
ecryptfs team mailing list archive

[Bug 287908] Re: ecryptfs-setup-private potentially exposes passwords in the process table

 

This bug was fixed in the package ecryptfs-utils - 53-1ubuntu11

---------------
ecryptfs-utils (53-1ubuntu11) intrepid; urgency=low

  * debian/patches/55_check_password_and_remove_from_proc.dpatch:
    Fix ecryptfs-add-passphrase and ecryptfs-wrap-passphrase to take
    passphrases on standard, to protect from disclosure on the process
    table; fix callers in ecryptfs-setup-private (LP: #287908).
    Validate that the user password is correct with unix_chkpwd (LP: #287906).
  * debian/patches/00list: updated accordingly

 -- Dustin Kirkland <kirkland@xxxxxxxxxx>   Thu, 23 Oct 2008 12:53:30 -0500

** Changed in: ecryptfs-utils (Ubuntu Intrepid)
       Status: Fix Committed => Fix Released

-- 
ecryptfs-setup-private potentially exposes passwords in the process table
https://bugs.launchpad.net/bugs/287908
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Intrepid: Fix Released

Bug description:
Binary package hint: ecryptfs-utils

ecryptfs-setup-private potentially exposes passwords in the process table.

There are two calls in ecryptfs-setup-private to helper utilities:
 * ecryptfs-wrap-passphrase
 * ecryptfs-add-passphrase
that use passwords on the command line.

There is a small yet real possibility that these passwords could be exposed on the process table momentarily.

To fix this problem, we need to:
 a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take passphrases on stdin
 b) modify the callers to use a dash/bash builtin function (such as echo or printf) to send these passphrases to those utilities on standard in

Thanks to Jamie Strandboge for the bug report.

:-Dustin
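
The change described in (a) and (b) above, as an added example that is not part of the original message or of ecryptfs-utils: a stand-in helper (hypothetically named "helper") is given a constructed passphrase first as an argument and then on stdin, and reports its own /proc/<pid>/cmdline so the difference in the process table can be checked. It assumes Linux with /proc mounted.

```shell
#!/bin/sh
# Added example, not ecryptfs-utils code. "helper" stands in for a utility such
# as ecryptfs-wrap-passphrase; SECRET is a constructed sample passphrase.
SECRET='constructed-sample-passphrase'

# Run inside the helper: print the helper's own argv as /proc exposes it to
# other local users (NUL-separated in /proc/<pid>/cmdline, the data ps shows).
SHOW_ARGV='argv=$(tr "\0" " " < /proc/$$/cmdline); printf "%s\n" "$argv"'

# Before the fix: the caller passes the passphrase as a helper argument.
argv_via_argument() {
    sh -c "$SHOW_ARGV" helper "$1"
}

# After the fix: the helper reads the passphrase from stdin and the caller
# sends it with the shell's builtin printf, so nothing is exec'd with it.
argv_via_stdin() {
    printf '%s\n' "$1" |
        sh -c 'IFS= read -r pass; printf "read %s chars\n" "${#pass}"; '"$SHOW_ARGV" helper
}

# True if the given text contains the passphrase.
leaks_secret() {
    case "$1" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# An external printf (e.g. /usr/bin/printf) would put the passphrase back into
# an argv, so confirm the caller's printf is a builtin.
printf_is_builtin() {
    case "$(type printf)" in *builtin*) return 0 ;; *) return 1 ;; esac
}

for mode in argument stdin; do
    if leaks_secret "$("argv_via_$mode" "$SECRET")"; then
        echo "$mode: passphrase visible in process table"
    else
        echo "$mode: passphrase not visible in process table"
    fi
done
printf_is_builtin && echo "printf is a shell builtin"
```

The same leaks_secret check can be pointed at the output of ps or at /proc/<pid>/cmdline of a real helper process when auditing a script that handles passphrases.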


