ecryptfs team mailing list archive

Thread
Date

[Bug 287906] Re: ecryptfs-setup-private should validate that the login password is correct

To: ecryptfs@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <287906@xxxxxxxxxxxxxxxxxx>
Date: Fri, 24 Oct 2008 07:46:38 -0000
Reply-to: Bug 287906 <287906@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package ecryptfs-utils - 53-1ubuntu11

---------------
ecryptfs-utils (53-1ubuntu11) intrepid; urgency=low

  * debian/patches/55_check_password_and_remove_from_proc.dpatch:
    Fix ecryptfs-add-passphrase and ecryptfs-wrap-passphrase to take
    passphrases on standard, to protect from disclosure on the process
    table; fix callers in ecryptfs-setup-private (LP: #287908).
    Validate that the user password is correct with unix_chkpwd (LP: #287906).
  * debian/patches/00list: updated accordingly

 -- Dustin Kirkland <kirkland@xxxxxxxxxx>   Thu, 23 Oct 2008 12:53:30
-0500

** Changed in: ecryptfs-utils (Ubuntu)
       Status: In Progress => Fix Released

-- 
ecryptfs-setup-private should validate that the login password is correct
https://bugs.launchpad.net/bugs/287906
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: Fix Released

Bug description:
Binary package hint: ecryptfs-utils

ecryptfs-setup-private should validate that the login password is correct.

Bug #259631 sort of exposed this bug.  Somewhere buried in there, we have a user who enters the wrong login password.  If they enter the same wrong password twice, ecryptfs-setup-private proceeds to use it.

This can be fixed with unix_chkpwd.

:-Dustin

References

[Bug 287906] [NEW] ecryptfs-setup-private should validate that the login password is correct
From: Dustin Kirkland, 2008-10-23