1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2382-1] ecryptfs-utils security update

    From Jonathan Wiltshire@1:229/2 to All on Sat Jan 7 19:50:01 2012
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2382-1 [email protected] http://www.debian.org/security/ Jonathan Wiltshire January 07, 2012 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : ecryptfs-utils
    Vulnerability : multiple
    Problem type : local
    Debian-specific: no
    CVE ID : CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835
    CVE-2011-1837 CVE-2011-3145

    Several problems have been discovered in ecryptfs-utils, a cryptographic filesystem for Linux.

    CVE-2011-1831

    Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
    incorrectly validated permissions on the requested mountpoint. A local
    attacker could use this flaw to mount to arbitrary locations, leading
    to privilege escalation.

    CVE-2011-1832

    Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
    incorrectly validated permissions on the requested mountpoint. A local
    attacker could use this flaw to unmount to arbitrary locations, leading
    to a denial of service.

    CVE-2011-1834

    Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly
    handled modifications to the mtab file when an error occurs. A local
    attacker could use this flaw to corrupt the mtab file, and possibly
    unmount arbitrary locations, leading to a denial of service.

    CVE-2011-1835

    Marc Deslauriers discovered that eCryptfs incorrectly handled keys when
    setting up an encrypted private directory. A local attacker could use
    this flaw to manipulate keys during creation of a new user.

    CVE-2011-1837

    Vasiliy Kulikov of Openwall discovered that eCryptfs incorrectly handled
    lock counters. A local attacker could use this flaw to possibly overwrite
    arbitrary files.

    We acknowledge the work of the Ubuntu distribution in preparing patches suitable for near-direct inclusion in the Debian package.

    For the oldstable distribution (lenny), these problems have been fixed in version 68-1+lenny1.

    For the stable distribution (squeeze), these problems have been fixed in version 83-4+squeeze1.

    For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 95-1.

    We recommend that you upgrade your ecryptfs-utils packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iQEcBAEBAgAGBQJPCJaDAAoJEL97/wQC1SS+eKAH/3TKaU7EDHYi53WPas0ZRH7a HLS/BToZs2DrMHPzW8IMvCWNavFUy5WnEdRNZgpRPcULonK4Iabsp0XskUFMlJOZ vbWrjdupnDRFYiQWdcrXdmYBM0xKVaXuwND/ZZUL6KWWGUIL5QF+q03nHE4kWSHc sRORBQ5gqNWqYtrkVjUDntccASW9vLYaVFixGzNy8lol79ps+laRC58TTjLv5s6Q fTsPyY/tf7Nsmm5mMyihpJ+WKDUZDOfjxkyIwnnInoomwmLJhKorMA0D6Ry6Mud7 2DLuShV/jR8sEkXBPpoa29CIIrW8P/LSvEbJKIGUi55fMDWwkz1DE7ACVU+hRK4=
    =xE87
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)