ecryptfs team mailing list archive
Message #01851
[Bug 732628] Re: TOCTOU in mount.ecryptfs_private
This bug was fixed in the package ecryptfs-utils - 87-0ubuntu1.1
---------------
ecryptfs-utils (87-0ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: privilege escalation via mountpoint race conditions
    (LP: #732628)
    - debian/patches/CVE-2011-1831,1832,1834.patch: chdir into mountpoint
      before checking permissions in src/utils/mount.ecryptfs_private.c.
    - CVE-2011-1831
    - CVE-2011-1832
  * SECURITY UPDATE: race condition when checking source during mount
    (LP: #732628)
    - debian/patches/CVE-2011-1833.patch: use new ecryptfs_check_dev_ruid
      kernel option when mounting directory in
      src/utils/mount.ecryptfs_private.c.
    - CVE-2011-1833
  * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628)
    - debian/patches/CVE-2011-1831,1832,1834.patch: modify mtab via a temp
      file first and make sure it succeeds before replacing the real mtab
      in src/utils/mount.ecryptfs_private.c.
    - CVE-2011-1834
  * SECURITY UPDATE: key poisoning via insecure temp directory handling
    (LP: #732628)
    - debian/patches/CVE-2011-1835.patch: make sure we don't copy into a
      user controlled directory in src/utils/ecryptfs-setup-private.
    - CVE-2011-1835
  * SECURITY UPDATE: information disclosure via recovery mount in /tmp
    (LP: #732628)
    - debian/patches/CVE-2011-1836.patch: mount inside protected
      subdirectory in src/utils/ecryptfs-recover-private.
    - CVE-2011-1836
  * SECURITY UPDATE: arbitrary file overwrite via lock counter race
    condition (LP: #732628)
    - debian/patches/CVE-2011-1837.patch: verify permissions with a file
      descriptor, and don't follow symlinks in
      src/utils/mount.ecryptfs_private.c.
    - CVE-2011-1837

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Thu, 04 Aug 2011 10:43:33 -0400

** Changed in: ecryptfs-utils (Ubuntu Natty)
Status: Confirmed => Fix Released
** Changed in: ecryptfs-utils (Ubuntu Maverick)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of eCryptfs,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/732628
Title:
TOCTOU in mount.ecryptfs_private
Status in eCryptfs - Enterprise Cryptographic Filesystem:
Triaged
Status in “ecryptfs-utils” package in Ubuntu:
Confirmed
Status in “ecryptfs-utils” source package in Lucid:
Fix Released
Status in “ecryptfs-utils” source package in Maverick:
Fix Released
Status in “ecryptfs-utils” source package in Natty:
Fix Released
Status in “ecryptfs-utils” source package in Oneiric:
Confirmed
Status in “ecryptfs-utils” package in Debian:
New
Status in “ecryptfs-utils” package in Fedora:
New
Bug description:
check_ownerships() function doesn't work as it should because of a
race condition. Arguments of both mount() and umount() calls can be
changed between the check and the usage. This may lead to arbitrary
mount point umounting or probably to gaining ability to try
passphrases of other people's ecryptfs storages.

lock_counter() is also racy. It (1) tries to check existence and
ownership of the file before open(), (2) neither use stat() instead of
lstat() nor O_NOFOLLOW, (3) is not protected against deletion of the
lock file by the owner. The lock file should be probably created in
root only writable directory before dropping EUID.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/732628/+subscriptions
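
The CVE-2011-1837 changelog entry ("verify permissions with a file descriptor, and don't follow symlinks") and the lock_counter() points in the bug description come down to one pattern: open first, then check the opened object. The following C sketch is an added example, not code from ecryptfs-utils or its patch; `open_lock_checked`, `demo_results` and the `/tmp/lockdemo.XXXXXX` scratch path are hypothetical names chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not from ecryptfs-utils: open first, then verify the
 * opened object through its descriptor, so check and use see the same file. */
int open_lock_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a symlink. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the inode behind fd, whatever the path names now. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a scratch directory with a regular lock file and a
 * symlink to it. Bit 0 = plain file accepted, bit 1 = symlink accepted,
 * bit 2 = file accepted for the wrong owner. Only bit 0 should be set. */
int demo_results(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", file[64], lnk[64];
    int r = 0, fd;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/lock", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0)
        return -1;
    close(fd);
    if ((fd = open_lock_checked(file, geteuid())) >= 0) { r |= 1; close(fd); }
    if ((fd = open_lock_checked(lnk, geteuid())) >= 0) { r |= 2; close(fd); }
    if ((fd = open_lock_checked(file, geteuid() + 1)) >= 0) { r |= 4; close(fd); }
    unlink(lnk); unlink(file); rmdir(dir);
    return r;
}

int main(void) { printf("accepted mask: %d\n", demo_results()); return 0; }
```

A stat()-then-open() sequence on the same path would leave a window in which the path can be replaced; here every property is read from the descriptor that will actually be used.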