ecryptfs team mailing list archive

Thread
Date

[Bug 287908] Re: ecryptfs-setup-private potentially exposes passwords in the process table

To: ecryptfs@xxxxxxxxxxxxxxxxxxx
From: Dustin Kirkland <dustin.kirkland@xxxxxxxxx>
Date: Thu, 23 Oct 2008 15:44:57 -0000
Reply-to: Bug 287908 <287908@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Updated debdiff.

:-Dustin

** Attachment added: "ecryptfs-utils.debdiff"
   http://launchpadlibrarian.net/18820520/ecryptfs-utils.debdiff

-- 
ecryptfs-setup-private potentially exposes passwords in the process table
https://bugs.launchpad.net/bugs/287908
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: In Progress

Bug description:
Binary package hint: ecryptfs-utils

ecryptfs-setup-private potentially exposes passwords in the process table.

There are two calls in ecryptfs-setup-private to helper utilities:
 * ecryptfs-wrap-passphrase
 * ecryptfs-add-passphrase
that use passwords on the command line.

There is a small yet real possibility that these passwords could be exposed on the process table momentarily.

To fix this problem, we need to:
 a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take passphrases on stdin
 b) modify the callers to use a dash/bash builtin function (such as echo or printf) to send this passphrases to those utilities on standard in

Thanks to Jamie Strandboge for the bug report.

:-Dustin

References

[Bug 287908] [NEW] ecryptfs-setup-private potentially exposes passwords in the process table
From: Dustin Kirkland, 2008-10-23