[ecryptfs-utils/f16] set the group id in mount.ecryptfs_private (CVE-2011-3145)

Michal Hlavinka mhlavink at fedoraproject.org
Wed Aug 31 10:45:26 UTC 2011


commit 2b73ffeeb8c2cb5b17d44aa8a436acf3a03f2c94
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Wed Aug 31 12:45:12 2011 +0200

    set the group id in mount.ecryptfs_private (CVE-2011-3145)

 ecryptfs-utils-87-autoload.patch      |   29 ++++++++---
 ecryptfs-utils-90-CVE-2011-3145.patch |   86 +++++++++++++++++++++++++++++++++
 ecryptfs-utils.spec                   |   34 ++++++++-----
 3 files changed, 127 insertions(+), 22 deletions(-)
---
diff --git a/ecryptfs-utils-87-autoload.patch b/ecryptfs-utils-87-autoload.patch
index bb2229e..344c9be 100644
--- a/ecryptfs-utils-87-autoload.patch
+++ b/ecryptfs-utils-87-autoload.patch
@@ -1,18 +1,31 @@
-diff -up ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-87/src/utils/ecryptfs-setup-private
---- ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload	2011-05-26 15:03:03.716014960 +0200
-+++ ecryptfs-utils-87/src/utils/ecryptfs-setup-private	2011-05-26 15:03:03.676014684 +0200
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-mount-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload	2011-08-31 12:06:39.561319897 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-mount-private	2011-08-31 12:06:39.589319941 +0200
+@@ -33,6 +33,9 @@ if /sbin/mount.ecryptfs_private >/dev/nu
+ 	exit 0
+ fi
+ 
++#load kernel module if it's missing, FNE support check would fail otherwise
++[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
++
+ # Otherwise, interactively prompt for the user's password
+ if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then
+ 	tries=0
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-setup-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload	2011-08-10 15:35:11.000000000 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-setup-private	2011-08-31 12:04:57.344158953 +0200
 @@ -101,6 +101,7 @@ random_passphrase () {
  }
  
  filename_encryption_available() {
-+	[ ! -e /sys/fs/ecryptfs/version ] && ! lsmod | grep -q ecryptfs && /sbin/mount.ecryptfs_private --loadmodule
++	[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
  	version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
  	[ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')"
  	[ $(($version & 0x100)) -eq 0 ] && return 1
-diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload	2011-05-26 13:35:41.364468265 +0200
-+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c	2011-05-26 13:39:34.887345368 +0200
-@@ -387,6 +387,13 @@ int main(int argc, char *argv[]) {
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload	2011-08-31 12:00:46.109786923 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c	2011-08-31 12:00:46.116786934 +0200
+@@ -484,6 +484,13 @@ int main(int argc, char *argv[]) {
  	char *sig, *sig_fnek;
  	FILE *fh_counter = NULL;
  
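Review bot: `modinfo` is called by bare name in both added shell lines (the top-level check in ecryptfs-mount-private and the one inside filename_encryption_available in ecryptfs-setup-private), while the helper that follows it is spelled `/sbin/mount.ecryptfs_private`. Because its output goes to /dev/null, a caller whose PATH lacks the directory holding modinfo (likely /sbin on this distribution) would skip `--loadmodule` silently. The only symptom would then be the later "Cannot get ecryptfs version" error or a failed FNE check. Consider the absolute path, e.g. `[ ! -e /sys/fs/ecryptfs/version ] && /sbin/modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule`, which also keeps command resolution independent of the invoking user's environment.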
diff --git a/ecryptfs-utils-90-CVE-2011-3145.patch b/ecryptfs-utils-90-CVE-2011-3145.patch
new file mode 100644
index 0000000..0c9e3cd
--- /dev/null
+++ b/ecryptfs-utils-90-CVE-2011-3145.patch
@@ -0,0 +1,86 @@
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145	2011-08-31 12:08:26.479493949 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c	2011-08-31 12:10:09.014666213 +0200
+@@ -274,12 +274,14 @@ int update_mtab(char *dev, char *mnt, ch
+ 	int fd;
+ 	FILE *old_mtab, *new_mtab;
+ 	struct mntent *old_ent, new_ent;
++	mode_t old_umask;
+ 
+ 	/* Make an attempt to play nice with other mount helpers
+ 	 * by creating an /etc/mtab~ lock file. Of course this
+ 	 * only works if those other helpers actually check for
+ 	 * this.
+ 	 */
++	old_umask = umask(033);
+ 	fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644);
+ 	if (fd < 0) {
+ 		perror("open");
+@@ -332,6 +334,8 @@ int update_mtab(char *dev, char *mnt, ch
+ 
+ 	unlink("/etc/mtab~");
+ 
++	umask(old_umask);
++
+ 	return 0;
+ 
+ fail:
+@@ -341,6 +345,7 @@ fail_late:
+ fail_early:
+ 	endmntent(old_mtab);
+ 	unlink("/etc/mtab~");
++	umask(old_umask);
+ 	return 1;
+ }
+ 
+@@ -476,7 +481,7 @@ int zero(FILE *fh) {
+  *  c) updating /etc/mtab
+  */
+ int main(int argc, char *argv[]) {
+-	int uid, mounting;
++	int uid, gid, mounting;
+ 	int force = 0;
+ 	struct passwd *pwd;
+ 	char *alias, *src, *dest, *opt, *opts2;
+@@ -491,6 +496,7 @@ int main(int argc, char *argv[]) {
+ 	}
+ 	
+ 	uid = getuid();
++	gid = getgid();
+ 	/* Non-privileged effective uid is sufficient for all but the code
+  	 * that mounts, unmounts, and updates /etc/mtab.
+ 	 * Run at a lower privilege until we need it.
+@@ -618,7 +624,14 @@ int main(int argc, char *argv[]) {
+ 		 * the real uid to be that of the user.
+ 		 * And we need the effective uid to be root in order to mount.
+ 		 */
+-		setreuid(-1, 0);
++		if (setreuid(-1, 0) < 0) {
++			perror("setreuid");
++			goto fail;
++		}
++		if (setregid(-1, 0) < 0) {
++			perror("setregid");
++			goto fail;
++		}
+  		/* Perform mount */
+ 		if (mount(src, ".", FSTYPE, 0, opt) == 0) {
+ 			if (update_mtab(src, dest, opt) != 0) {
+@@ -630,6 +643,9 @@ int main(int argc, char *argv[]) {
+ 			if (setreuid(uid, uid) < 0) {
+ 				perror("setreuid");
+ 			}
++			if (setregid(gid, gid) < 0) {
++				perror("setregid");
++			}
+ 			goto fail;
+ 		}
+ 	} else {
+@@ -665,6 +681,7 @@ int main(int argc, char *argv[]) {
+ 		 * Do not use the umount.ecryptfs helper (-i).
+  		 */
+ 		setresuid(0,0,0);
++		setresgid(0,0,0);
+ 
+ 		/* Since we're doing a lazy unmount anyway, just unmount the current
+ 		 * directory. This avoids a lot of complexity in dealing with race
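Review bot: The unmount path calls `setresuid(0,0,0);` and the newly added `setresgid(0,0,0);` without checking either result, while the mount path in this same patch now tests `setreuid`/`setregid` and bails out on failure. If the group change failed, the unmount would proceed with the caller's group id, which appears to be the condition this fix targets. Suggest `if (setresuid(0,0,0) < 0 || setresgid(0,0,0) < 0) { perror("setresuid/setresgid"); goto fail; }`. On the mount-failure path the patch restores the uid before the gid; the conventional order when relinquishing privilege is group first (`setregid(gid, gid)` then `setreuid(uid, uid)`), so the gid call never depends on what is still permitted after root is gone. Separately, if the `open("/etc/mtab~", ...)` failure branch in update_mtab returns directly (its body is outside the hunk), `umask(old_umask)` is not reached on that path. main() and update_mtab both extend beyond the embedded hunks.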
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 91356df..b17d650 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
 
 Name: ecryptfs-utils
 Version: 90
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
@@ -47,22 +47,24 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch
 # allow building with -Werror
 Patch999: ecryptfs-utils-75-werror.patch
 
+Patch13: ecryptfs-utils-90-CVE-2011-3145.patch
+
 # using return after fork() in pam module has some nasty side effects, rhbz#722445
-Patch13: ecryptfs-utils-87-fixpamfork.patch
+Patch14: ecryptfs-utils-87-fixpamfork.patch
 
 # we need gid==ecryptfs in pam module before mount.ecryptfs_private execution
-Patch14: ecryptfs-utils-87-fixexecgid.patch
+Patch15: ecryptfs-utils-87-fixexecgid.patch
 
 # do not use zombie process, it causes lock ups at least for ssh login
-Patch15: ecryptfs-utils-87-nozombies.patch
+Patch16: ecryptfs-utils-87-nozombies.patch
 
 # if we do not use zombies, we have to store passphrase in pam_data and init keyring later
-Patch16: ecryptfs-utils-87-pamdata.patch
+Patch17: ecryptfs-utils-87-pamdata.patch
 
-# patch16 needs propper const on some places
-Patch17: ecryptfs-utils-87-fixconst.patch
+# patch17 needs propper const on some places
+Patch18: ecryptfs-utils-87-fixconst.patch
 
-Patch18: ecryptfs-utils-87-syslog.patch
+Patch19: ecryptfs-utils-87-syslog.patch
 
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
@@ -112,12 +114,13 @@ the interface supplied by the ecryptfs-utils library.
 %patch11 -p1 -b .authconfig
 %patch12 -p1 -b .memcpyfix
 %patch999 -p1 -b .werror
-%patch13 -p1 -b .fixpamfork
-%patch14 -p1 -b .fixexecgid
-%patch15 -p1 -b .nozombies
-%patch16 -p1 -b .pamdata
-%patch17 -p1 -b .fixconst
-%patch18 -p1 -b .syslog
+%patch13 -p1 -b .CVE-2011-3145
+%patch14 -p1 -b .fixpamfork
+%patch15 -p1 -b .fixexecgid
+%patch16 -p1 -b .nozombies
+%patch17 -p1 -b .pamdata
+%patch18 -p1 -b .fixconst
+%patch19 -p1 -b .syslog
 
 %build
 export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -246,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Wed Aug 31 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-2
+- set the group id in mount.ecryptfs_private (CVE-2011-3145)
+
 * Thu Aug 11 2011 Michal Hlavinka <mhlavink at redhat.com> - 90-1
 - security fixes:
 - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)

