Debian Bug report logs - #595998
Multiple security issues
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 7 Sep 2010 20:15:01 UTC
Severity: grave
Tags: security
Fixed in version encfs/1.7.2-1
Done: Eduard Bloch <blade@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>: Bug#595998; Package encfs. (Tue, 07 Sep 2010 20:15:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>. (Tue, 07 Sep 2010 20:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: encfs
Severity: grave
Tags: security
The following issues were reported to the oss-security mailing list:
----
Hello Steve, vendors,
Micha Riser reported:
[A] http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html
three security flaws in EncFS encrypted filesystem (more from [A]):
"A security analysis of EncFS has revealed multiple vulnerabilities:
(1) Only 32 bit of file IV used
(2) Watermarking attack
(3) Last block with single byte is insecure"
References:
[B] http://www.arg0.net/encfs
[C] http://bugs.gentoo.org/show_bug.cgi?id=335938
[D] http://archives.neohapsis.com/archives/fulldisclosure/2010-08/att-0316/watermark-attack-encfs.tar.gz
[E] https://bugzilla.redhat.com/show_bug.cgi?id=630460
Solutions / patches information:
================================
* for issue (1) -- seems it wasn't fixed / isn't possible to fix without breaking backward compatibility. More from [B]:
"The old IV setup is kept for backwards compatibility."
* for issue (2) -- EncFS upstream has released a fix for the issue:
[F] http://code.google.com/p/encfs/source/detail?r=59
Valient, could you please confirm, the above referenced [F] patch,
is the correct one to address the watermarking attack issue?
* for issue (3) -- not sure about patch status (included in [F] too?)
Steve, could you allocate CVE ids for these flaws?
----
Upstream replied:
----
Jan,
Yes, the patch referenced in [F], specifically changes to SSL_Cipher.cpp, were made in response to issues (1) & (2). These are not backward compatible, and so only apply to new filesystems.
Issue (3) is not directly addressed. A workaround is to enable per-block MAC headers, or per-block random bytes. A patch going into 1.7.2 allows per-block random bytes to be configured independently of MAC headers. It would be possible to change the default settings such that per-block random bytes are always used.
Adding new encryption modes is not planned for encfs 1.x.
regards,
Valient
----
The following CVE assignments have been made:
----
Here goes:
CVE-2010-3073 encfs Only 32 bit of file IV used
CVE-2010-3074 encfs Watermarking attack
CVE-2010-3075 encfs Last block with single byte is insecure
Thanks
-----
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages encfs depends on:
pn fuse-utils <none> (no description available)
pn libboost-serialization1.34.1 <none> (no description available)
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
pn libfuse2 <none> (no description available)
ii libgcc1 1:4.4.4-9 GCC support library
pn librlog1c2a <none> (no description available)
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
encfs recommends no packages.
encfs suggests no packages.
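Upstream's workaround for issue (3) is to enable per-block MAC headers or per-block random bytes. The following audit script is an added example, not code from the bug report or from EncFS: it parses an EncFS 1.7-era `.encfs6.xml` volume config and reports whether either protection is enabled. It assumes the Boost-serialized layout with `blockMACBytes` and `blockMACRandBytes` fields under `<cfg>`; the sample config embedded below is constructed, not taken from a real volume.

```python
"""Audit an EncFS .encfs6.xml for the CVE-2010-3075 workaround state."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real volume): a 1.7-era config with neither
# per-block MAC headers nor per-block random bytes enabled.
SAMPLE_WEAK = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.2</creator>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
</cfg>
</boost_serialization>
"""
# Same constructed config with 8 random bytes per block (the workaround).
SAMPLE_OK = SAMPLE_WEAK.replace("<blockMACRandBytes>0<", "<blockMACRandBytes>8<")


def _int_field(cfg, tag):
    """Read an integer child of <cfg>; a missing field counts as 0."""
    node = cfg.find(tag)
    return int(node.text) if node is not None and node.text else 0


def audit_encfs_config(xml_text):
    """Return the relevant settings plus a list of findings (empty if fine)."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    cfg = ET.fromstring(data).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an .encfs6.xml document")
    mac = _int_field(cfg, "blockMACBytes")
    rand = _int_field(cfg, "blockMACRandBytes")
    findings = []
    if mac == 0 and rand == 0:
        findings.append("CVE-2010-3075 workaround absent: neither per-block "
                        "MAC headers nor per-block random bytes are enabled")
    return {"creator": (cfg.findtext("creator") or "unknown").strip(),
            "blockMACBytes": mac, "blockMACRandBytes": rand,
            "findings": findings}


if __name__ == "__main__":
    # Usage: python audit.py /path/to/.encfs6.xml (defaults to the sample)
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEAK
    report = audit_encfs_config(text)
    print(report)
    sys.exit(1 if report["findings"] else 0)
```

Enabling either setting only takes effect for a newly created volume; the script reports the state and does not rewrite the config.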
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>: Bug#595998; Package encfs. (Wed, 15 Sep 2010 18:03:06 GMT)
Acknowledgement sent to Ariel <asdebian@dsgml.com>: Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Wed, 15 Sep 2010 18:03:06 GMT)
Message #10 received at 595998@bugs.debian.org:
This bug was actually fixed already in encfs uploaded to experimental on Sep 1.
Normally I would suggest uploading it in unstable and asking for an unblock.
But I think a program like encfs needs more testing. In particular 1.7.2 was released on Sep 5 (and is not yet in experimental).
So I think this bug should be ignored for squeeze, unless debian is not released for a few more months.
-Ariel
Reply sent to Eduard Bloch <blade@debian.org>: You have taken responsibility. (Thu, 16 Sep 2010 13:48:07 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Thu, 16 Sep 2010 13:48:08 GMT)
Message #15 received at 595998-close@bugs.debian.org:
Source: encfs
Source-Version: 1.7.2-1
We believe that the bug you reported is fixed in the latest version of
encfs, which is due to be installed in the Debian FTP archive:
encfs_1.7.2-1.debian.tar.gz
to main/e/encfs/encfs_1.7.2-1.debian.tar.gz
encfs_1.7.2-1.dsc
to main/e/encfs/encfs_1.7.2-1.dsc
encfs_1.7.2-1_amd64.deb
to main/e/encfs/encfs_1.7.2-1_amd64.deb
encfs_1.7.2.orig.tar.gz
to main/e/encfs/encfs_1.7.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 595998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated encfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 16 Sep 2010 15:43:04 +0200
Source: encfs
Binary: encfs
Architecture: source amd64
Version: 1.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
encfs - encrypted virtual filesystem
Closes: 595998
Changes:
encfs (1.7.2-1) unstable; urgency=high
.
* New upstream release dealing with security issues (closes: #595998)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 08:42:02 GMT)
Last modified: Wed Jun 19 17:06:44 2019