[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request - ecryptfs-utils
From:       Marcus Meissner <meissner () suse ! de>
Date:       2008-11-21 13:08:06
Message-ID: 20081121130806.GA12690 () suse ! de
[Download RAW message or body]

On Tue, Nov 18, 2008 at 01:56:59PM +0100, Jan Lieskovsky wrote:
> Hello Steve,
> 
> noticed, the following issue still lacks a separate CVE identifier:
> 
> References:
> http://secunia.com/Advisories/32382/
> http://www.openwall.com/lists/oss-security/2008/10/23/3
> http://www.openwall.com/lists/oss-security/2008/10/29/4
> http://www.openwall.com/lists/oss-security/2008/10/29/7
> 
> Upstream commits:
> 
> http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=06de99afd53f03fe07eda0ad9d61ac6d5d4d9f53
>  http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=0af27a5d514dc4bbc077f07cf33a5d5b362a9193
> 

This last commit is still bad, it uses

printf "$PASSPHRASE..." stuff instead of printf "%s" "$PASSPHRASE..." 

So you can program format exploits in shell...
http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=blob;f=src/utils/ecryptfs-setup-private;h=7780a4e43983dee18fd5e08318b41bccd57a7298;hb=HEAD


is the current version and looks better.

This script (ecryptfs-setup-private) btw allows passing passphrases on the
commandline too. *sigh*

Ciao, Marcus


[prev in list] [next in list] [prev in thread] [next in thread]