Message-ID: <20081029152825.GF6977@severus.strandboge.com>
Date: Wed, 29 Oct 2008 10:28:25 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security@...ts.openwall.com
Cc: jamie@...onical.com, coley <coley@...re.org>
Subject: Re: CVE request for ecryptfs

On Wed, 29 Oct 2008, Tomas Hoger wrote:

> Hi Jamie!
> 
> On Thu, 23 Oct 2008 16:16:28 -0500 Jamie Strandboge
> <jamie@...onical.com> wrote:
> 
> > While reviewing ecryptfs, I discovered an information disclosure
> > vulnerability in ecryptfs-setup-private and notified upstream. This
> > helper script was known as ecryptfs-setup-confidential in earlier
> > releases.
> > 
> > The problem arises when ecryptfs-setup-private invokes
> > ecryptfs-wrap-passphrase and ecryptfs-add-passphrase with command line
> > arguments that include the user's existing login password as well as
> > the newly created mount password. As a result, these passwords can be
> > snooped in the process table.
> 
> Well the question is whether this should be worded as
> ecryptfs-setup-{private,confidential} issue, or more generic issue
> affecting various ecryptfs-* command line utilities, that only accept
> passwords as command line arguments (i.e. no interactive prompt).  So
> even though there's not ecryptfs-setup-* script to fix in older
> versions, steps done by ecryptfs-setup-* are likely to be performed by
> the user manually, resulting in the same risk of leak as with helper
> script.  Or do I miss anything?
> 

That's exactly right, which reminded me, documentation surrounding
ecryptfs also should be updated. I pinged upstream about it.

I was also notified of an additional commit that is desirable (a bugfix
for the patch to ecryptfs-setup-private):
http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=2c422e6d2549f90258cddeebf105b066b598bdbb

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
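The leak this thread describes (a password handed to a helper as a command-line argument, readable by any local user from the process table) and the stdin alternative, as an added example that is not part of the original mail or of ecryptfs-utils: it uses a hypothetical Python stub in place of ecryptfs-wrap-passphrase, a constructed sample password, and Linux /proc.

```python
import os
import subprocess
import sys

# Stand-in for a helper such as ecryptfs-wrap-passphrase (hypothetical, not
# the real tool): it blocks reading stdin so we can inspect it while it runs.
STUB = "import sys; sys.stdin.read()"

def cmdline_of(pid):
    """argv of a live process as /proc/<pid>/cmdline exposes it to every
    local user (the same view `ps` and `top` give)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().split(b"\0")

def processes_exposing(secret):
    """Defender's check: PIDs whose argv currently contains `secret`, i.e.
    exactly what a local snooper polling the process table would catch."""
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                if any(secret in arg for arg in cmdline_of(int(entry))):
                    hits.append(int(entry))
            except OSError:  # process exited between listdir and open
                pass
    return hits

def _run_and_inspect(argv_tail, stdin_bytes, secret):
    child = subprocess.Popen([sys.executable, "-c", STUB] + argv_tail,
                             stdin=subprocess.PIPE)
    try:
        return child.pid in processes_exposing(secret)
    finally:
        child.communicate(stdin_bytes)  # unblocks and reaps the child

def secret_on_argv(secret):
    """Vulnerable pattern from the advisory: password as a CLI argument.
    Returns True when the password is readable from the process table."""
    return _run_and_inspect([secret.decode()], b"", secret)

def secret_on_stdin(secret):
    """Safer pattern: hand the password over a pipe instead of argv.
    Returns True only if it leaked into the process table (it must not)."""
    return _run_and_inspect([], secret + b"\n", secret)

if __name__ == "__main__":
    pw = b"constructed-login-password"  # constructed sample, not a real secret
    print("argv :", "LEAKED" if secret_on_argv(pw) else "hidden")
    print("stdin:", "LEAKED" if secret_on_stdin(pw) else "hidden")
```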
