Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 21 Nov 2008 14:08:06 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org, Jamie Strandboge <jamie@...onical.com>
Subject: Re: CVE Request - ecryptfs-utils

On Tue, Nov 18, 2008 at 01:56:59PM +0100, Jan Lieskovsky wrote:
> Hello Steve,
> 
>   noticed, the following issue still lacks a separate CVE identifier:
> 
> References:
> http://secunia.com/Advisories/32382/
> http://www.openwall.com/lists/oss-security/2008/10/23/3
> http://www.openwall.com/lists/oss-security/2008/10/29/4
> http://www.openwall.com/lists/oss-security/2008/10/29/7
> 
> Upstream commits:
> 
> http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=06de99afd53f03fe07eda0ad9d61ac6d5d4d9f53
> http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=0af27a5d514dc4bbc077f07cf33a5d5b362a9193

This last commit is still bad, it uses

printf "$PASSPHRASE..." stuff instead of printf "%s" "$PASSPHRASE..." 

So you can program format exploits in shell...
http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=blob;f=src/utils/ecryptfs-setup-private;h=7780a4e43983dee18fd5e08318b41bccd57a7298;hb=HEAD

is the current version and looks better.

This script (ecryptfs-setup-private) btw allows passing passphrases on the
commandline too. *sigh*

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.