[ecryptfs-utils] security fixes: privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) r

Michal Hlavinka mhlavink at fedoraproject.org
Thu Aug 11 10:03:10 UTC 2011


commit 88dca2c647235f454207e56fc0f0bc3c3036ba0f
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Thu Aug 11 12:02:54 2011 +0200

    security fixes:
    privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)
    race condition when checking source during mount (CVE-2011-1833)
    mtab corruption via improper handling (CVE-2011-1834)
    key poisoning via insecure temp directory handling (CVE-2011-1835)
    information disclosure via recovery mount in /tmp (CVE-2011-1836)
    arbitrary file overwrite via lock counter race (CVE-2011-1837)

 .gitignore                     |    1 +
 ecryptfs-utils-75-werror.patch |   45 ++++++++++++++++++++++++----------------
 ecryptfs-utils-87-mtab.patch   |   30 +++-----------------------
 ecryptfs-utils.spec            |   14 ++++++++++-
 sources                        |    2 +-
 5 files changed, 45 insertions(+), 47 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 5f8bf70..e927580 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ ecryptfs-mount-private.png
 /ecryptfs-utils_85.orig.tar.gz
 /ecryptfs-utils_86.orig.tar.gz
 /ecryptfs-utils_87.orig.tar.gz
+/ecryptfs-utils_90.orig.tar.gz
diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch
index f02992b..fddf477 100644
--- a/ecryptfs-utils-75-werror.patch
+++ b/ecryptfs-utils-75-werror.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
---- ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror	2011-02-25 17:04:05.760026778 +0100
-+++ ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2011-02-25 17:04:05.841024970 +0100
+diff -up ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
+--- ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror	2011-08-11 10:26:55.453235671 +0200
++++ ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2011-08-11 10:26:55.471235788 +0200
 @@ -86,7 +86,7 @@ static int ecryptfs_pkcs11h_deserialize(
  		pkcs11h_data->serialized_id = NULL;
  	}
@@ -150,9 +150,9 @@ diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror e
  
  	subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
  
-diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c
---- ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror	2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c	2011-02-25 17:04:05.843024925 +0100
+diff -up ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c
+--- ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror	2010-12-17 18:34:04.000000000 +0100
++++ ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c	2011-08-11 10:26:55.472235795 +0200
 @@ -146,7 +146,7 @@ int ecryptfs_parse_stat(struct ecryptfs_
  	if (buf_size < (ECRYPTFS_FILE_SIZE_BYTES
  			+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
@@ -162,9 +162,9 @@ diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils
  		       "bytes; there are only [%zu] bytes\n", __FUNCTION__,
  		       (ECRYPTFS_FILE_SIZE_BYTES
  			+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
-diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror	2011-02-06 03:44:30.000000000 +0100
-+++ ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c	2011-02-25 17:10:08.898668231 +0100
+diff -up ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror	2011-02-06 03:44:30.000000000 +0100
++++ ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c	2011-08-11 10:26:55.472235795 +0200
 @@ -39,35 +39,11 @@
  #include <sys/stat.h>
  #include <fcntl.h>
@@ -261,9 +261,9 @@ diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  		goto out;
  	}
  	saved_uid = geteuid();
-diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs.c
---- ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror	2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/utils/mount.ecryptfs.c	2011-02-25 17:04:05.857024613 +0100
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror	2011-08-11 10:26:55.468235767 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs.c	2011-08-11 10:26:55.473235801 +0200
 @@ -461,7 +461,7 @@ static int ecryptfs_do_mount(int argc, c
  {
  	int rc;
@@ -282,9 +282,9 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/s
  	if (!(temp = strdup("ecryptfs_unlink_sigs"))) {
  		rc = -ENOMEM;
  		goto out;
-diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror	2011-02-25 17:04:05.802025842 +0100
-+++ ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c	2011-02-25 17:04:05.859024569 +0100
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror	2011-08-11 10:26:55.461235723 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c	2011-08-11 10:27:23.264417014 +0200
 @@ -95,7 +95,6 @@ int read_config(char *pw_dir, int uid, c
  	*s = strdup(e->mnt_fsname);
  	if (!*s)
@@ -293,9 +293,18 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-ut
  	return 0;
  }
  
-diff -up ecryptfs-utils-86/src/utils/test.c.werror ecryptfs-utils-86/src/utils/test.c
---- ecryptfs-utils-86/src/utils/test.c.werror	2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/utils/test.c	2011-02-25 17:04:05.860024547 +0100
+@@ -300,7 +299,7 @@ int update_mtab(char *dev, char *mnt, ch
+ 		goto fail_early;
+ 	}
+ 
+-	while (old_ent = getmntent(old_mtab)) {
++	while ((old_ent = getmntent(old_mtab))) {
+ 		if (addmntent(new_mtab, old_ent) != 0) {
+ 			perror("addmntent");
+ 			goto fail;
+diff -up ecryptfs-utils-90/src/utils/test.c.werror ecryptfs-utils-90/src/utils/test.c
+--- ecryptfs-utils-90/src/utils/test.c.werror	2010-12-17 18:34:04.000000000 +0100
++++ ecryptfs-utils-90/src/utils/test.c	2011-08-11 10:26:55.474235807 +0200
 @@ -281,7 +281,7 @@ int ecryptfs_encrypt_page(int page_cache
  	struct inode *lower_inode;
  	struct ecryptfs_crypt_stat *crypt_stat;
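Review bot: The added `while ((old_ent = getmntent(old_mtab))) {` in update_mtab silences the parentheses warning, but an explicit comparison states the intent more clearly: `while ((old_ent = getmntent(old_mtab)) != NULL) {`. The loop also terminates the same way on end-of-file and on a read or parse failure, so a short read of the old table would presumably produce a truncated copy. The rest of update_mtab lies outside this hunk, so it cannot be confirmed from here whether the stream's error state is checked after the loop. Because this code rewrites the mount table from a privileged mount helper, a comment above the loop saying how a partial read is handled would help.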
diff --git a/ecryptfs-utils-87-mtab.patch b/ecryptfs-utils-87-mtab.patch
index 01e8f2c..1e819f5 100644
--- a/ecryptfs-utils-87-mtab.patch
+++ b/ecryptfs-utils-87-mtab.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/libecryptfs/main.c
---- ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix	2011-03-09 14:30:32.000000000 +0100
-+++ ecryptfs-utils-87/src/libecryptfs/main.c	2011-07-11 14:10:40.525812683 +0200
+diff -up ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix ecryptfs-utils-90/src/libecryptfs/main.c
+--- ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix	2011-02-22 18:35:26.000000000 +0100
++++ ecryptfs-utils-90/src/libecryptfs/main.c	2011-08-11 10:24:24.274245958 +0200
 @@ -382,6 +382,7 @@ out:
  
  int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts)
@@ -38,26 +38,4 @@ diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/
  		rc = -EIO;
  		syslog(LOG_ERR, "Failed to write to the mount "
  		       "table\n");
-diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix	2011-07-11 13:53:36.942438496 +0200
-+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c	2011-07-11 13:53:36.954438583 +0200
-@@ -219,9 +219,18 @@ int check_ownerships(int uid, char *path
- 
- 
- int update_mtab(char *dev, char *mnt, char *opt) {
--/* Update /etc/mtab with new mount entry.
-+/* Update /etc/mtab with new mount entry unless it is a symbolic link
-  * Return 0 on success, 1 on failure.
-  */
-+	char dummy;
-+	int useMtab;
-+	/* Check if mtab is a symlink */
-+	useMtab = (readlink("/etc/mtab", &dummy, 1) < 0);
-+	if (!useMtab) {
-+		/* No need updating mtab */
-+		return 0;
-+	}
-+
- 	FILE *fh;
- 	struct mntent m;
- 	fh = setmntent("/etc/mtab", "a");
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
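Review bot: The one line this hunk adds to ecryptfs-utils-87-mtab.patch, `diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.mtabfix ...`, is a file header with no `---`/`+++` lines or hunk after it, so it should be dropped along with the section it used to introduce. That removed section carried the guard `useMtab = (readlink("/etc/mtab", &dummy, 1) < 0);`, which skipped the update when /etc/mtab is a symbolic link, and nothing visible in this commit replaces it. Judging from the context lines in the werror patch, the version 90 update_mtab appears to copy entries from the old table into a new one. It should be confirmed that this handles a symlinked /etc/mtab without replacing the link or failing the mount; the upstream source is not shown on this page.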
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 7ffcc3e..91356df 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -4,8 +4,8 @@
 %global _sbindir /sbin
 
 Name: ecryptfs-utils
-Version: 87
-Release: 9%{?dist}
+Version: 90
+Release: 1%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
@@ -205,6 +205,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/%{name}/ecryptfs-mount-private.desktop
 %{_datadir}/%{name}/ecryptfs-mount-private.png
 %{_datadir}/%{name}/ecryptfs-setup-private.desktop
+%{_datadir}/%{name}/ecryptfs-find
 %{_mandir}/man1/ecryptfs-add-passphrase.1.gz
 %{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz
 %{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz
@@ -245,6 +246,15 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Thu Aug 11 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-1
+- security fixes:
+- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)
+- race condition when checking source during mount (CVE-2011-1833)
+- mtab corruption via improper handling (CVE-2011-1834)
+- key poisoning via insecure temp directory handling (CVE-2011-1835)
+- information disclosure via recovery mount in /tmp (CVE-2011-1836)
+- arbitrary file overwrite via lock counter race (CVE-2011-1837)
+
 * Tue Aug 09 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-9
 - improve logging messages of ecryptfs pam module
 - keep own copy of passphrase, pam clears it too early
diff --git a/sources b/sources
index 8f77056..c36fcea 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 e612ddb9ccb17f8fec79df26e626a8c6  ecryptfs-mount-private.png
-b3e4ec1c70b3c57bd289b327363c39f6  ecryptfs-utils_87.orig.tar.gz
+a81621fb2f7ab4b81f9bffc020b181e2  ecryptfs-utils_90.orig.tar.gz

