From 88dca2c647235f454207e56fc0f0bc3c3036ba0f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Aug 11 2011 10:02:54 +0000 Subject: security fixes: privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) race condition when checking source during mount (CVE-2011-1833) mtab corruption via improper handling (CVE-2011-1834) key poisoning via insecure temp directory handling (CVE-2011-1835) information disclosure via recovery mount in /tmp (CVE-2011-1836) arbitrary file overwrite via lock counter race (CVE-2011-1837) --- diff --git a/.gitignore b/.gitignore index 5f8bf70..e927580 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ ecryptfs-mount-private.png /ecryptfs-utils_85.orig.tar.gz /ecryptfs-utils_86.orig.tar.gz /ecryptfs-utils_87.orig.tar.gz +/ecryptfs-utils_90.orig.tar.gz diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch index f02992b..fddf477 100644 --- a/ecryptfs-utils-75-werror.patch +++ b/ecryptfs-utils-75-werror.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c ---- ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2011-02-25 17:04:05.760026778 +0100 -+++ ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2011-02-25 17:04:05.841024970 +0100 +diff -up ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c +--- ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2011-08-11 10:26:55.453235671 +0200 ++++ ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2011-08-11 10:26:55.471235788 +0200 @@ -86,7 +86,7 @@ static int ecryptfs_pkcs11h_deserialize( pkcs11h_data->serialized_id = NULL; } 
@@ -150,9 +150,9 @@ diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror e subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo); -diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c ---- ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror 2010-12-17 18:34:04.000000000 +0100 -+++ ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c 2011-02-25 17:04:05.843024925 +0100 +diff -up ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c +--- ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror 2010-12-17 18:34:04.000000000 +0100 ++++ ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c 2011-08-11 10:26:55.472235795 +0200 @@ -146,7 +146,7 @@ int ecryptfs_parse_stat(struct ecryptfs_ if (buf_size < (ECRYPTFS_FILE_SIZE_BYTES + MAGIC_ECRYPTFS_MARKER_SIZE_BYTES @@ -162,9 +162,9 @@ diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils "bytes; there are only [%zu] bytes\n", __FUNCTION__, (ECRYPTFS_FILE_SIZE_BYTES + MAGIC_ECRYPTFS_MARKER_SIZE_BYTES -diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror 2011-02-06 03:44:30.000000000 +0100 -+++ ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c 2011-02-25 17:10:08.898668231 +0100 +diff -up ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror 2011-02-06 03:44:30.000000000 +0100 ++++ ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-11 10:26:55.472235795 +0200 @@ -39,35 +39,11 @@ #include #include 
@@ -261,9 +261,9 @@ diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils goto out; } saved_uid = geteuid(); -diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs.c ---- ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror 2010-12-17 18:34:04.000000000 +0100 -+++ ecryptfs-utils-86/src/utils/mount.ecryptfs.c 2011-02-25 17:04:05.857024613 +0100 +diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs.c +--- ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror 2011-08-11 10:26:55.468235767 +0200 ++++ ecryptfs-utils-90/src/utils/mount.ecryptfs.c 2011-08-11 10:26:55.473235801 +0200 @@ -461,7 +461,7 @@ static int ecryptfs_do_mount(int argc, c { int rc; @@ -282,9 +282,9 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/s if (!(temp = strdup("ecryptfs_unlink_sigs"))) { rc = -ENOMEM; goto out; -diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror 2011-02-25 17:04:05.802025842 +0100 -+++ ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c 2011-02-25 17:04:05.859024569 +0100 +diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c +--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror 2011-08-11 10:26:55.461235723 +0200 ++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-11 10:27:23.264417014 +0200 @@ -95,7 +95,6 @@ int read_config(char *pw_dir, int uid, c *s = strdup(e->mnt_fsname); if (!*s) 
@@ -293,9 +293,18 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-ut return 0; } -diff -up ecryptfs-utils-86/src/utils/test.c.werror ecryptfs-utils-86/src/utils/test.c ---- ecryptfs-utils-86/src/utils/test.c.werror 2010-12-17 18:34:04.000000000 +0100 -+++ ecryptfs-utils-86/src/utils/test.c 2011-02-25 17:04:05.860024547 +0100 +@@ -300,7 +299,7 @@ int update_mtab(char *dev, char *mnt, ch + goto fail_early; + } + +- while (old_ent = getmntent(old_mtab)) { ++ while ((old_ent = getmntent(old_mtab))) { + if (addmntent(new_mtab, old_ent) != 0) { + perror("addmntent"); + goto fail; +diff -up ecryptfs-utils-90/src/utils/test.c.werror ecryptfs-utils-90/src/utils/test.c +--- ecryptfs-utils-90/src/utils/test.c.werror 2010-12-17 18:34:04.000000000 +0100 ++++ ecryptfs-utils-90/src/utils/test.c 2011-08-11 10:26:55.474235807 +0200 @@ -281,7 +281,7 @@ int ecryptfs_encrypt_page(int page_cache struct inode *lower_inode; struct ecryptfs_crypt_stat *crypt_stat; diff --git a/ecryptfs-utils-87-mtab.patch b/ecryptfs-utils-87-mtab.patch index 01e8f2c..1e819f5 100644 --- a/ecryptfs-utils-87-mtab.patch +++ b/ecryptfs-utils-87-mtab.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/libecryptfs/main.c ---- ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix 2011-03-09 14:30:32.000000000 +0100 -+++ ecryptfs-utils-87/src/libecryptfs/main.c 2011-07-11 14:10:40.525812683 +0200 +diff -up ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix ecryptfs-utils-90/src/libecryptfs/main.c +--- ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix 2011-02-22 18:35:26.000000000 +0100 ++++ ecryptfs-utils-90/src/libecryptfs/main.c 2011-08-11 10:24:24.274245958 +0200 @@ -382,6 +382,7 @@ out: int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts) 
@@ -38,26 +38,4 @@ diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/ rc = -EIO; syslog(LOG_ERR, "Failed to write to the mount " "table\n"); -diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix 2011-07-11 13:53:36.942438496 +0200 -+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-07-11 13:53:36.954438583 +0200 -@@ -219,9 +219,18 @@ int check_ownerships(int uid, char *path - - - int update_mtab(char *dev, char *mnt, char *opt) { --/* Update /etc/mtab with new mount entry. -+/* Update /etc/mtab with new mount entry unless it is a symbolic link - * Return 0 on success, 1 on failure. - */ -+ char dummy; -+ int useMtab; -+ /* Check if mtab is a symlink */ -+ useMtab = (readlink("/etc/mtab", &dummy, 1) < 0); -+ if (!useMtab) { -+ /* No need updating mtab */ -+ return 0; -+ } -+ - FILE *fh; - struct mntent m; - fh = setmntent("/etc/mtab", "a"); +diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 7ffcc3e..91356df 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -4,8 +4,8 @@ %global _sbindir /sbin Name: ecryptfs-utils -Version: 87 -Release: 9%{?dist} +Version: 90 +Release: 1%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ @@ -205,6 +205,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/%{name}/ecryptfs-mount-private.desktop %{_datadir}/%{name}/ecryptfs-mount-private.png %{_datadir}/%{name}/ecryptfs-setup-private.desktop +%{_datadir}/%{name}/ecryptfs-find %{_mandir}/man1/ecryptfs-add-passphrase.1.gz %{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz %{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz 
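Review bot: The mtab patch hunk (`@@ -38,26 +38,4 @@`) drops the downstream guard in update_mtab() that returned 0 without touching the file when `readlink("/etc/mtab", &dummy, 1)` showed /etc/mtab to be a symbolic link, and nothing visible in this commit replaces it. The werror patch refreshed in the same commit shows the 90 version of update_mtab() copying entries from `old_mtab` into `new_mtab`, so upstream has presumably rewritten the function as part of the CVE-2011-1834 fix. Please confirm that the rewritten code still leaves a symlinked /etc/mtab alone, and say so in the changelog entry; otherwise rebase the guard onto 90. The hunk also leaves a bare `diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.mtabfix ...` header with no body at the end of the patch file, which should be deleted if the guard is not carried forward.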
@@ -245,6 +246,15 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Thu Aug 11 2011 Michal Hlavinka - 90-1 +- security fixes: +- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) +- race condition when checking source during mount (CVE-2011-1833) +- mtab corruption via improper handling (CVE-2011-1834) +- key poisoning via insecure temp directory handling (CVE-2011-1835) +- information disclosure via recovery mount in /tmp (CVE-2011-1836) +- arbitrary file overwrite via lock counter race (CVE-2011-1837) + * Tue Aug 09 2011 Michal Hlavinka - 87-9 - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early diff --git a/sources b/sources index 8f77056..c36fcea 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ e612ddb9ccb17f8fec79df26e626a8c6 ecryptfs-mount-private.png -b3e4ec1c70b3c57bd289b327363c39f6 ecryptfs-utils_87.orig.tar.gz +a81621fb2f7ab4b81f9bffc020b181e2 ecryptfs-utils_90.orig.tar.gz