Hello community,
here is the log from the commit of package ecryptfs-utils for openSUSE:11.4
checked in at Thu Aug 11 21:01:08 CEST 2011.
--------
--- old-versions/11.4/all/ecryptfs-utils/ecryptfs-utils.changes 2010-04-10 17:40:48.000000000 +0200
+++ 11.4/ecryptfs-utils/ecryptfs-utils.changes 2011-08-11 18:07:00.000000000 +0200
@@ -1,0 +2,13 @@
+Thu Aug 11 18:05:51 CEST 2011 - meissner@suse.de
+
+- Various security fixes (bnc#709771)
+ CVE-2011-1831 - Race condition when checking mountpoint during mount.
+ CVE-2011-1832 - Race condition when checking mountpoint during unmount.
+ CVE-2011-1833 - Race condition when checking source during mount.
+ CVE-2011-1834 - Improper mtab handling allowing corruption due to resource
+ limits, signals, etc.
+ CVE-2011-1835 - Key poisoning in ecryptfs-setup-private due to insecure temp
+ directory.
+ CVE-2011-1837 - Predictable lock counter name and associated races.
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/ecryptfs-utils
Destination is old-versions/11.4/UPDATES/all/ecryptfs-utils
calling whatdependson for 11.4-i586
New:
----
CVE-2011-1831,1832,1834.patch
CVE-2011-1833.patch
CVE-2011-1835.patch
CVE-2011-1837.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ecryptfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.jXcGnt/_old 2011-08-11 21:00:39.000000000 +0200
+++ /var/tmp/diff_new_pack.jXcGnt/_new 2011-08-11 21:00:39.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package ecryptfs-utils (Version 83)
+# spec file for package ecryptfs-utils
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -25,9 +25,13 @@
AutoReqProv: on
Summary: Userspace Utilities for ecryptfs
Version: 83
-Release: 2
+Release: 6.<RELEASE7>
Source0: http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%versi...
Source1: baselibs.conf
+Patch0: CVE-2011-1831,1832,1834.patch
+Patch1: CVE-2011-1833.patch
+Patch2: CVE-2011-1835.patch
+Patch4: CVE-2011-1837.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: gtk2-devel intltool keyutils-devel keyutils-libs libgcrypt-devel mozilla-nss-devel openssl-devel pam-devel pkcs11-helper-devel python-devel trousers-devel
BuildRequires: update-desktop-files
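Review bot: The patch list jumps from `Patch2` to `Patch4`, and the `%prep` hunk applies `%patch0`, `%patch1`, `%patch2`, `%patch4` with the same gap. The CVE list in the changelog also skips from CVE-2011-1835 to CVE-2011-1837. In a security update a reader may take that gap for a patch that was dropped by mistake. If it is intentional, a one-line comment above `Patch4`, for example `# Patch3 intentionally unused`, would settle the question.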
@@ -47,6 +51,10 @@
%prep
%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch4 -p1
%build
export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
++++++ CVE-2011-1831,1832,1834.patch ++++++
Description: fix privilege escalation via mountpoint race conditions
Author: Dan Rosenberg
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628
Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c
+++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
@@ -152,6 +152,47 @@ char *fetch_sig(char *pw_dir, int entry)
return sig;
}
+int check_ownership_mnt(int uid, char **mnt) {
+/* Check ownership of mount point, chdir into it, and
+ * canonicalize the path for use in mtab updating.
+ * Return 0 if everything is in order, 1 on error.
+ */
+ struct stat s;
+ char *cwd;
+
+ /* From here on, we'll refer to "." as our mountpoint, to avoid
+ * races.
+ */
+ if (chdir(*mnt) != 0) {
+ fputs("Cannot chdir into mountpoint.\n", stderr);
+ return 1;
+ }
+ if (stat(".", &s) != 0) {
+ fputs("Cannot examine mountpoint.\n", stderr);
+ return 1;
+ }
+ if (!S_ISDIR(s.st_mode)) {
+ fputs("Mountpoint is not a directory.\n", stderr);
+ return 1;
+ }
+ if (s.st_uid != uid) {
+ fputs("You do not own that mountpoint.\n", stderr);
+ return 1;
+ }
+
+ /* Canonicalize our pathname based on the current directory to
+ * avoid races.
+ */
+ cwd = getcwd(NULL, 0);
+ if (!cwd) {
+ fputs("Failed to get current directory\n", stderr);
+ return 1;
+ }
+ *mnt = cwd;
+ return 0;
+}
+
+
int check_ownerships(int uid, char *path) {
/* Check ownership of device and mount point.
* Return 0 if everything is in order, 1 on error.
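Review bot: The header comment of `check_ownership_mnt` leaves out two parts of its contract that callers depend on. On success `*mnt` is overwritten with a buffer allocated by `getcwd(NULL, 0)`, so the caller owns it and the previous pointer is not freed here. The process also stays chdir'ed into the mountpoint on every error return after the `chdir` has succeeded. I would add `* On success *mnt points to a malloc'ed canonical path owned by the caller;` and `* the working directory is changed even when a later check fails.` to that comment. Separately, `s.st_uid != uid` compares a `uid_t` with an `int`; writing `s.st_uid != (uid_t)uid` makes the conversion explicit.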
@@ -177,31 +218,77 @@ int update_mtab(char *dev, char *mnt, ch
/* Update /etc/mtab with new mount entry.
* Return 0 on success, 1 on failure.
*/
- FILE *fh;
- struct mntent m;
- fh = setmntent("/etc/mtab", "a");
- if (fh == NULL) {
+ int fd;
+ FILE *old_mtab, *new_mtab;
+ struct mntent *old_ent, new_ent;
+
+ /* Make an attempt to play nice with other mount helpers
+ * by creating an /etc/mtab~ lock file. Of course this
+ * only works if those other helpers actually check for
+ * this.
+ */
+ fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644);
+ if (fd < 0) {
+ perror("open");
+ return 1;
+ }
+ close(fd);
+
+ old_mtab = setmntent("/etc/mtab", "r");
+ if (old_mtab == NULL) {
perror("setmntent");
- /* Unmount if mtab cannot be updated */
- umount(mnt);
return 1;
}
- m.mnt_fsname = dev;
- m.mnt_dir = mnt;
- m.mnt_type = FSTYPE;
- m.mnt_opts = opt;
- m.mnt_freq = 0;
- m.mnt_passno = 0;
- flockfile(fh);
- if (addmntent(fh, &m) != 0) {
+
+ new_mtab = setmntent("/etc/mtab.tmp", "w");
+ if (new_mtab == NULL) {
+ perror("setmntent");
+ goto fail_early;
+ }
+
+ while (old_ent = getmntent(old_mtab)) {
+ if (addmntent(new_mtab, old_ent) != 0) {
+ perror("addmntent");
+ goto fail;
+ }
+ }
+ endmntent(old_mtab);
+
+ new_ent.mnt_fsname = dev;
+ new_ent.mnt_dir = mnt;
+ new_ent.mnt_type = FSTYPE;
+ new_ent.mnt_opts = opt;
+ new_ent.mnt_freq = 0;
+ new_ent.mnt_passno = 0;
+
+ if (addmntent(new_mtab, &new_ent) != 0) {
perror("addmntent");
- endmntent(fh);
- /* Unmount if mtab cannot be updated */
- umount(mnt);
- return 1;
+ goto fail;
+ }
+
+ if (fchmod(fileno(new_mtab), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) < 0) {
+ perror("fchmod");
+ goto fail;
+ }
+ endmntent(new_mtab);
+
+ if (rename("/etc/mtab.tmp", "/etc/mtab") < 0) {
+ perror("rename");
+ goto fail_late;
}
- endmntent(fh);
+
+ unlink("/etc/mtab~");
+
return 0;
+
+fail:
+ endmntent(new_mtab);
+fail_late:
+ unlink("/etc/mtab.tmp");
+fail_early:
+ endmntent(old_mtab);
+ unlink("/etc/mtab~");
+ return 1;
}
FILE *lock_counter(char *u, int uid) {
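Review bot: `old_mtab` is closed twice on the late failure paths. `endmntent(old_mtab)` runs right after the copy loop, and errors from the second `addmntent`, the `fchmod` and the `rename` then fall through `fail`/`fail_late` into `fail_early`, which calls `endmntent(old_mtab)` again on the closed stream. Setting `old_mtab = NULL;` after the first close and guarding the last one with `if (old_mtab) endmntent(old_mtab);` removes the double close. Separately, `addmntent` writes through stdio, so a short write (for example under a file-size limit) may only surface at flush time. An `if (fflush(new_mtab) != 0) goto fail;` before the `fchmod` would keep a truncated `/etc/mtab.tmp` from being renamed over `/etc/mtab`. The start of update_mtab lies outside the hunk.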
@@ -431,8 +518,9 @@ int main(int argc, char *argv[]) {
}
}
- /* Check ownership of mnt */
- if (check_ownerships(uid, mnt) != 0) {
+ /* Check ownership of the mountpoint. From here on, dest refers
+ * to a canonicalized path, and the mountpoint is the cwd. */
+ if (check_ownership_mnt(uid, &mnt) != 0) {
goto fail;
}
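Review bot: The new comment says "dest refers to a canonicalized path", but the variable passed to `check_ownership_mnt` is `mnt` and no `dest` appears in the hunk. I would word it as `/* Check ownership of the mountpoint. From here on, mnt refers to a canonicalized path, and the mountpoint is the cwd. */` so the comment names the pointer that is actually replaced. The surrounding body of main is outside the hunk.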
@@ -462,7 +550,7 @@ int main(int argc, char *argv[]) {
*/
setreuid(-1, 0);
/* Perform mount */
- if (mount(dev, mnt, FSTYPE, 0, opt) == 0) {
+ if (mount(dev, ".", FSTYPE, 0, opt) == 0) {
if (update_mtab(dev, mnt, opt) != 0) {
goto fail;
}
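Review bot: When `update_mtab` fails after `mount(dev, ".", ...)` has succeeded, nothing visible here undoes the mount. The old update_mtab called `umount(mnt)` on its error paths and the rewritten one in this patch no longer does. Unless the `fail` label, which is outside the hunk, unmounts, the filesystem stays mounted without an mtab record. At minimum I would record the new contract at the call with `/* update_mtab() no longer unmounts on failure; the fail path must undo the mount */`, and confirm that `fail` actually does so.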
@@ -492,7 +580,7 @@ int main(int argc, char *argv[]) {
* Do not use the umount.ecryptfs helper (-i).
*/
setresuid(0,0,0);
- execl("/bin/umount", "umount", "-i", "-l", mnt, NULL);
+ execl("/bin/umount", "umount", "-i", "-l", ".", NULL);
perror("execl unmount failed");
goto fail;
}
++++++ CVE-2011-1833.patch ++++++
Description: fix race condition when checking source during mount
Author: Marc Deslauriers