ecryptfs team mailing list archive
[Bug 287908] [NEW] ecryptfs-setup-private potentially exposes passwords in the process table
Public bug reported:
Binary package hint: ecryptfs-utils
ecryptfs-setup-private potentially exposes passwords in the process
table.
There are two calls in ecryptfs-setup-private to helper utilities:
* ecryptfs-wrap-passphrase
* ecryptfs-add-passphrase
that use passwords on the command line.
There is a small yet real possibility that these passwords could be
exposed on the process table momentarily.
To fix this problem, we need to:
a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take passphrases on stdin
b) modify the callers to use a dash/bash builtin function (such as echo or printf) to send these passphrases to those utilities on standard in
Thanks to Jamie Strandboge for the bug report.
:-Dustin
** Affects: ecryptfs-utils (Ubuntu)
Importance: Critical
Assignee: Dustin Kirkland (kirkland)
Status: In Progress
** Changed in: ecryptfs-utils (Ubuntu)
Importance: Undecided => Critical
Assignee: (unassigned) => Dustin Kirkland (kirkland)
Status: New => In Progress
--
ecryptfs-setup-private potentially exposes passwords in the process table
https://bugs.launchpad.net/bugs/287908
Status in “ecryptfs-utils” source package in Ubuntu: In Progress
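The exposure described in the report and the stdin-based fix it proposes, shown side by side as an added example (not part of the original message and not ecryptfs-utils code). The passphrase value and the "sh -c ... helper" child processes are constructed stand-ins for the real utilities, and the script assumes a readable /proc or a working ps.

```shell
#!/bin/sh
# Added example. SECRET is a constructed value; the "sh -c ... helper" children
# are hypothetical stand-ins for a passphrase helper, not the ecryptfs tools.
SECRET='constructed-passphrase-1234'

# Print PID's command line as any local user can read it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Give the child a second to exec, capture its command line, then reap it.
snapshot() {
    sleep 1
    cmdline_of "$1"
    wait "$1" 2>/dev/null
    return 0
}

# Pattern from the report: passphrase handed over as an argument.
observe_argv() {
    sh -c 'sleep 2; :' helper "$SECRET" >/dev/null 2>&1 &
    snapshot "$!"
}

# Proposed fix: a shell builtin writes the passphrase to the helper's stdin.
# printf must be the builtin; /usr/bin/printf would put it back into argv.
observe_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r p; sleep 2; :' helper >/dev/null 2>&1 &
    snapshot "$!"
}

ARGV_SEEN=$(observe_argv)
STDIN_SEEN=$(observe_stdin)
printf 'argv : %s\nstdin: %s\n' "$ARGV_SEEN" "$STDIN_SEEN"
```

The first line of output contains the passphrase; the second shows only the helper's own command line, because the builtin never creates a process whose arguments carry the secret.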
[Bug 287908] [NEW] ecryptfs-setup-private potentially exposes passwords in the process table
From: Dustin Kirkland, 2008-10-23