Date: Thu, 23 Oct 2008 16:16:28 -0500 From: Jamie Strandboge <jamie@...onical.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: CVE request for ecryptfs Hi, While reviewing ecryptfs, I discovered an information disclosure vulnerability in ecryptfs-setup-private and notified upstream. This helper script was known as ecryptfs-setup-confidential in earlier releases. The problem arises when ecryptfs-setup-private invokes ecryptfs-wrap-passphrase and ecryptfs-add-passphrase with command line arguments that include the user's existing login password as well as the newly created mount password. As a result, these passwords can be snooped in the process table. This script did not exist in ecryptfs before 45. The original script (ecryptfs-setup-pam-wrapped.sh) referenced in  that formed the basis for the scripts found in 45 is also vulnerable to this attack vector, so anyone shipping any of these scripts is affected. Upstream has fixed this in  (with a bugfix in ) by updating ecryptfs-add-passphrase and ecryptfs-wrap-passphrase to accept passwords on stdin, and adjusting ecryptfs-setup-private to use the builtin 'printf' function of the shell to pipe to these commands. The dash and bash shells are known to contain the 'printf' builtin. It is my understanding that upstream plans to release a new version incorporating this fix soon. I didn't see any distributions who have released with a vulnerable version of ecryptfs (or ecryptfs-setup-pam-wrapped.sh). Debian and Ubuntu  do have vulnerable versions in their development releases, and our ecryptfs developer has contacted the Debian maintainer directly. Thanks, Jamie  http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt  http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=06de99afd53f03fe07eda0ad9d61ac6d5d4d9f53  http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=0af27a5d514dc4bbc077f07cf33a5d5b362a9193  https://launchpad.net/bugs/287908 -- Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/ Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.