|
Message-ID: <20081023211628.GB7323@severus.strandboge.com>
Date: Thu, 23 Oct 2008 16:16:28 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: CVE request for ecryptfs
Hi,
While reviewing ecryptfs, I discovered an information disclosure
vulnerability in ecryptfs-setup-private and notified upstream. This
helper script was known as ecryptfs-setup-confidential in earlier
releases.
The problem arises when ecryptfs-setup-private invokes
ecryptfs-wrap-passphrase and ecryptfs-add-passphrase with command line
arguments that include the user's existing login password as well as the
newly created mount password. As a result, these passwords can be
snooped in the process table.
This script did not exist in ecryptfs before 45. The original script
(ecryptfs-setup-pam-wrapped.sh) referenced in [1] that formed the basis
for the scripts found in 45 is also vulnerable to this attack vector, so
anyone shipping any of these scripts is affected.
Upstream has fixed this in [2] (with a bugfix in [3]) by updating
ecryptfs-add-passphrase and ecryptfs-wrap-passphrase to accept passwords
on stdin, and adjusting ecryptfs-setup-private to use the builtin
'printf' function of the shell to pipe to these commands. The dash and
bash shells are known to contain the 'printf' builtin. It is my
understanding that upstream plans to release a new version incorporating
this fix soon.
I didn't see any distributions who have released with a vulnerable
version of ecryptfs (or ecryptfs-setup-pam-wrapped.sh). Debian and
Ubuntu [4] do have vulnerable versions in their development releases,
and our ecryptfs developer has contacted the Debian maintainer directly.
Thanks,
Jamie
[1] http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt
[2] http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=06de99afd53f03fe07eda0ad9d61ac6d5d4d9f53
[3] http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=0af27a5d514dc4bbc077f07cf33a5d5b362a9193
[4] https://launchpad.net/bugs/287908
--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.