Ubuntu
ecryptfs-utils package

mount.ecrpytfs_private sets group owner of /etc/mtab to user's primary group

Bug #830850 reported by John L. Templer on 2011-08-22

346

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	ecryptfs-utils (Ubuntu)	Fix Released	High	Marc Deslauriers	Ubuntu ubuntu-11.10-beta-2
	Oneiric	Fix Released	High	Marc Deslauriers	Ubuntu ubuntu-11.10-beta-2

Bug Description

When mount.ecrpytfs_private calls set setreuid() it doesn't also set the effective group id. So when it creates the new version, mtab.tmp, it's created with the group id of the user running mount.ecryptfs_private.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: ecryptfs-utils 87-0ubuntu1.1
ProcVersionSignature: Ubuntu 2.6.38-11.48-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic i686
Architecture: i386
Date: Mon Aug 22 00:41:43 2011
EcryptfsInUse: Yes
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ecryptfs-utils
UpgradeStatus: Upgraded to natty on 2011-04-30 (113 days ago)

Tags:

Related branches

lp:ubuntu/lucid-security/ecryptfs-utils

lp:ubuntu/maverick-security/ecryptfs-utils

lp:ubuntu/natty-security/ecryptfs-utils

lp:~ecryptfs/ecryptfs/oldtrunk (Merged)

lp:ubuntu/oneiric/ecryptfs-utils

CVE References

2011-3145

Revision history for this message

John L. Templer (green-tiger) wrote on 2011-08-22:

Dependencies.txt Edit (969 bytes, text/plain; charset="utf-8")

Marc Deslauriers (mdeslaur) on 2011-08-22

Changed in ecryptfs-utils (Ubuntu):
status:	New → Confirmed
importance:	Undecided → High
security vulnerability:	no → yes
visibility:	public → private

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2011-08-22:

Thanks for reporting this issue. We are working on a fix.

Changed in ecryptfs-utils (Ubuntu):
assignee:	nobody → Marc Deslauriers (mdeslaur)

Revision history for this message

Dan Rosenberg (dan-j-rosenberg) wrote on 2011-08-22:

Sigh. For the record, this issue existed prior to the recent fixes...sorry for missing it. Additionally, this by itself doesn't seem to be a vulnerability, since a mis-assigned group ID on mtab doesn't actually allow the unprivileged user to cross any privilege boundaries. But good catch, definitely a bug and worth fixing.

The more problematic issue is that every setuid mount helper that doesn't explicitly set its umask prior to invoking setmntent() will create an mtab-like file that is potentially world-writable, opening a race window in the best-case scenario.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-08-23:

This bug was fixed in the package ecryptfs-utils - 87-0ubuntu1.2

---------------
ecryptfs-utils (87-0ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850)
    - debian/patches/CVE-2011-3145.patch: also set gid and umask before
      updating mtab in src/utils/mount.ecryptfs_private.c.
    - CVE-2011-3145
-- Marc Deslauriers <email address hidden> Mon, 22 Aug 2011 14:10:47 -0400

Changed in ecryptfs-utils (Ubuntu):
status:	Confirmed → Fix Released

Marc Deslauriers (mdeslaur) on 2011-08-23

visibility:

private → public

Revision history for this message

Kasper Dupont (ubuntu-launchpad-feb) wrote on 2011-08-24:

Something is also creating /etc/mtab.fuselock with incorrect group. It doesn't always happen simultaneously though as on my system I found that /etc/mtab and /etc/mtab.fuselock had two different gropus (both incorrect).

Dustin Kirkland  (kirkland) on 2011-08-31

Changed in ecryptfs-utils (Ubuntu Oneiric):
milestone:	none → oneiric-updates
milestone:	oneiric-updates → ubuntu-11.10-beta-1
status:	Fix Released → Fix Committed

Revision history for this message

Martin Pitt (pitti) wrote on 2011-09-01:

I'm afraid we can't afford yet another respin, the release is today. But as this was fixed in stables, I suppose it can also be fixed with an update in oneiric. Moving milestone.

Changed in ecryptfs-utils (Ubuntu Oneiric):
milestone:	ubuntu-11.10-beta-1 → ubuntu-11.10-beta-2

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-09-01:

This bug was fixed in the package ecryptfs-utils - 91-0ubuntu1

---------------
ecryptfs-utils (91-0ubuntu1) oneiric; urgency=low

  [ Diego E. "Flameeyes" Pettenò ]
  * configure.ac:
    - fix reliance on nss-config, which hinders cross-compilation

  [ Marc Deslauriers ]
  * src/utils/mount.ecryptfs_private.c:
  * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850)
    - debian/patches/CVE-2011-3145.patch: also set gid and umask before
      updating mtab in src/utils/mount.ecryptfs_private.c.
    - CVE-2011-3145
-- Dustin Kirkland <email address hidden> Wed, 31 Aug 2011 16:44:22 -0500