Ubuntu
ecryptfs-utils package

leakage in the installer

Bug #383650 reported by Dustin Kirkland 
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
Fix Released
Critical
Dustin Kirkland 
Ubuntu jaunty-updates
Jaunty
Fix Released
Critical
Dustin Kirkland 
Ubuntu jaunty-updates

Bug Description

Binary package hint: ecryptfs-utils

The mount passphrase is leaked in the Ubuntu installer logs, at /var/log/installer/syslog.

This file is mode 0600:
-rw------- 1 syslog adm 347379 2009-06-04 11:00 /var/log/installer/syslog

However, it is written to the disk in the clear, and constitutes a leakage of the mount passphrase.

The upstream ecryptfs code (and Karmic) should be modified to support a flag to disable this printing, and the user-setup code should call ecryptfs-setup-private with this flag.

As for Jaunty, I'm attach a patch to ecryptfs-utils that should be uploaded to jaunty-security. This patch uses sed to prune the offending lines out of /var/log/installer/syslog.

Please advise on whatever additional disclosure mechanisms (if any) need to be invoked (CVE, USN, etc.).

:-Dustin

Dustin Kirkland  (kirkland)
Changed in ecryptfs-utils (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → High
milestone: none → jaunty-updates
status: New → In Progress
Dustin Kirkland  (kirkland)
Changed in ecryptfs-utils (Ubuntu):
importance: High → Critical
Dustin Kirkland  (kirkland)
Changed in ecryptfs-utils (Ubuntu Jaunty):
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → Critical
milestone: none → jaunty-updates
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 73-0ubuntu6.1

---------------
ecryptfs-utils (73-0ubuntu6.1) jaunty-security; urgency=low

  * SECURITY UPDATE: mount passphrase recorded in install log (LP: #383650).
    - debian/ecryptfs-utils.postinst: prune private information from
      installer log
    - src/utils/ecryptfs-setup-private: don't echo passphrase if running in
      bootstrap mode
    - CVE-2009-1296

 -- Dustin Kirkland <email address hidden> Thu, 04 Jun 2009 11:29:58 -0500

Changed in ecryptfs-utils (Ubuntu Jaunty):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 75-0ubuntu2

---------------
ecryptfs-utils (75-0ubuntu2) karmic; urgency=low

  * SECURITY UPDATE: mount passphrase recorded in install log (LP: #383650).
    - debian/ecryptfs-utils.postinst: prune private information from
      installer log
    - src/utils/ecryptfs-setup-private: don't echo passphrase if running in
      bootstrap mode
    - CVE-2009-1296

 -- Dustin Kirkland <email address hidden> Fri, 05 Jun 2009 09:39:13 -0500

Changed in ecryptfs-utils (Ubuntu):
status: In Progress → Fix Released
Kees Cook (kees)
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.