scripts/scripts/rc.6
+++ b/source/a/sysvinit-scripts/scripts/rc.6
@@ -218,15 +218,32 @@ if /bin/grep -q quota /etc/fstab ; then
fi
# Carry a random seed between reboots.
+# Doing this properly requires the seedrng utility.
if [ -z "$container" ]; then
- echo "Saving random seed from /dev/urandom in /etc/random-seed."
- # Use the pool size from /proc, or 4096 bits:
- if [ -r /proc/sys/kernel/random/poolsize ]; then
- /bin/dd if=/dev/urandom of=/etc/random-seed count=1 bs=$(expr $(cat /proc/sys/kernel/random/poolsize) / 8) 2> /dev/null
- else
- /bin/dd if=/dev/urandom of=/etc/random-seed count=1 bs=512 2> /dev/null
+ # Any old seed that exists here shall be deemed useless:
+ if [ -f /etc/random-seed ]; then
+ rm -f /etc/random-seed
+ fi
+ if [ -x /usr/sbin/seedrng ]; then
+ /usr/sbin/seedrng
+ else # we have to fall back on the old method:
+ # Make sure the new seed storage directory exists:
+ if [ ! -d /var/lib/seedrng ]; then
+ mkdir -p /var/lib/seedrng
+ chmod 700 /var/lib/seedrng
+ fi
+ echo "The SeedRNG utility was not found. Generating a non-creditable and"
+ echo "inferior RNG seed: /var/lib/seedrng/seed.no-credit"
+ # To get a seed that matches the pool size, we'll use dd. This assumes that
+ # by the time the machine was shut down that the kernel had generated nearly
+ # a full entropy pool, but there is no guarantee of this.
+ if [ -r /proc/sys/kernel/random/poolsize ]; then
+ /bin/dd if=/dev/urandom of=/var/lib/seedrng/seed.no-credit count=1 bs=$(expr $(cat /proc/sys/kernel/random/poolsize) / 8) 2> /dev/null
+ else
+ /bin/dd if=/dev/urandom of=/var/lib/seedrng/seed.no-credit count=1 bs=512 2> /dev/null
+ fi
+ /bin/chmod 400 /var/lib/seedrng/seed.no-credit
fi
- /bin/chmod 600 /etc/random-seed
fi
# Before unmounting file systems write a reboot or halt record to wtmp.
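Review bot: The fallback seed written by `/bin/dd if=/dev/urandom of=/var/lib/seedrng/seed.no-credit ...` is created with whatever umask rc.6 is running under and only tightened by the `/bin/chmod 400` a few lines later, so with a permissive umask the seed is briefly readable by other users; the rc.S hunk has the same write-then-chmod order on its `> /var/lib/seedrng/seed.no-credit` redirect. Running the write under a restrictive umask closes that window without changing anything else, e.g. `( umask 077; /bin/dd if=/dev/urandom of=/var/lib/seedrng/seed.no-credit count=1 bs=$(expr $(cat /proc/sys/kernel/random/poolsize) / 8) 2> /dev/null )` and the same wrapper on the `bs=512` branch, keeping the chmod afterwards. The `chmod 700 /var/lib/seedrng` only runs when this script creates the directory, so a pre-existing directory with looser permissions is not corrected here; whether the shutdown-time umask is already restrictive is not visible from the hunk. Separately, the `if [ -f /etc/random-seed ]; then rm -f ...; fi` guard is redundant with `rm -f` and could be the single line `rm -f /etc/random-seed`.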
diff --git a/source/a/sysvinit-scripts/scripts/rc.S b/source/a/sysvinit-scripts/scripts/rc.S
index 5dfa72c5c..c49140616 100644
--- a/source/a/sysvinit-scripts/scripts/rc.S
+++ b/source/a/sysvinit-scripts/scripts/rc.S
@@ -463,16 +463,55 @@ if [ -x /etc/rc.d/rc.serial -a -z "$container" ]; then
fi
# Carry an entropy pool between reboots to improve randomness.
+# To do this properly, we need to utilize the "seedrng" utility, since that
+# supports the ioctls in recent kernels that allow the RNG to be initialized
+# after seeding. Otherwise using the script methods that were previously
+# recommended in the kernel source, it could take a long time for entropy
+# written to /dev/urandom to actually add to the entropy, and the new seed
+# that's output immediately afterward might actually have less entropy. This
+# would only be an issue in case a power failure occured before a proper
+# shutdown, or if a proper shutdown happened before enough time had gone by
+# to generate good entropy. We'll favor using seedrng, but if it's missing
+# (shouldn't be) then we'll fall back on using the script method.
if [ -z "$container" ]; then
+ # Make sure the new seed storage directory exists:
+ if [ ! -d /var/lib/seedrng ]; then
+ mkdir -p /var/lib/seedrng
+ chmod 700 /var/lib/seedrng
+ fi
+ # If the old /etc/random-seed exists and no seedrng-generated seeds exist,
+ # then we might as well use it for non-creditable entropy:
if [ -f /etc/random-seed ]; then
- echo "Using /etc/random-seed to initialize /dev/urandom."
- cat /etc/random-seed > /dev/urandom
+ if ! /bin/ls /var/lib/seedrng/seed.* 1> /dev/null 2> /dev/null ; then
+ echo "Moving /etc/random-seed to /var/lib/seedrng/seed.no-credit."
+ mv /etc/random-seed /var/lib/seedrng/seed.no-credit
+ chmod 400 /var/lib/seedrng/seed.no-credit
+ fi
fi
- # Use the pool size from /proc, or 4096 bits:
- if [ -r /proc/sys/kernel/random/poolsize ]; then
- dd if=/dev/urandom of=/etc/random-seed count=1 bs=$(expr $(cat /proc/sys/kernel/random/poolsize) / 8) 2> /dev/null
- else
- dd if=/dev/urandom of=/etc/random-seed count=1 bs=512 2> /dev/null
+ # If we have the seedrng utility, we will use it to initialize the RNG:
+ if [ -x /usr/sbin/seedrng ]; then
+ /usr/sbin/seedrng
+ else # we have to fall back on the old method:
+ if ! /bin/ls /var/lib/seedrng/seed.* 1> /dev/null 2> /dev/null ; then
+ echo "WARNING: no usable RNG seed was found in /var/lib/seedrng."
+ else
+ echo "The SeedRNG utility was not found. Seeding the RNG with an inferior method."
+ SEED="$(cat /var/lib/seedrng/seed.* | base64)"
+ rm -f /var/lib/seedrng/seed.*
+ sync /var/lib/seedrng
+ echo "$SEED" | base64 -d > /dev/urandom
+ # The seed saved below isn't going to be as large as the pool size, but
+ # it would only be used if the power fails before a proper shutdown is
+ # done. Nevertheless we'll try to get a little entropy saved from our
+ # previous seed(s) plus some bits from /dev/urandom (which *might* have
+ # some additional entropy in it). It's probably better than nothing.
+ echo "Saving a new uncreditable seed: /var/lib/seedrng/seed.no-credit"
+ {
+ head -c 512 /dev/urandom
+ echo "$SEED" | base64 -d
+ } | sha256sum | cut -d ' ' -f 1 > /var/lib/seedrng/seed.no-credit
+ chmod 400 /var/lib/seedrng/seed.no-credit
+ unset SEED
+ fi
fi
- chmod 600 /etc/random-seed
fi
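Review bot: Seed presence is tested with `if ! /bin/ls /var/lib/seedrng/seed.* 1> /dev/null 2> /dev/null`, once in the /etc/random-seed migration check and again in the fallback branch, which forks ls and relies on the unmatched glob being passed through as a literal pattern for ls to fail on. A small shell-only helper defined once above this block keeps the meaning and removes the duplication: `have_seed() { for f in /var/lib/seedrng/seed.*; do [ -e "$f" ] && return 0; done; return 1; }`, with both tests becoming `if ! have_seed; then`. The new header comment also has a typo, "occured" should be "occurred". The `unset SEED` at the end of the fallback branch is good hygiene given the seed material is held in a shell variable; the whole `if [ -z "$container" ]` block is within the hunk.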
diff --git a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
index 090af12e5..17e0dd5ce 100755
--- a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
+++ b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2005-2018 Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2005-2022 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=sysvinit-scripts
VERSION=${VERSION:-15.0}
ARCH=noarch
-BUILD=${BUILD:-9}
+BUILD=${BUILD:-10}
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information