ecryptfs-utils: CVE-2009-1296 unencrypted passphrase on disk

Related Vulnerabilities: CVE-2009-1296  

Debian Bug report logs - #532372


Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 8 Jun 2009 21:21:02 UTC

Severity: normal

Tags: security

Found in versions ecryptfs-utils/75-1, ecryptfs-utils/68-1

Fixed in version ecryptfs-utils/75-2

Done: Daniel Baumann <daniel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>:
Bug#532372; Package ecryptfs-utils. (Mon, 08 Jun 2009 21:21:05 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel@debian.org>. (Mon, 08 Jun 2009 21:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: ecryptfs-utils: CVE-2009-1296 unencrypted passphrase on disk
Date: Mon, 8 Jun 2009 17:20:19 -0400
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.

CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase into installation logs when an eCryptfs
|home directory was selected during Ubuntu installation.  The logs are
|only readable by the root user, but this still left the mount passphrase
|unencrypted on disk, potentially leading to a loss of privacy.

Please coordinate with the security team (team@security.debian.org) to
prepare fixes for lenny.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1296
    http://security-tracker.debian.net/tracker/CVE-2009-1296




Bug marked as found in version 68-1. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 08 Jun 2009 21:39:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>:
Bug#532372; Package ecryptfs-utils. (Thu, 16 Jul 2009 12:51:07 GMT)


Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@debian.org>. (Thu, 16 Jul 2009 12:51:07 GMT)


Message #12 received at 532372@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 532372@bugs.debian.org
Subject: Re: ecryptfs-utils: CVE-2009-1296 unencrypted passphrase on disk
Date: Thu, 16 Jul 2009 14:42:10 +0200
severity 532372 normal
thanks

Hi,

The bug is only a security problem if ecryptfs-utils is integrated into
the installer that is used to install the distribution. On Debian, that
is not the case.

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/




Severity set to `normal' from `serious'. Request was from Daniel Baumann <daniel@debian.org> to control@bugs.debian.org. (Thu, 16 Jul 2009 12:51:09 GMT)


Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility. (Thu, 16 Jul 2009 13:24:03 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 16 Jul 2009 13:24:03 GMT)


Message #19 received at 532372-close@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 532372-close@bugs.debian.org
Subject: Bug#532372: fixed in ecryptfs-utils 75-2
Date: Thu, 16 Jul 2009 13:02:10 +0000
Source: ecryptfs-utils
Source-Version: 75-2

We believe that the bug you reported is fixed in the latest version of
ecryptfs-utils, which is due to be installed in the Debian FTP archive:

ecryptfs-utils_75-2.diff.gz
  to pool/main/e/ecryptfs-utils/ecryptfs-utils_75-2.diff.gz
ecryptfs-utils_75-2.dsc
  to pool/main/e/ecryptfs-utils/ecryptfs-utils_75-2.dsc
ecryptfs-utils_75-2_i386.deb
  to pool/main/e/ecryptfs-utils/ecryptfs-utils_75-2_i386.deb
libecryptfs-dev_75-2_i386.deb
  to pool/main/e/ecryptfs-utils/libecryptfs-dev_75-2_i386.deb
libecryptfs0_75-2_i386.deb
  to pool/main/e/ecryptfs-utils/libecryptfs0_75-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 532372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated ecryptfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 16 Jul 2009 14:38:55 +0200
Source: ecryptfs-utils
Binary: ecryptfs-utils libecryptfs0 libecryptfs-dev
Architecture: source i386
Version: 75-2
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description: 
 ecryptfs-utils - ecryptfs cryptographic filesystem (utilities)
 libecryptfs-dev - ecryptfs cryptographic filesystem (development)
 libecryptfs0 - ecryptfs cryptographic filesystem (library)
Closes: 532372
Changes: 
 ecryptfs-utils (75-2) unstable; urgency=low
 .
   * Using correct rfc-2822 date formats in changelog.
   * Adding patch from upstream to not echo mount passphrase if running
     in bootstrap mode (Closes: #532372).
   * Updating package to standards version 3.8.2.


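The leak described in the CVE text above and the fix noted in the changelog (stop echoing the mount passphrase when running in bootstrap mode), as an added shell example that is not ecryptfs-utils code; the helper names, the bootstrap argument and the sample passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ecryptfs-utils code) modelling CVE-2009-1296: a setup
# helper echoes the generated mount passphrase so the user can write it down.
# When an installer runs the helper non-interactively and captures its output
# into an install log, that passphrase lands on disk in cleartext.
# Function names and the bootstrap flag are constructed for illustration.

# Constructed sample passphrase; nothing real is derived from it.
SAMPLE_PASSPHRASE='d2f8c0a1e3b4c5d6e7f8091a2b3c4d5e'

# 'Before': prints the passphrase regardless of how the helper was invoked.
setup_private_before() {
    passphrase=$1
    echo "Your mount passphrase is: $passphrase"
    echo "Record it somewhere safe; it is needed to recover your data."
}

# 'After', following the pattern the changelog describes: when a second
# argument of 1 signals bootstrap (installer) mode, say where the wrapped
# passphrase can be viewed after login instead of printing it.
setup_private_after() {
    passphrase=$1
    bootstrap=${2:-0}
    if [ "$bootstrap" = 1 ]; then
        echo "Mount passphrase generated; view it after your first login."
    else
        echo "Your mount passphrase is: $passphrase"
        echo "Record it somewhere safe; it is needed to recover your data."
    fi
}

# Installer stand-in: runs a helper the way an installer would, capturing
# stdout and stderr into a log file, then checks the log for the passphrase.
# Returns 0 when the passphrase is present (leak), 1 when it is not.
# The same grep applied to a real install log for a known value is the
# post-install check a defender would run.
log_leaks_passphrase() {
    helper=$1
    bootstrap=$2
    log=$(mktemp)
    "$helper" "$SAMPLE_PASSPHRASE" "$bootstrap" >"$log" 2>&1
    if grep -qF -- "$SAMPLE_PASSPHRASE" "$log"; then
        rm -f "$log"
        return 0
    fi
    rm -f "$log"
    return 1
}
```

Running `log_leaks_passphrase setup_private_before 1` reports a leak, while the hardened helper only prints the passphrase outside bootstrap mode.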




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Sep 2009 08:09:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:45 2019; Machine Name: buxtehude
