← Back to team overview

ecryptfs team mailing list archive

  1. ecryptfs team
  2. Mailing list archive
  3. Message #01843

[Bug 732628] Re: TOCTOU in mount.ecryptfs_private

  Thread PreviousDate PreviousThread Next 
CVE-2011-1831 - Race condition when checking mountpoint during mount.

CVE-2011-1832 - Race condition when checking mountpoint during unmount.

CVE-2011-1833 - Race condition when checking source during mount.

CVE-2011-1834 - Improper mtab handling allowing corruption due to
resource limits, signals, etc.

CVE-2011-1835 - Key poisoning in ecryptfs-setup-private due to insecure
temp directory.

CVE-2011-1836 - ecryptfs-recover-private mounts directly in /tmp

CVE-2011-1837 - Predictable lock counter name and associated races.


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1831

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1832

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1833

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1834

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1835

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1836

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1837

-- 
You received this bug notification because you are a member of eCryptfs,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/732628

Title:
  TOCTOU in mount.ecryptfs_private

Status in eCryptfs - Enterprise Cryptographic Filesystem:
  Triaged
Status in “ecryptfs-utils” package in Ubuntu:
  Confirmed
Status in “ecryptfs-utils” source package in Lucid:
  Confirmed
Status in “ecryptfs-utils” source package in Maverick:
  Confirmed
Status in “ecryptfs-utils” source package in Natty:
  Confirmed
Status in “ecryptfs-utils” source package in Oneiric:
  Confirmed
Status in “ecryptfs-utils” package in Debian:
  New
Status in “ecryptfs-utils” package in Fedora:
  New

Bug description:
  check_ownerships() function doesn't work as it should because of a
  race condition.  Arguments of both mount() and umount() calls can be
  changed between the check and the usage.  This may lead to arbitrary
  mount point umounting or probably to gaining ability to try
  passphrases of otherpeople's ecryptfs storages.

  lock_counter() is also racy.  It (1) tries to check existance and
  ownership of the file before open(), (2) neither use stat() instead of
  lstat() nor O_NOFOLLOW, (3) is not protected against deletion of the
  lock file by the owner. The lock file should be probably created in
  root only writable directory before dropping EUID.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/732628/+subscriptions

References

  Thread PreviousDate PreviousThread Next