[ecryptfs-utils] set the group id in mount.ecryptfs_private (CVE-2011-3145)
Michal Hlavinka
mhlavink at fedoraproject.org
Wed Aug 31 10:21:15 UTC 2011
commit 25e9385b786e1876f2c08bebb94c504a7768534c
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Wed Aug 31 12:20:59 2011 +0200
set the group id in mount.ecryptfs_private (CVE-2011-3145)
ecryptfs-utils-87-autoload.patch | 29 ++++++++---
ecryptfs-utils-90-CVE-2011-3145.patch | 86 +++++++++++++++++++++++++++++++++
ecryptfs-utils.spec | 34 ++++++++-----
3 files changed, 127 insertions(+), 22 deletions(-)
---
diff --git a/ecryptfs-utils-87-autoload.patch b/ecryptfs-utils-87-autoload.patch
index bb2229e..344c9be 100644
--- a/ecryptfs-utils-87-autoload.patch
+++ b/ecryptfs-utils-87-autoload.patch
@@ -1,18 +1,31 @@
-diff -up ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-87/src/utils/ecryptfs-setup-private
---- ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload 2011-05-26 15:03:03.716014960 +0200
-+++ ecryptfs-utils-87/src/utils/ecryptfs-setup-private 2011-05-26 15:03:03.676014684 +0200
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-mount-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload 2011-08-31 12:06:39.561319897 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-mount-private 2011-08-31 12:06:39.589319941 +0200
+@@ -33,6 +33,9 @@ if /sbin/mount.ecryptfs_private >/dev/nu
+ exit 0
+ fi
+
++#load kernel module if it's missing, FNE support check would fail otherwise
++[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
++
+ # Otherwise, interactively prompt for the user's password
+ if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then
+ tries=0
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-setup-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload 2011-08-10 15:35:11.000000000 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-setup-private 2011-08-31 12:04:57.344158953 +0200
@@ -101,6 +101,7 @@ random_passphrase () {
}
filename_encryption_available() {
-+ [ ! -e /sys/fs/ecryptfs/version ] && ! lsmod | grep -q ecryptfs && /sbin/mount.ecryptfs_private --loadmodule
++ [ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
[ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')"
[ $(($version & 0x100)) -eq 0 ] && return 1
-diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload 2011-05-26 13:35:41.364468265 +0200
-+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-05-26 13:39:34.887345368 +0200
-@@ -387,6 +387,13 @@ int main(int argc, char *argv[]) {
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload 2011-08-31 12:00:46.109786923 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:00:46.116786934 +0200
+@@ -484,6 +484,13 @@ int main(int argc, char *argv[]) {
char *sig, *sig_fnek;
FILE *fh_counter = NULL;
diff --git a/ecryptfs-utils-90-CVE-2011-3145.patch b/ecryptfs-utils-90-CVE-2011-3145.patch
new file mode 100644
index 0000000..0c9e3cd
--- /dev/null
+++ b/ecryptfs-utils-90-CVE-2011-3145.patch
@@ -0,0 +1,86 @@
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 2011-08-31 12:08:26.479493949 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:10:09.014666213 +0200
+@@ -274,12 +274,14 @@ int update_mtab(char *dev, char *mnt, ch
+ int fd;
+ FILE *old_mtab, *new_mtab;
+ struct mntent *old_ent, new_ent;
++ mode_t old_umask;
+
+ /* Make an attempt to play nice with other mount helpers
+ * by creating an /etc/mtab~ lock file. Of course this
+ * only works if those other helpers actually check for
+ * this.
+ */
++ old_umask = umask(033);
+ fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644);
+ if (fd < 0) {
+ perror("open");
+@@ -332,6 +334,8 @@ int update_mtab(char *dev, char *mnt, ch
+
+ unlink("/etc/mtab~");
+
++ umask(old_umask);
++
+ return 0;
+
+ fail:
+@@ -341,6 +345,7 @@ fail_late:
+ fail_early:
+ endmntent(old_mtab);
+ unlink("/etc/mtab~");
++ umask(old_umask);
+ return 1;
+ }
+
+@@ -476,7 +481,7 @@ int zero(FILE *fh) {
+ * c) updating /etc/mtab
+ */
+ int main(int argc, char *argv[]) {
+- int uid, mounting;
++ int uid, gid, mounting;
+ int force = 0;
+ struct passwd *pwd;
+ char *alias, *src, *dest, *opt, *opts2;
+@@ -491,6 +496,7 @@ int main(int argc, char *argv[]) {
+ }
+
+ uid = getuid();
++ gid = getgid();
+ /* Non-privileged effective uid is sufficient for all but the code
+ * that mounts, unmounts, and updates /etc/mtab.
+ * Run at a lower privilege until we need it.
+@@ -618,7 +624,14 @@ int main(int argc, char *argv[]) {
+ * the real uid to be that of the user.
+ * And we need the effective uid to be root in order to mount.
+ */
+- setreuid(-1, 0);
++ if (setreuid(-1, 0) < 0) {
++ perror("setreuid");
++ goto fail;
++ }
++ if (setregid(-1, 0) < 0) {
++ perror("setregid");
++ goto fail;
++ }
+ /* Perform mount */
+ if (mount(src, ".", FSTYPE, 0, opt) == 0) {
+ if (update_mtab(src, dest, opt) != 0) {
+@@ -630,6 +643,9 @@ int main(int argc, char *argv[]) {
+ if (setreuid(uid, uid) < 0) {
+ perror("setreuid");
+ }
++ if (setregid(gid, gid) < 0) {
++ perror("setregid");
++ }
+ goto fail;
+ }
+ } else {
+@@ -665,6 +681,7 @@ int main(int argc, char *argv[]) {
+ * Do not use the umount.ecryptfs helper (-i).
+ */
+ setresuid(0,0,0);
++ setresgid(0,0,0);
+
+ /* Since we're doing a lazy unmount anyway, just unmount the current
+ * directory. This avoids a lot of complexity in dealing with race
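Review bot: In the hunk at `@@ -630,6 +643,9 @@` the mount-failure path drops the user id with `setreuid(uid, uid)` before the new `setregid(gid, gid)`; the group should be reset first, since once the effective uid is no longer root the later setregid only succeeds because `gid` happens to be the process's real gid, so the safer order is `if (setregid(gid, gid) < 0) perror("setregid");` followed by `if (setreuid(uid, uid) < 0) perror("setreuid");`. In the unmount branch at `@@ -665,6 +681,7 @@` both `setresuid(0,0,0)` and the added `setresgid(0,0,0)` are unchecked, whereas the mount branch now checks `setreuid`/`setregid` and goes to `fail` on error; checking them the same way would keep the two privilege transitions consistent. In update_mtab the new `umask(033)` is taken before the `/etc/mtab~` open, but the body of the `if (fd < 0)` branch continues outside the hunk; if that branch returns directly rather than reaching `fail_early`, the caller's umask is not restored on that path and a `umask(old_umask);` is needed there too. update_mtab and main both start and end outside these hunks.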
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 91356df..b17d650 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
Name: ecryptfs-utils
Version: 90
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -47,22 +47,24 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch
# allow building with -Werror
Patch999: ecryptfs-utils-75-werror.patch
+Patch13: ecryptfs-utils-90-CVE-2011-3145.patch
+
# using return after fork() in pam module has some nasty side effects, rhbz#722445
-Patch13: ecryptfs-utils-87-fixpamfork.patch
+Patch14: ecryptfs-utils-87-fixpamfork.patch
# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution
-Patch14: ecryptfs-utils-87-fixexecgid.patch
+Patch15: ecryptfs-utils-87-fixexecgid.patch
# do not use zombie process, it causes lock ups at least for ssh login
-Patch15: ecryptfs-utils-87-nozombies.patch
+Patch16: ecryptfs-utils-87-nozombies.patch
# if we do not use zombies, we have to store passphrase in pam_data and init keyring later
-Patch16: ecryptfs-utils-87-pamdata.patch
+Patch17: ecryptfs-utils-87-pamdata.patch
-# patch16 needs propper const on some places
-Patch17: ecryptfs-utils-87-fixconst.patch
+# patch17 needs propper const on some places
+Patch18: ecryptfs-utils-87-fixconst.patch
-Patch18: ecryptfs-utils-87-syslog.patch
+Patch19: ecryptfs-utils-87-syslog.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
@@ -112,12 +114,13 @@ the interface supplied by the ecryptfs-utils library.
%patch11 -p1 -b .authconfig
%patch12 -p1 -b .memcpyfix
%patch999 -p1 -b .werror
-%patch13 -p1 -b .fixpamfork
-%patch14 -p1 -b .fixexecgid
-%patch15 -p1 -b .nozombies
-%patch16 -p1 -b .pamdata
-%patch17 -p1 -b .fixconst
-%patch18 -p1 -b .syslog
+%patch13 -p1 -b .CVE-2011-3145
+%patch14 -p1 -b .fixpamfork
+%patch15 -p1 -b .fixexecgid
+%patch16 -p1 -b .nozombies
+%patch17 -p1 -b .pamdata
+%patch18 -p1 -b .fixconst
+%patch19 -p1 -b .syslog
%build
export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -246,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/ecryptfs-utils/_libecryptfs.so
%changelog
+* Wed Aug 31 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-2
+- set the group id in mount.ecryptfs_private (CVE-2011-3145)
+
* Thu Aug 11 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-1
- security fixes:
- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)