diff -Nru ecryptfs-utils-96/debian/changelog ecryptfs-utils-96/debian/changelog --- ecryptfs-utils-96/debian/changelog 2015-03-04 22:39:22.000000000 +0000 +++ ecryptfs-utils-96/debian/changelog 2016-01-15 23:49:17.000000000 +0000 @@ -1,3 +1,15 @@ +ecryptfs-utils (96-0ubuntu3.5) precise-security; urgency=medium + + * SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on + top of pseudo filesystem such as procfs + - debian/patches/CVE-2016-1572.patch: Check the filesystem type of the + mount destination against a whitelist of approved types. + - CVE-2016-1572 + * debian/patches/CVE-2014-9687.patch: Update patch to return an error when a + version 1 wrapped passphrase file could not be read. + + -- Tyler Hicks Fri, 15 Jan 2016 17:49:10 -0600 + ecryptfs-utils (96-0ubuntu3.4) precise-security; urgency=medium * SECURITY UPDATE: Mount passphrase wrapped with a default salt value diff -Nru ecryptfs-utils-96/debian/patches/CVE-2014-9687.patch ecryptfs-utils-96/debian/patches/CVE-2014-9687.patch --- ecryptfs-utils-96/debian/patches/CVE-2014-9687.patch 2015-02-19 20:23:13.000000000 +0000 +++ ecryptfs-utils-96/debian/patches/CVE-2014-9687.patch 2016-01-10 20:58:48.000000000 +0000 @@ -14,6 +14,8 @@ version 2 files when the user successfully logs in with their login password. Author: Tyler Hicks Forwarded: https://code.launchpad.net/~tyhicks/ecryptfs/v2-wrapped-passphrase-files/+merge/249908 +Applied-Upstream: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/839 +Applied-Upstream: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/852 --- src/include/ecryptfs.h | 4 
@@ -471,7 +473,7 @@ + if (fd != -1) close(fd); + -+ return 0; ++ return rc; +} + +/** diff -Nru ecryptfs-utils-96/debian/patches/CVE-2016-1572.patch ecryptfs-utils-96/debian/patches/CVE-2016-1572.patch --- ecryptfs-utils-96/debian/patches/CVE-2016-1572.patch 1970-01-01 00:00:00.000000000 +0000 +++ ecryptfs-utils-96/debian/patches/CVE-2016-1572.patch 2016-01-10 21:12:08.000000000 +0000 
@@ -0,0 +1,106 @@
+From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks
+Date: Thu, 7 Jan 2016 19:39:14 -0600
+Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type
+
+Refuse to mount over non-standard filesystems. Mounting over
+certain types filesystems is a red flag that the user is doing
+something devious, such as mounting over the /proc/self symlink
+target with malicious content in order to confuse programs that may
+attempt to parse those files. (LP: #1530566)
+
+https://launchpad.net/bugs/1530566
+---
+ debian/changelog | 8 +++++
+ src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 69 insertions(+)
+
+diff --git a/src/utils/mount.ecryptfs_private.c b/src/utils/mount.ecryptfs_private.c
+index 8a8cc7b..35d4545 100644
+--- a/src/utils/mount.ecryptfs_private.c
++++ b/src/utils/mount.ecryptfs_private.c
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -216,6 +217,62 @@ err:
+ return NULL;
+ }
+
++static int check_cwd_f_type()
++{
++ /**
++ * This is *not* a list of compatible lower filesystems list for
++ * eCryptfs. This is a list of filesystems that we reasonably expect to
++ * see mount.ecryptfs_private users mounting on top of. In other words,
++ * the filesystem type of the 'target' parameter of mount(2).
++ *
++ * This whitelist is to prevent malicious mount.ecryptfs_private users
++ * from mounting over filesystem types such as PROC_SUPER_MAGIC to
++ * deceive other programs with a crafted /proc/self/*. See
++ * https://launchpad.net/bugs/1530566 for more details.
++ */
++ __SWORD_TYPE f_type_whitelist[] = {
++ 0x61756673 /* AUFS_SUPER_MAGIC */,
++ 0x9123683E /* BTRFS_SUPER_MAGIC */,
++ 0x00C36400 /* CEPH_SUPER_MAGIC */,
++ 0xFF534D42 /* CIFS_MAGIC_NUMBER */,
++ 0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
++ 0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
++ 0xF2F52010 /* F2FS_SUPER_MAGIC */,
++ 0x65735546 /* FUSE_SUPER_MAGIC */,
++ 0x01161970 /* GFS2_MAGIC */,
++ 0x3153464A /* JFS_SUPER_MAGIC */,
++ 0x0000564C /* NCP_SUPER_MAGIC */,
++ 0x00006969 /* NFS_SUPER_MAGIC */,
++ 0x00003434 /* NILFS_SUPER_MAGIC */,
++ 0x5346544E /* NTFS_SB_MAGIC */,
++ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
++ 0x52654973 /* REISERFS_SUPER_MAGIC */,
++ 0x73717368 /* SQUASHFS_MAGIC */,
++ 0x01021994 /* TMPFS_MAGIC */,
++ 0x58465342 /* XFS_SB_MAGIC */,
++ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
++ };
++ struct statfs buf;
++ size_t i, whitelist_len;
++
++ if (statfs(".", &buf) != 0) {
++ fprintf(stderr, "Failed to check filesystem type: %m\n");
++ return 1;
++ }
++
++ whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
++ for (i = 0; i < whitelist_len; i++) {
++ if (buf.f_type == f_type_whitelist[i]) {
++ return 0;
++ }
++ }
++
++ fprintf(stderr,
++ "Refusing to mount over an unapproved filesystem type: %#lx\n",
++ buf.f_type);
++ return 1;
++}
++
+ int check_ownership_mnt(int uid, char **mnt) {
+ /* Check ownership of mount point, chdir into it, and
+ * canonicalize the path for use in mtab updating.
+@@ -616,6 +673,10 @@ int main(int argc, char *argv[]) {
+ goto fail;
+ }
+
++ if (check_cwd_f_type() != 0) {
++ goto fail;
++ }
++
+ if (mounting == 1) {
+ /* Increment mount counter, errors non-fatal */
+ if (increment(fh_counter) < 0) {
+--
+2.5.0
+
diff -Nru ecryptfs-utils-96/debian/patches/series ecryptfs-utils-96/debian/patches/series
--- ecryptfs-utils-96/debian/patches/series 2015-03-04 22:38:12.000000000 +0000
+++ ecryptfs-utils-96/debian/patches/series 2016-01-15 23:48:02.000000000 +0000
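Review bot: check_cwd_f_type() calls `statfs(".", &buf)`, so it vets whatever the current directory happens to be rather than a named mount target, and nothing at the function states which caller state makes that valid. The context comment on check_ownership_mnt() mentions a chdir into the mount point and the new call in main() presumably runs after it, but main()'s body starts and ends outside the hunk, so I would add above the function `/* Caller must already have chdir()ed into the mount destination; statfs(".") inspects the cwd. */`. Separately, `buf.f_type` is compared against a `__SWORD_TYPE` array but printed with `%#lx`, which is a format mismatch on any ABI where that type is not `long`; pass `(unsigned long) buf.f_type` instead. The empty parameter list would also be better written as `check_cwd_f_type(void)`.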
@@ -2,3 +2,4 @@
 setup-swap-skip-zram.patch
 fix-private-mount-race.patch
 CVE-2014-9687.patch
+CVE-2016-1572.patch