[ecryptfs-utils] security fixes: privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) r
Michal Hlavinka
mhlavink at fedoraproject.org
Thu Aug 11 10:03:10 UTC 2011
commit 88dca2c647235f454207e56fc0f0bc3c3036ba0f
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Thu Aug 11 12:02:54 2011 +0200
security fixes:
privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)
race condition when checking source during mount (CVE-2011-1833)
mtab corruption via improper handling (CVE-2011-1834)
key poisoning via insecure temp directory handling (CVE-2011-1835)
information disclosure via recovery mount in /tmp (CVE-2011-1836)
arbitrary file overwrite via lock counter race (CVE-2011-1837)
.gitignore | 1 +
ecryptfs-utils-75-werror.patch | 45 ++++++++++++++++++++++++----------------
ecryptfs-utils-87-mtab.patch | 30 +++-----------------------
ecryptfs-utils.spec | 14 ++++++++++-
sources | 2 +-
5 files changed, 45 insertions(+), 47 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 5f8bf70..e927580 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ ecryptfs-mount-private.png
/ecryptfs-utils_85.orig.tar.gz
/ecryptfs-utils_86.orig.tar.gz
/ecryptfs-utils_87.orig.tar.gz
+/ecryptfs-utils_90.orig.tar.gz
diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch
index f02992b..fddf477 100644
--- a/ecryptfs-utils-75-werror.patch
+++ b/ecryptfs-utils-75-werror.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
---- ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2011-02-25 17:04:05.760026778 +0100
-+++ ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2011-02-25 17:04:05.841024970 +0100
+diff -up ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
+--- ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2011-08-11 10:26:55.453235671 +0200
++++ ecryptfs-utils-90/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2011-08-11 10:26:55.471235788 +0200
@@ -86,7 +86,7 @@ static int ecryptfs_pkcs11h_deserialize(
pkcs11h_data->serialized_id = NULL;
}
@@ -150,9 +150,9 @@ diff -up ecryptfs-utils-86/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror e
subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
-diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c
---- ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror 2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c 2011-02-25 17:04:05.843024925 +0100
+diff -up ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c
+--- ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c.werror 2010-12-17 18:34:04.000000000 +0100
++++ ecryptfs-utils-90/src/libecryptfs/ecryptfs-stat.c 2011-08-11 10:26:55.472235795 +0200
@@ -146,7 +146,7 @@ int ecryptfs_parse_stat(struct ecryptfs_
if (buf_size < (ECRYPTFS_FILE_SIZE_BYTES
+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
@@ -162,9 +162,9 @@ diff -up ecryptfs-utils-86/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils
"bytes; there are only [%zu] bytes\n", __FUNCTION__,
(ECRYPTFS_FILE_SIZE_BYTES
+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
-diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror 2011-02-06 03:44:30.000000000 +0100
-+++ ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c 2011-02-25 17:10:08.898668231 +0100
+diff -up ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c.werror 2011-02-06 03:44:30.000000000 +0100
++++ ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-11 10:26:55.472235795 +0200
@@ -39,35 +39,11 @@
#include <sys/stat.h>
#include <fcntl.h>
@@ -261,9 +261,9 @@ diff -up ecryptfs-utils-86/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
goto out;
}
saved_uid = geteuid();
-diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs.c
---- ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror 2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/utils/mount.ecryptfs.c 2011-02-25 17:04:05.857024613 +0100
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs.c.werror 2011-08-11 10:26:55.468235767 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs.c 2011-08-11 10:26:55.473235801 +0200
@@ -461,7 +461,7 @@ static int ecryptfs_do_mount(int argc, c
{
int rc;
@@ -282,9 +282,9 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-86/s
if (!(temp = strdup("ecryptfs_unlink_sigs"))) {
rc = -ENOMEM;
goto out;
-diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror 2011-02-25 17:04:05.802025842 +0100
-+++ ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c 2011-02-25 17:04:05.859024569 +0100
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.werror 2011-08-11 10:26:55.461235723 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-11 10:27:23.264417014 +0200
@@ -95,7 +95,6 @@ int read_config(char *pw_dir, int uid, c
*s = strdup(e->mnt_fsname);
if (!*s)
@@ -293,9 +293,18 @@ diff -up ecryptfs-utils-86/src/utils/mount.ecryptfs_private.c.werror ecryptfs-ut
return 0;
}
-diff -up ecryptfs-utils-86/src/utils/test.c.werror ecryptfs-utils-86/src/utils/test.c
---- ecryptfs-utils-86/src/utils/test.c.werror 2010-12-17 18:34:04.000000000 +0100
-+++ ecryptfs-utils-86/src/utils/test.c 2011-02-25 17:04:05.860024547 +0100
+@@ -300,7 +299,7 @@ int update_mtab(char *dev, char *mnt, ch
+ goto fail_early;
+ }
+
+- while (old_ent = getmntent(old_mtab)) {
++ while ((old_ent = getmntent(old_mtab))) {
+ if (addmntent(new_mtab, old_ent) != 0) {
+ perror("addmntent");
+ goto fail;
+diff -up ecryptfs-utils-90/src/utils/test.c.werror ecryptfs-utils-90/src/utils/test.c
+--- ecryptfs-utils-90/src/utils/test.c.werror 2010-12-17 18:34:04.000000000 +0100
++++ ecryptfs-utils-90/src/utils/test.c 2011-08-11 10:26:55.474235807 +0200
@@ -281,7 +281,7 @@ int ecryptfs_encrypt_page(int page_cache
struct inode *lower_inode;
struct ecryptfs_crypt_stat *crypt_stat;
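Review bot: The new inner hunk for update_mtab (`while ((old_ent = getmntent(old_mtab)))`) only silences the parentheses warning, and the loop it touches still treats every NULL from getmntent() as end of file, so a read error on the old table would look like a complete copy. The code after the loop lies outside this hunk; if it does not already check, consider adding `if (ferror(old_mtab)) goto fail;` before the new table replaces the old one. This function rewrites the system mount table, the area the commit message ties to CVE-2011-1834, so it should never commit a partial copy. The warning fix itself would be better sent upstream than carried in a local -Werror patch.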
diff --git a/ecryptfs-utils-87-mtab.patch b/ecryptfs-utils-87-mtab.patch
index 01e8f2c..1e819f5 100644
--- a/ecryptfs-utils-87-mtab.patch
+++ b/ecryptfs-utils-87-mtab.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/libecryptfs/main.c
---- ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix 2011-03-09 14:30:32.000000000 +0100
-+++ ecryptfs-utils-87/src/libecryptfs/main.c 2011-07-11 14:10:40.525812683 +0200
+diff -up ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix ecryptfs-utils-90/src/libecryptfs/main.c
+--- ecryptfs-utils-90/src/libecryptfs/main.c.mtabfix 2011-02-22 18:35:26.000000000 +0100
++++ ecryptfs-utils-90/src/libecryptfs/main.c 2011-08-11 10:24:24.274245958 +0200
@@ -382,6 +382,7 @@ out:
int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts)
@@ -38,26 +38,4 @@ diff -up ecryptfs-utils-87/src/libecryptfs/main.c.mtabfix ecryptfs-utils-87/src/
rc = -EIO;
syslog(LOG_ERR, "Failed to write to the mount "
"table\n");
-diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.mtabfix 2011-07-11 13:53:36.942438496 +0200
-+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-07-11 13:53:36.954438583 +0200
-@@ -219,9 +219,18 @@ int check_ownerships(int uid, char *path
-
-
- int update_mtab(char *dev, char *mnt, char *opt) {
--/* Update /etc/mtab with new mount entry.
-+/* Update /etc/mtab with new mount entry unless it is a symbolic link
- * Return 0 on success, 1 on failure.
- */
-+ char dummy;
-+ int useMtab;
-+ /* Check if mtab is a symlink */
-+ useMtab = (readlink("/etc/mtab", &dummy, 1) < 0);
-+ if (!useMtab) {
-+ /* No need updating mtab */
-+ return 0;
-+ }
-+
- FILE *fh;
- struct mntent m;
- fh = setmntent("/etc/mtab", "a");
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.mtabfix ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
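Review bot: The last added line leaves `ecryptfs-utils-87-mtab.patch` ending in a bare `diff -up … mount.ecryptfs_private.c.mtabfix` header with no `---`/`+++` lines or hunk after it, so either drop that line or restore a hunk under it. The section removed here was the only visible place that skipped the rewrite when `/etc/mtab` is a symbolic link (`useMtab = (readlink("/etc/mtab", &dummy, 1) < 0);`). Presumably it was dropped because update_mtab changed in release 90, but nothing on this page shows the new update_mtab handling a symlinked `/etc/mtab`, and that should be confirmed. Whatever the outcome, record the reason for dropping the check in the spec changelog.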
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 7ffcc3e..91356df 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -4,8 +4,8 @@
%global _sbindir /sbin
Name: ecryptfs-utils
-Version: 87
-Release: 9%{?dist}
+Version: 90
+Release: 1%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -205,6 +205,7 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/%{name}/ecryptfs-mount-private.desktop
%{_datadir}/%{name}/ecryptfs-mount-private.png
%{_datadir}/%{name}/ecryptfs-setup-private.desktop
+%{_datadir}/%{name}/ecryptfs-find
%{_mandir}/man1/ecryptfs-add-passphrase.1.gz
%{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz
%{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz
@@ -245,6 +246,15 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/ecryptfs-utils/_libecryptfs.so
%changelog
+* Thu Aug 11 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-1
+- security fixes:
+- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)
+- race condition when checking source during mount (CVE-2011-1833)
+- mtab corruption via improper handling (CVE-2011-1834)
+- key poisoning via insecure temp directory handling (CVE-2011-1835)
+- information disclosure via recovery mount in /tmp (CVE-2011-1836)
+- arbitrary file overwrite via lock counter race (CVE-2011-1837)
+
* Tue Aug 09 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-9
- improve logging messages of ecryptfs pam module
- keep own copy of passphrase, pam clears it too early
diff --git a/sources b/sources
index 8f77056..c36fcea 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
e612ddb9ccb17f8fec79df26e626a8c6 ecryptfs-mount-private.png
-b3e4ec1c70b3c57bd289b327363c39f6 ecryptfs-utils_87.orig.tar.gz
+a81621fb2f7ab4b81f9bffc020b181e2 ecryptfs-utils_90.orig.tar.gz