group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #06108
[Bug 1447282] Re: Does not use encrypted swap when using GPT partitioning + encrypted home directory (ecryptfs)
This bug was fixed in the package ecryptfs-utils - 111-0ubuntu2
---------------
ecryptfs-utils (111-0ubuntu2) yakkety; urgency=medium
* SECURITY UPDATE: Information exposure via unencrypted swap partitions. The
swap partition was not configured to use encryption when GPT partitioning
was in use on NVMe and MMC drives.
- debian/patches/CVE-2016-6224.patch: Properly handle the formatting of
the path to swap partitions on NVMe and MMC drives so that they're
correctly marked as not to be automatically mounted by systemd. Based on
upstream patch from Jason Gerard DeRose. (LP: #1597154)
- debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions
that have mistakenly remained marked as auto mount. This should only
modify the swap partitions on systems that ecryptfs-setup-swap has been
used on. (LP: #1447282, LP: #1597154)
- CVE-2016-6224
-- Tyler Hicks <tyhicks@xxxxxxxxxxxxx> Thu, 14 Jul 2016 18:48:53 -0500
** Changed in: ecryptfs-utils (Ubuntu Yakkety)
Status: Triaged => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6224
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1447282
Title:
Does not use encrypted swap when using GPT partitioning + encrypted
home directory (ecryptfs)
Status in eCryptfs:
Fix Committed
Status in ecryptfs-utils package in Ubuntu:
Fix Released
Status in ecryptfs-utils source package in Vivid:
Fix Released
Status in ecryptfs-utils source package in Xenial:
Fix Released
Status in ecryptfs-utils source package in Yakkety:
Fix Released
Bug description:
CVE Request: http://openwall.com/lists/oss-security/2016/07/13/2
I'm still sorting out the details and eliminating variables, but as far as I can tell:
Steps to reproduce
===============
1) Install Ubuntu using GPT partitioning for the OS drive[*]
2) Choose "require my password to login", and check "encrypt my home
directory"
Expected behavior
===============
No special user interaction should be required to initialized the
crytposwap other than normally logging in
Actual behavior
============
Prior to lightdm coming up, you will be prompted to enter your
passphrase to unlock the cryptoswap, similar to how you would be
prompted to unlock the OS drive when using full disk encryption (see
attached photo).
When lightdm comes up, you have to enter your password/passphrase
again to login.
Work-arounds
===========
1) This only seems to happen when using GTP partitioning, not MBR...
so use MBR if you can
2) Even with GTP partitioning, booting with init=/sbin/upstart seems
to reliably fix the problem, so it certainly seems systemd related
Notes
=====
* As far as I can tell, there isn't a way to force Ubiquity to create
a GPT partition table when the OS drive is < 2TB, but it will
automatically use GPT partitioning when the OS drive is >= 2TB. My
particular test was done using the System76 imaging server, which by
default uses GPT partitioning even when the OS drive is < 2TB.
SRU INFORMATION
================
Regression potential:
This is delicate as we need to fix existing installations with a post-install script. This needs to happen as defensively as possible, but errors in this can still potentially completely break your partition information. Apart from testing that in the above scenario the unencrypted swap partition is marked as "no-auto" and thus after a new boot you are actually using the cryptswap1 one, we also need to verify that it does not destroy working systems.
Test case:
(1) Install an EFI system with "encrypt my home directory" (You can do this in QEMU with -bios OVMF.fd); after booting the first time you will be asked to enter a passprase for the swap partition, just press enter. "sudo swapon -s" will say something like /dev/sda3, i. e. using unencrypted swap. After installing this update and rebooting, the bogus passphrase prompt on boot should be gone, and "sudo swapon -s" should say /dev/dm-0, i. e. using encrypted swap.
In all these other cases the update should not do anything and booting continues to work:
(2) In the above system, "sudo apt-get install --reinstall ecryptfs-utils" should not change partitions again, but say something like "is already marked as no-auto".
(3) Install an EFI system without home dir encryption
(4) Install an MBR system with home dir encryption
(5) Install an MBR system without home dir encryption
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: systemd 219-7ubuntu3
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
Uname: Linux 3.19.0-15-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Apr 22 11:40:29 2015
EcryptfsInUse: Yes
MachineType: System76, Inc. Kudu Professional
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-15-generic root=UUID=e6c5aea5-d57c-410d-abce-66e96175e946 ro quiet splash vt.handoff=7
SourcePackage: systemd
UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/15/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 1.03.03RS76
dmi.board.asset.tag: Tag 12345
dmi.board.name: Kudu Professional
dmi.board.vendor: System76, Inc.
dmi.board.version: kudp1
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 9
dmi.chassis.vendor: System76, Inc.
dmi.chassis.version: kudp1
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1.03.03RS76:bd01/15/2014:svnSystem76,Inc.:pnKuduProfessional:pvrkudp1:rvnSystem76,Inc.:rnKuduProfessional:rvrkudp1:cvnSystem76,Inc.:ct9:cvrkudp1:
dmi.product.name: Kudu Professional
dmi.product.version: kudp1
dmi.sys.vendor: System76, Inc.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/1447282/+subscriptions
