ecryptfs-setup-private potentially exposes passwords in the process table

Bug #287908 reported by Dustin Kirkland 
Affects | Status | Importance | Assigned to | Milestone
eCryptfs | Fix Released | Undecided | Unassigned |
ecryptfs-utils (Ubuntu) | Fix Released | Critical | Dustin Kirkland |
Intrepid | Fix Released | Critical | Dustin Kirkland |

Bug Description

Binary package hint: ecryptfs-utils

ecryptfs-setup-private potentially exposes passwords in the process table.

There are two calls in ecryptfs-setup-private to helper utilities:
 * ecryptfs-wrap-passphrase
 * ecryptfs-add-passphrase
that use passwords on the command line.

There is a small yet real possibility that these passwords could be exposed on the process table momentarily.

To fix this problem, we need to:
 a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take passphrases on stdin
 b) modify the callers to use a dash/bash builtin function (such as echo or printf) to send these passphrases to those utilities on standard in

Thanks to Jamie Strandboge for the bug report.

:-Dustin
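
The difference between the two calling conventions described in this report, as an added example that is not part of the original bug report or the ecryptfs-utils code: a hypothetical stand-in helper receives a constructed sample passphrase first as an argument and then on stdin, and the script checks whether the passphrase appears in the helper's argv. The names `helper`, `observe` and `argv_of` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not ecryptfs code. SECRET is a constructed sample value;
# "helper" is a hypothetical stand-in for a passphrase-consuming utility.
SECRET='constructed-sample-passphrase'
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
mkfifo "$WORK/ready" "$WORK/done"

# Helper: takes the passphrase as $1, or from stdin when $1 is "-".
# It then signals readiness and blocks so its argv can be inspected.
cat > "$WORK/helper" <<'EOF'
if [ "$1" = "-" ]; then IFS= read -r pass; else pass=$1; fi
echo ready > "$2"
read -r reply < "$3"
EOF

# argv of a PID as other local users can see it (the data ps(1) prints).
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start the helper with the secret passed by argv or by stdin, then report
# whether the secret shows up in the helper's argv: "exposed" or "hidden".
observe() {
    if [ "$1" = argv ]; then
        sh "$WORK/helper" "$SECRET" "$WORK/ready" "$WORK/done" &
    else
        # printf is a shell builtin, so no new process carries the secret in
        # its argv; an external /bin/echo here would reintroduce the leak.
        printf '%s\n' "$SECRET" | sh "$WORK/helper" - "$WORK/ready" "$WORK/done" &
    fi
    pid=$!
    read -r reply < "$WORK/ready"      # wait until the helper is running
    case $(argv_of "$pid") in
        *"$SECRET"*) result=exposed ;;
        *) result=hidden ;;
    esac
    echo go > "$WORK/done"             # release the helper
    wait "$pid"
    echo "$result"
}

echo "passphrase via argv:  $(observe argv)"
echo "passphrase via stdin: $(observe stdin)"
```

The two FIFOs only keep the helper alive and synchronized while its argv is read, so the result does not depend on timing.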

Changed in ecryptfs-utils:
assignee: nobody → kirkland
importance: Undecided → Critical
status: New → In Progress
Dustin Kirkland  (kirkland) wrote :

This is the patch to solve this for the ecryptfs-add-passphrase and ecryptfs-wrap-passphrase utilities. The rest of the ecryptfs*passphrase* utilities should be solved in a similar manner. These are the most important two, as well as the callers in ecryptfs-setup-private.

This should be released for Intrepid.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Attached debdiff solves this bug, as well as bug #287906.

Requesting sponsorship prior to Intrepid GA.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Updated debdiff.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Updated debdiff.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Updated debdiff. Thoroughly tested:

 * ecryptfs-add-passphrase:
   - tested with no and bad parameters, still shows usage statement
   - regression tested with command line parameters, and using stdin
   - verified that passphrase makes it into the keyring
     . check with "keyctl show"
     . clear with "keyctl clear @u"
   - tested adding arbitrary trailing newline characters and no newline character
     . verifying fgets() is working as expected

 * ecryptfs-wrap-passphrase:
   - tested with no and bad parameters, still shows usage statement
   - regression tested with command line parameters, and using stdin
   - verify that the passphrase gets encrypted
     . cat encrypted file
   - verify that the passphrase can be decrypted with the encryption passphrase
     . ecryptfs-unwrap-passphrase

 * ecryptfs-setup-private:
   - tested with good and bad passphrases
   - tested on the command line, and interactively
   - unwrapped the passphrases written by ecryptfs-setup-private
   - mounted/unmounted
   - logged out, mounted/unmounted
   - rebooted, mounted/unmounted

:-Dustin

Changed in ecryptfs-utils:
status: In Progress → Fix Committed
Changed in ecryptfs-utils:
milestone: none → ubuntu-8.10
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 53-1ubuntu11

---------------
ecryptfs-utils (53-1ubuntu11) intrepid; urgency=low

  * debian/patches/55_check_password_and_remove_from_proc.dpatch:
    Fix ecryptfs-add-passphrase and ecryptfs-wrap-passphrase to take
    passphrases on standard, to protect from disclosure on the process
    table; fix callers in ecryptfs-setup-private (LP: #287908).
    Validate that the user password is correct with unix_chkpwd (LP: #287906).
  * debian/patches/00list: updated accordingly

 -- Dustin Kirkland <email address hidden> Thu, 23 Oct 2008 12:53:30 -0500

Changed in ecryptfs-utils:
status: Fix Committed → Fix Released
Changed in ecryptfs:
status: New → Fix Released