← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1447282] Re: Does not use encrypted swap when using GPT partitioning + encrypted home directory (ecryptfs)

 

This bug was fixed in the package ecryptfs-utils - 111-0ubuntu1.1

---------------
ecryptfs-utils (111-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Information exposure via unencrypted swap partitions. The
    swap partition was not configured to use encryption when GPT partitioning
    was in use on NVMe and MMC drives.
    - debian/patches/set-up-encrypted-swap-on-nvme-and-mmc.patch: Properly
      handle the formatting of the path to swap partitions on NVMe and MMC
      drives so that they're correctly marked as not to be automatically
      mounted by systemd. Based on upstream patch from Jason Gerard DeRose.
      (LP: #1597154)
    - debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions
      that have mistakenly remained marked as auto mount. This should only
      modify the swap partitions on systems that ecryptfs-setup-swap has been
      used on. (LP: #1447282, LP: #1597154)
    - CVE not yet assigned

 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx>  Wed, 13 Jul 2016 00:36:59 -0500

** Changed in: ecryptfs-utils (Ubuntu Xenial)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1447282

Title:
  Does not use encrypted swap when using GPT partitioning + encrypted
  home directory (ecryptfs)

Status in eCryptfs:
  Fix Committed
Status in ecryptfs-utils package in Ubuntu:
  Triaged
Status in ecryptfs-utils source package in Vivid:
  Fix Released
Status in ecryptfs-utils source package in Xenial:
  Fix Released
Status in ecryptfs-utils source package in Yakkety:
  Triaged

Bug description:
  CVE Request: http://openwall.com/lists/oss-security/2016/07/13/2

  
  I'm still sorting out the details and eliminating variables, but as far as I can tell:

  Steps to reproduce
  ===============

  1) Install Ubuntu using GPT partitioning for the OS drive[*]

  2) Choose "require my password to login", and check "encrypt my home
  directory"

  Expected behavior
  ===============

  No special user interaction should be required to initialized the
  crytposwap other than normally logging in

  Actual behavior
  ============

  Prior to lightdm coming up, you will be prompted to enter your
  passphrase to unlock the cryptoswap, similar to how you would be
  prompted to unlock the OS drive when using full disk encryption (see
  attached photo).

  When lightdm comes up, you have to enter your password/passphrase
  again to login.

  Work-arounds
  ===========

  1) This only seems to happen when using GTP partitioning, not MBR...
  so use MBR if you can

  2) Even with GTP partitioning, booting with init=/sbin/upstart seems
  to reliably fix the problem, so it certainly seems systemd related

  Notes
  =====

  * As far as I can tell, there isn't a way to force Ubiquity to create
  a GPT partition table when the OS drive is < 2TB, but it will
  automatically use GPT partitioning when the OS drive is >= 2TB. My
  particular test was done using the System76 imaging server, which by
  default uses GPT partitioning even when the OS drive is < 2TB.

  SRU INFORMATION
  ================
  Regression potential:
  This is delicate as we need to fix existing installations with a post-install script. This needs to happen as defensively as possible, but errors in this can still potentially completely break your partition information. Apart from testing that in the above scenario the unencrypted swap partition is marked as "no-auto" and thus after a new boot you are actually using the cryptswap1 one, we also need to verify that it does not destroy working systems.

  Test case:
  (1) Install an EFI system with "encrypt my home directory" (You can do this in QEMU with -bios OVMF.fd); after booting the first time you will be asked to enter a passprase for the swap partition, just press enter. "sudo swapon -s" will say something like /dev/sda3, i. e. using unencrypted swap. After installing this update and rebooting, the bogus passphrase prompt on boot should be gone, and "sudo swapon -s" should say /dev/dm-0, i. e. using encrypted swap.

  In all these other cases the update should not do anything and booting continues to work:
  (2) In the above system, "sudo apt-get install --reinstall ecryptfs-utils" should not change partitions again, but say something like "is already marked as no-auto".
  (3) Install an EFI system without home dir encryption
  (4) Install an MBR system with home dir encryption
  (5) Install an MBR system without home dir encryption

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: systemd 219-7ubuntu3
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  Uname: Linux 3.19.0-15-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Apr 22 11:40:29 2015
  EcryptfsInUse: Yes
  MachineType: System76, Inc. Kudu Professional
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-15-generic root=UUID=e6c5aea5-d57c-410d-abce-66e96175e946 ro quiet splash vt.handoff=7
  SourcePackage: systemd
  UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 01/15/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 1.03.03RS76
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: Kudu Professional
  dmi.board.vendor: System76, Inc.
  dmi.board.version: kudp1
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 9
  dmi.chassis.vendor: System76, Inc.
  dmi.chassis.version: kudp1
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1.03.03RS76:bd01/15/2014:svnSystem76,Inc.:pnKuduProfessional:pvrkudp1:rvnSystem76,Inc.:rnKuduProfessional:rvrkudp1:cvnSystem76,Inc.:ct9:cvrkudp1:
  dmi.product.name: Kudu Professional
  dmi.product.version: kudp1
  dmi.sys.vendor: System76, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/1447282/+subscriptions