From 25e9385b786e1876f2c08bebb94c504a7768534c Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Aug 31 2011 10:20:59 +0000
Subject: set the group id in mount.ecryptfs_private (CVE-2011-3145)
---
diff --git a/ecryptfs-utils-87-autoload.patch b/ecryptfs-utils-87-autoload.patch
index bb2229e..344c9be 100644
--- a/ecryptfs-utils-87-autoload.patch
+++ b/ecryptfs-utils-87-autoload.patch
@@ -1,18 +1,31 @@
-diff -up ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-87/src/utils/ecryptfs-setup-private
---- ecryptfs-utils-87/src/utils/ecryptfs-setup-private.autoload 2011-05-26 15:03:03.716014960 +0200
-+++ ecryptfs-utils-87/src/utils/ecryptfs-setup-private 2011-05-26 15:03:03.676014684 +0200
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-mount-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-mount-private.autoload 2011-08-31 12:06:39.561319897 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-mount-private 2011-08-31 12:06:39.589319941 +0200
+@@ -33,6 +33,9 @@ if /sbin/mount.ecryptfs_private >/dev/nu
+ exit 0
+ fi
+ 
++#load kernel module if it's missing, FNE support check would fail otherwise
++[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
++
+ # Otherwise, interactively prompt for the user's password
+ if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then
+ tries=0
+diff -up ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-90/src/utils/ecryptfs-setup-private
+--- ecryptfs-utils-90/src/utils/ecryptfs-setup-private.autoload 2011-08-10 15:35:11.000000000 +0200
++++ ecryptfs-utils-90/src/utils/ecryptfs-setup-private 2011-08-31 12:04:57.344158953 +0200
@@ -101,6 +101,7 @@ random_passphrase () {
 }
 filename_encryption_available() {
-+ [ ! -e /sys/fs/ecryptfs/version ] && ! lsmod | grep -q ecryptfs && /sbin/mount.ecryptfs_private --loadmodule
++ [ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule
 version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
 [ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')"
 [ $(($version & 0x100)) -eq 0 ] && return 1
-diff -up ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c.autoload 2011-05-26 13:35:41.364468265 +0200
-+++ ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-05-26 13:39:34.887345368 +0200
-@@ -387,6 +387,13 @@ int main(int argc, char *argv[]) {
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.autoload 2011-08-31 12:00:46.109786923 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:00:46.116786934 +0200
+@@ -484,6 +484,13 @@ int main(int argc, char *argv[]) {
 char *sig, *sig_fnek;
 FILE *fh_counter = NULL;
diff --git a/ecryptfs-utils-90-CVE-2011-3145.patch b/ecryptfs-utils-90-CVE-2011-3145.patch
new file mode 100644
index 0000000..0c9e3cd
--- /dev/null
+++ b/ecryptfs-utils-90-CVE-2011-3145.patch
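Review bot: The exit status of `/sbin/mount.ecryptfs_private --loadmodule` is discarded on the new `++[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs ...` line added to ecryptfs-mount-private, so when the module cannot be loaded the script goes on to prompt for the passphrase and only fails later; the setup-private copy of the same line is covered by the `error "$(gettext 'Cannot get ecryptfs version, ...')"` check that follows it, but no such check is visible in the mount-private hunk. Consider re-testing the sysfs node after the load attempt and reporting up front, e.g. `[ -e /sys/fs/ecryptfs/version ] || { echo "ecryptfs kernel module not loaded" >&2; exit 1; }` — whether an `error` helper exists in that script cannot be seen from here. The modinfo/loadmodule one-liner now appears verbatim in two scripts; a shared helper would keep that logic in one place. The outer hunk ends in the middle of the inner mount.ecryptfs_private.c hunk (`+@@ -484,6 +484,13 @@`), whose added lines lie outside this hunk.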
@@ -0,0 +1,86 @@
+diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 2011-08-31 12:08:26.479493949 +0200
++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:10:09.014666213 +0200
+@@ -274,12 +274,14 @@ int update_mtab(char *dev, char *mnt, ch
+ int fd;
+ FILE *old_mtab, *new_mtab;
+ struct mntent *old_ent, new_ent;
++ mode_t old_umask;
+ 
+ /* Make an attempt to play nice with other mount helpers
+ * by creating an /etc/mtab~ lock file. Of course this
+ * only works if those other helpers actually check for
+ * this.
+ */
++ old_umask = umask(033);
+ fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644);
+ if (fd < 0) {
+ perror("open");
+@@ -332,6 +334,8 @@ int update_mtab(char *dev, char *mnt, ch
+ 
+ unlink("/etc/mtab~");
+ 
++ umask(old_umask);
++ 
+ return 0;
+ 
+ fail:
+@@ -341,6 +345,7 @@ fail_late:
+ fail_early:
+ endmntent(old_mtab);
+ unlink("/etc/mtab~");
++ umask(old_umask);
+ return 1;
+ }
+ 
+@@ -476,7 +481,7 @@ int zero(FILE *fh) {
+ * c) updating /etc/mtab
+ */
+ int main(int argc, char *argv[]) {
+- int uid, mounting;
++ int uid, gid, mounting;
+ int force = 0;
+ struct passwd *pwd;
+ char *alias, *src, *dest, *opt, *opts2;
+@@ -491,6 +496,7 @@ int main(int argc, char *argv[]) {
+ }
+ 
+ uid = getuid();
++ gid = getgid();
+ /* Non-privileged effective uid is sufficient for all but the code
+ * that mounts, unmounts, and updates /etc/mtab.
+ * Run at a lower privilege until we need it.
+@@ -618,7 +624,14 @@ int main(int argc, char *argv[]) {
+ * the real uid to be that of the user.
+ * And we need the effective uid to be root in order to mount.
+ */
+- setreuid(-1, 0);
++ if (setreuid(-1, 0) < 0) {
++ perror("setreuid");
++ goto fail;
++ }
++ if (setregid(-1, 0) < 0) {
++ perror("setregid");
++ goto fail;
++ }
+ /* Perform mount */
+ if (mount(src, ".", FSTYPE, 0, opt) == 0) {
+ if (update_mtab(src, dest, opt) != 0) {
+@@ -630,6 +643,9 @@ int main(int argc, char *argv[]) {
+ if (setreuid(uid, uid) < 0) {
+ perror("setreuid");
+ }
++ if (setregid(gid, gid) < 0) {
++ perror("setregid");
++ }
+ goto fail;
+ }
+ } else {
+@@ -665,6 +681,7 @@ int main(int argc, char *argv[]) {
+ * Do not use the umount.ecryptfs helper (-i).
+ */
+ setresuid(0,0,0);
++ setresgid(0,0,0);
+ 
+ /* Since we're doing a lazy unmount anyway, just unmount the current
+ * directory. This avoids a lot of complexity in dealing with race
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 91356df..b17d650 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@ Name: ecryptfs-utils
 Version: 90
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
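Review bot: In the new privilege-raising block in main (the `++ if (setregid(-1, 0) < 0)` lines), a failed setregid jumps to `fail` with the effective uid still 0, because the preceding `setreuid(-1, 0)` has already succeeded; the mount-failure branch a few lines below drops back with `setreuid(uid, uid)` before its own `goto fail`, so unless `fail:` (outside the hunk) drops privileges itself, the new path should do the same: `perror("setregid"); setreuid(uid, uid); goto fail;`. In that mount-failure branch the drops run uid first and gid second (`setreuid(uid, uid)` then the new `setregid(gid, gid)`); this appears to succeed only because the target equals the real gid, and the conventional order is to give up the group while the effective uid is still root and the uid last, so swapping the two `if` blocks would make the revocation order mirror the acquisition order. update_mtab now saves the umask before `open("/etc/mtab~", ...)` and restores it on the normal return and at `fail_early`, but the `if (fd < 0) { perror("open");` branch is cut off by the hunk — if it returns directly instead of reaching `fail_early`, the caller keeps running with umask 033. Minor: `gid` is declared `int` next to `uid`; `gid_t gid = getgid();` is the type setregid/setresgid take.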
@@ -47,22 +47,24 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch
 # allow building with -Werror
 Patch999: ecryptfs-utils-75-werror.patch
+Patch13: ecryptfs-utils-90-CVE-2011-3145.patch
+
 # using return after fork() in pam module has some nasty side effects, rhbz#722445
-Patch13: ecryptfs-utils-87-fixpamfork.patch
+Patch14: ecryptfs-utils-87-fixpamfork.patch
 # we need gid==ecryptfs in pam module before mount.ecryptfs_private execution
-Patch14: ecryptfs-utils-87-fixexecgid.patch
+Patch15: ecryptfs-utils-87-fixexecgid.patch
 # do not use zombie process, it causes lock ups at least for ssh login
-Patch15: ecryptfs-utils-87-nozombies.patch
+Patch16: ecryptfs-utils-87-nozombies.patch
 # if we do not use zombies, we have to store passphrase in pam_data and init keyring later
-Patch16: ecryptfs-utils-87-pamdata.patch
+Patch17: ecryptfs-utils-87-pamdata.patch
-# patch16 needs propper const on some places
-Patch17: ecryptfs-utils-87-fixconst.patch
+# patch17 needs propper const on some places
+Patch18: ecryptfs-utils-87-fixconst.patch
-Patch18: ecryptfs-utils-87-syslog.patch
+Patch19: ecryptfs-utils-87-syslog.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
@@ -112,12 +114,13 @@ the interface supplied by the ecryptfs-utils library.
 %patch11 -p1 -b .authconfig
 %patch12 -p1 -b .memcpyfix
 %patch999 -p1 -b .werror
-%patch13 -p1 -b .fixpamfork
-%patch14 -p1 -b .fixexecgid
-%patch15 -p1 -b .nozombies
-%patch16 -p1 -b .pamdata
-%patch17 -p1 -b .fixconst
-%patch18 -p1 -b .syslog
+%patch13 -p1 -b .CVE-2011-3145
+%patch14 -p1 -b .fixpamfork
+%patch15 -p1 -b .fixexecgid
+%patch16 -p1 -b .nozombies
+%patch17 -p1 -b .pamdata
+%patch18 -p1 -b .fixconst
+%patch19 -p1 -b .syslog
 %build
 export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
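Review bot: Inserting the new patch as `Patch13:` renumbers every later patch and its `%patch` line (Patch13–Patch18 become Patch14–Patch19, in both hunks of this section), turning a two-line change into a dozen rewritten lines and making future backports of the renumbered entries harder to match. Declaring it under the next free number, `Patch19: ecryptfs-utils-90-CVE-2011-3145.patch`, and applying it with `%patch19 -p1 -b .CVE-2011-3145` at the point in `%prep` where it must run keeps the existing numbering stable. The re-emitted comment still reads `# patch17 needs propper const on some places`; since the line is rewritten anyway, `proper` could be fixed in the same change.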
@@ -246,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 %changelog
+* Wed Aug 31 2011 Michal Hlavinka - 90-2
+- set the group id in mount.ecryptfs_private (CVE-2011-3145)
+
 * Thu Aug 11 2011 Michal Hlavinka - 90-1
 - security fixes:
 - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832)