Hello community, here is the log from the commit of package ecryptfs-utils for openSUSE:11.3 checked in at Thu Aug 11 21:00:25 CEST 2011. -------- --- old-versions/11.3/all/ecryptfs-utils/ecryptfs-utils.changes 2010-04-10 17:40:48.000000000 +0200 +++ 11.3/ecryptfs-utils/ecryptfs-utils.changes 2011-08-11 18:11:43.000000000 +0200 @@ -1,0 +2,13 @@ +Thu Aug 11 18:11:21 CEST 2011 - meissner@suse.de + +- Various security fixes (bnc#709771) + CVE-2011-1831 - Race condition when checking mountpoint during mount. + CVE-2011-1832 - Race condition when checking mountpoint during unmount. + CVE-2011-1833 - Race condition when checking source during mount. + CVE-2011-1834 - Improper mtab handling allowing corruption due to resource + limits, signals, etc. + CVE-2011-1835 - Key poisoning in ecryptfs-setup-private due to insecure temp + directory. + CVE-2011-1837 - Predictable lock counter name and associated races. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/ecryptfs-utils Destination is old-versions/11.3/UPDATES/all/ecryptfs-utils calling whatdependson for 11.3-i586 New: ---- CVE-2011-1831,1832,1834.patch CVE-2011-1833.patch CVE-2011-1835.patch CVE-2011-1837.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ecryptfs-utils.spec ++++++ --- /var/tmp/diff_new_pack.EXY4Jh/_old 2011-08-11 20:59:47.000000000 +0200 +++ /var/tmp/diff_new_pack.EXY4Jh/_new 2011-08-11 20:59:47.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package ecryptfs-utils (Version 83) +# spec file for package ecryptfs-utils # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -25,9 +25,13 @@ AutoReqProv: on Summary: Userspace Utilities for ecryptfs Version: 83 -Release: 2 +Release: 3.<RELEASE2> Source0: http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%versi... Source1: baselibs.conf +Patch0: CVE-2011-1831,1832,1834.patch +Patch1: CVE-2011-1833.patch +Patch2: CVE-2011-1835.patch +Patch3: CVE-2011-1837.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gtk2-devel intltool keyutils-devel keyutils-libs libgcrypt-devel mozilla-nss-devel openssl-devel pam-devel pkcs11-helper-devel python-devel trousers-devel BuildRequires: update-desktop-files @@ -47,6 +51,10 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" ++++++ CVE-2011-1831,1832,1834.patch ++++++ Description: fix privilege escalation via mountpoint race conditions Author: Dan Rosenberg Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628 Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c =================================================================== --- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c +++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c 
@@ -152,6 +152,47 @@ char *fetch_sig(char *pw_dir, int entry) return sig; } +int check_ownership_mnt(int uid, char **mnt) { +/* Check ownership of mount point, chdir into it, and + * canonicalize the path for use in mtab updating. + * Return 0 if everything is in order, 1 on error. + */ + struct stat s; + char *cwd; + + /* From here on, we'll refer to "." as our mountpoint, to avoid + * races. + */ + if (chdir(*mnt) != 0) { + fputs("Cannot chdir into mountpoint.\n", stderr); + return 1; + } + if (stat(".", &s) != 0) { + fputs("Cannot examine mountpoint.\n", stderr); + return 1; + } + if (!S_ISDIR(s.st_mode)) { + fputs("Mountpoint is not a directory.\n", stderr); + return 1; + } + if (s.st_uid != uid) { + fputs("You do not own that mountpoint.\n", stderr); + return 1; + } + + /* Canonicalize our pathname based on the current directory to + * avoid races. + */ + cwd = getcwd(NULL, 0); + if (!cwd) { + fputs("Failed to get current directory\n", stderr); + return 1; + } + *mnt = cwd; + return 0; +} + + int check_ownerships(int uid, char *path) { /* Check ownership of device and mount point. * Return 0 if everything is in order, 1 on error. 
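Review bot: The header comment of `check_ownership_mnt` does not say that on success `*mnt` is overwritten with a buffer allocated by `getcwd(NULL, 0)`, so the caller's previous pointer is dropped without being freed and the caller now owns the new one. The process cwd also stays changed on every path after the `chdir`, including the error returns. I would extend the comment with something like `On success *mnt is replaced by a malloc'd canonical path (caller frees) and the cwd is the mountpoint.` Separately, `s.st_uid != uid` compares a `uid_t` with an `int`; declaring the parameter as `uid_t uid` would avoid the signed/unsigned comparison.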
@@ -177,31 +218,77 @@ int update_mtab(char *dev, char *mnt, ch /* Update /etc/mtab with new mount entry. * Return 0 on success, 1 on failure. */ - FILE *fh; - struct mntent m; - fh = setmntent("/etc/mtab", "a"); - if (fh == NULL) { + int fd; + FILE *old_mtab, *new_mtab; + struct mntent *old_ent, new_ent; + + /* Make an attempt to play nice with other mount helpers + * by creating an /etc/mtab~ lock file. Of course this + * only works if those other helpers actually check for + * this. + */ + fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644); + if (fd < 0) { + perror("open"); + return 1; + } + close(fd); + + old_mtab = setmntent("/etc/mtab", "r"); + if (old_mtab == NULL) { perror("setmntent"); - /* Unmount if mtab cannot be updated */ - umount(mnt); return 1; } - m.mnt_fsname = dev; - m.mnt_dir = mnt; - m.mnt_type = FSTYPE; - m.mnt_opts = opt; - m.mnt_freq = 0; - m.mnt_passno = 0; - flockfile(fh); - if (addmntent(fh, &m) != 0) { + + new_mtab = setmntent("/etc/mtab.tmp", "w"); + if (new_mtab == NULL) { + perror("setmntent"); + goto fail_early; + } + + while (old_ent = getmntent(old_mtab)) { + if (addmntent(new_mtab, old_ent) != 0) { + perror("addmntent"); + goto fail; + } + } + endmntent(old_mtab); + + new_ent.mnt_fsname = dev; + new_ent.mnt_dir = mnt; + new_ent.mnt_type = FSTYPE; + new_ent.mnt_opts = opt; + new_ent.mnt_freq = 0; + new_ent.mnt_passno = 0; + + if (addmntent(new_mtab, &new_ent) != 0) { perror("addmntent"); - endmntent(fh); - /* Unmount if mtab cannot be updated */ - umount(mnt); - return 1; + goto fail; + } + + if (fchmod(fileno(new_mtab), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) < 0) { + perror("fchmod"); + goto fail; + } + endmntent(new_mtab); + + if (rename("/etc/mtab.tmp", "/etc/mtab") < 0) { + perror("rename"); + goto fail_late; } - endmntent(fh); + + unlink("/etc/mtab~"); + return 0; + +fail: + endmntent(new_mtab); +fail_late: + unlink("/etc/mtab.tmp"); +fail_early: + endmntent(old_mtab); + unlink("/etc/mtab~"); + return 1; } FILE 
*lock_counter(char *u, int uid) { @@ -431,8 +518,9 @@ int main(int argc, char *argv[]) { } } - /* Check ownership of mnt */ - if (check_ownerships(uid, mnt) != 0) { + /* Check ownership of the mountpoint. From here on, dest refers + * to a canonicalized path, and the mountpoint is the cwd. */ + if (check_ownership_mnt(uid, &mnt) != 0) { goto fail; } @@ -462,7 +550,7 @@ int main(int argc, char *argv[]) { */ setreuid(-1, 0); /* Perform mount */ - if (mount(dev, mnt, FSTYPE, 0, opt) == 0) { + if (mount(dev, ".", FSTYPE, 0, opt) == 0) { if (update_mtab(dev, mnt, opt) != 0) { goto fail; } @@ -492,7 +580,7 @@ int main(int argc, char *argv[]) { * Do not use the umount.ecryptfs helper (-i). */ setresuid(0,0,0); - execl("/bin/umount", "umount", "-i", "-l", mnt, NULL); + execl("/bin/umount", "umount", "-i", "-l", ".", NULL); perror("execl unmount failed"); goto fail; } ++++++ CVE-2011-1833.patch ++++++ Description: fix race condition when checking source during mount Author: Marc Deslauriers <marc.deslauriers@canonical.com> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628 Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c =================================================================== --- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c +++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c @@ -501,7 +501,7 @@ int main(int argc, char *argv[]) { if (fnek == 1) { /* Filename encryption is on, so specific the fnek sig */ if ((asprintf(&opt, -"ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", +"ecryptfs_check_dev_ruid,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", sig, sig_fnek, KEY_CIPHER, KEY_BYTES) < 0) || opt == NULL) { perror("asprintf (opt)"); 
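Review bot: `old_mtab` is closed twice on the late error paths in `update_mtab`: `endmntent(old_mtab)` runs right after the copy loop, and a later `goto fail` or `goto fail_late` (failed `addmntent` of the new entry, `fchmod`, or `rename`) falls through to `fail_early`, which calls `endmntent(old_mtab)` again. Setting `old_mtab = NULL;` after the first close and guarding the label with `if (old_mtab) endmntent(old_mtab);` removes the double close. Nothing checks that the buffered writes reached `/etc/mtab.tmp` before the `rename`, so a write error that only surfaces at flush time would presumably go unnoticed; an `if (fflush(new_mtab) != 0) goto fail;` before the `fchmod` would cover that. The function's signature is outside the hunk.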
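Review bot: The new comment above `check_ownership_mnt(uid, &mnt)` in the `-431,8 +518,9` hunk says that `dest` refers to a canonicalized path, but the variable the call updates is `mnt`, and no `dest` appears in the hunk. I would reword it to `/* Check ownership of the mountpoint. From here on, mnt is a canonicalized path and the mountpoint is the cwd. */`. `main` starts and ends outside the hunk.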
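Review bot: In the `-462,7 +550,7` hunk, a failed `update_mtab(dev, mnt, opt)` after the successful `mount(dev, ".", FSTYPE, 0, opt)` reaches `goto fail` with the filesystem still mounted, because this patch removed the `umount(mnt)` calls that `update_mtab` used to make on error. Unless the code at `fail` (outside the hunk) unmounts, the result is a live mount with no mtab entry. Either undo the mount on that branch or add a comment stating that leaving it mounted is intended.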
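Review bot: The `ecryptfs_check_dev_ruid` option added to the `asprintf` format string in the `-501,7 +501,7` hunk (and again in the `-510,7 +510,7` hunk) moves the source-ownership check into the kernel, so this userspace change only closes the race on a kernel that implements the option. Whether an older kernel rejects the unknown option or ignores it is not visible here; if it is ignored, the mount would succeed without the check. A comment above both format strings such as `/* ecryptfs_check_dev_ruid: kernel verifies the lower dir is owned by the real uid; requires kernel support */`, plus a matching kernel requirement in the package, would make the dependency explicit. `main` starts and ends outside the hunk.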
@@ -510,7 +510,7 @@ int main(int argc, char *argv[]) { } else { /* Filename encryption is off; legacy support */ if ((asprintf(&opt, - "ecryptfs_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", + "ecryptfs_check_dev_ruid,ecryptfs_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", sig, KEY_CIPHER, KEY_BYTES) < 0) || opt == NULL) { perror("asprintf (opt)"); ++++++ CVE-2011-1835.patch ++++++ Description: fix key poisoning via insecure temp directory handling Author: Marc Deslauriers <marc.deslauriers@canonical.com> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628 Index: ecryptfs-utils-87/src/utils/ecryptfs-setup-private =================================================================== --- ecryptfs-utils-87.orig/src/utils/ecryptfs-setup-private 2011-07-29 13:04:35.039423874 -0400 +++ ecryptfs-utils-87/src/utils/ecryptfs-setup-private 2011-07-29 13:05:03.769423866 -0400 @@ -380,7 +380,7 @@ # ramdisk, to keep it from leaking to the hard-drive. temp=`mktemp /dev/shm/.ecryptfs-XXXXXX` printf "%s" "$MOUNTPASS" > "$temp" - mv "$temp" "/dev/shm/.ecryptfs-$USER" + mv -f -T "$temp" "/dev/shm/.ecryptfs-$USER" || error "Could not create passphrase file" else printf "%s\n%s" "$MOUNTPASS" "$LOGINPASS" | ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - || error "$(gettext 'Could not wrap passphrase')" fi ++++++ CVE-2011-1837.patch ++++++ Description: fix arbitrary file overwrite via lock counter race condition Author: Marc Deslauriers <marc.deslauriers@canonical.com> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628 Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c =================================================================== --- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c +++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c 
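Review bot: If the `mv -f -T` in the `ecryptfs-setup-private` hunk fails, `$temp` still holds the mount passphrase in `/dev/shm`, and nothing in the hunk removes it before `error` is called; whether `error` cleans up is not visible here. I would remove it on that branch, e.g. `mv -f -T "$temp" "/dev/shm/.ecryptfs-$USER" || { rm -f "$temp"; error "$(gettext 'Could not create passphrase file')"; }`, which also wraps the message in `gettext` like the neighbouring `error` call. The results of `mktemp` and `printf` in the two context lines above are unchecked as well, so an empty `$temp` would reach the `mv`.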
@@ -307,26 +307,27 @@ FILE *lock_counter(char *u, int uid) { * file, or it's not owned by the current user, append iterator * until we find a filename we can use. */ - while (1) { - if (stat(f, &s)==0 && (!S_ISREG(s.st_mode) || s.st_uid!=uid)) { - free(f); + while (i < 50) { + if (((fd = open(f, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)) >= 0) && + (fstat(fd, &s)==0 && (S_ISREG(s.st_mode) && s.st_uid==uid))) { + break; + } else { + if (fd >= 0) + close(fd); + free (f); if (asprintf(&f, "%s/%s-%s-%s-%d", TMP, FSTYPE, u, ECRYPTFS_PRIVATE_DIR, i++) < 0) { perror("asprintf"); return NULL; } - } else { - break; } } - /* open file for reading and writing */ - if ((fd = open(f, O_RDWR)) < 0) { - /* Could not open it, so try to safely create it */ - if ((fd = open(f, O_RDWR | O_CREAT | O_EXCL, 0600)) < 0) { - perror("open"); - return NULL; - } + + if (fd < 0) { + perror("open"); + return NULL; } + flock(fd, LOCK_EX); fh = fdopen(fd, "r+"); if (fh == NULL) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
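Review bot: After `close(fd)` in the `else` branch of the new loop in `lock_counter`, `fd` keeps its old non-negative value. When the loop ends because `i` reached 50 and the last candidate opened but failed the `fstat` ownership test, the `if (fd < 0)` check passes, and `flock(fd, LOCK_EX)` and `fdopen(fd, "r+")` run on a closed descriptor. Adding `fd = -1;` right after `close(fd);` makes the exhaustion case take the error return. On the path where `open` itself failed, `perror("open")` runs only after `free` and `asprintf`, so the reported errno may not be the one from `open`. The function starts before and continues after the hunk.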