Change log for ecryptfs-utils package in Ubuntu
Published in plucky-release
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
ecryptfs-utils (111-6ubuntu3) noble; urgency=medium
  * No-change rebuild for CVE-2024-3094
 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 18:10:35 +0000
Available diffs
- diff from 111-6ubuntu2 to 111-6ubuntu3 (318 bytes)
ecryptfs-utils (111-6ubuntu2) noble; urgency=medium
  * No-change rebuild against libgpgme t64.
 -- Matthias Klose <email address hidden>  Fri, 15 Mar 2024 17:26:22 +0100
Available diffs
- diff from 111-5ubuntu1 to 111-6ubuntu2 (1.7 KiB)
- diff from 111-6ubuntu1 to 111-6ubuntu2 (328 bytes)
Superseded in noble-proposed
ecryptfs-utils (111-6ubuntu1) noble; urgency=medium
  * Merge with Debian; remaining changes:
  * debian/patches/swapfile-support.patch: Fix swapfile support. (LP: #1670336)
    - src/utils/ecryptfs-setup-swap: revise script for a world with swapfiles.
    - src/utils/ecryptfs-setup-swap: make sure we can restart ecryptfs with systemd.
Available diffs
- diff from 111-5ubuntu1 to 111-6ubuntu1 (1.7 KiB)
Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Published in mantic-release
Published in lunar-release
Obsolete in kinetic-release
Published in jammy-release
Obsolete in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
ecryptfs-utils (111-5ubuntu1) hirsute; urgency=medium
  * Merge from Debian, remaining changes:
  * debian/patches/swapfile-support.patch: Fix swapfile support. (LP: #1670336)
    - src/utils/ecryptfs-setup-swap: revise script for a world with swapfiles.
    - src/utils/ecryptfs-setup-swap: make sure we can restart ecryptfs with systemd.
Available diffs
- diff from 111-0ubuntu7 to 111-5ubuntu1 (35.0 KiB)
Superseded in hirsute-release
Obsolete in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
ecryptfs-utils (111-0ubuntu7) focal; urgency=medium
  * Build using python2.
 -- Matthias Klose <email address hidden>  Wed, 18 Mar 2020 09:17:11 +0100
Available diffs
- diff from 111-0ubuntu6 to 111-0ubuntu7 (450 bytes)
ecryptfs-utils (111-0ubuntu6) focal; urgency=medium
  * No-change rebuild to generate dependencies on python2.
 -- Matthias Klose <email address hidden>  Tue, 17 Dec 2019 12:32:45 +0000
Available diffs
- diff from 111-0ubuntu5 to 111-0ubuntu6 (328 bytes)
Superseded in focal-release
Obsolete in eoan-release
Obsolete in disco-release
Obsolete in cosmic-release
Published in bionic-release
Superseded in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
ecryptfs-utils (111-0ubuntu5) artful; urgency=medium
  [ Alberto Pianon ]
  * debian/patches/swapfile-support.patch: Fix swapfile support. (LP: #1670336)
    - src/utils/ecryptfs-setup-swap: revise script for a world with swapfiles.
    - src/utils/ecryptfs-setup-swap: make sure we can restart ecryptfs with systemd.
 -- Mathieu Trudel-Lapierre <email address hidden>  Mon, 25 Sep 2017 13:31:22 -0400
Available diffs
- diff from 111-0ubuntu4 to 111-0ubuntu5 (1.3 KiB)
Superseded in artful-release
Obsolete in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
ecryptfs-utils (111-0ubuntu4) yakkety; urgency=medium
  * Drop the hard-coded libnss3-1d dependency.
 -- Matthias Klose <email address hidden>  Tue, 13 Sep 2016 11:34:34 +0200
Available diffs
- diff from 111-0ubuntu3 to 111-0ubuntu4 (448 bytes)
ecryptfs-utils (111-0ubuntu3) yakkety; urgency=medium
  * No-change rebuild for NSS.
 -- Matthias Klose <email address hidden>  Tue, 13 Sep 2016 09:34:49 +0200
Available diffs
- diff from 111-0ubuntu2 to 111-0ubuntu3 (355 bytes)
ecryptfs-utils (111-0ubuntu2) yakkety; urgency=medium
  * SECURITY UPDATE: Information exposure via unencrypted swap partitions. The swap partition was not configured to use encryption when GPT partitioning was in use on NVMe and MMC drives.
    - debian/patches/CVE-2016-6224.patch: Properly handle the formatting of the path to swap partitions on NVMe and MMC drives so that they're correctly marked as not to be automatically mounted by systemd. Based on upstream patch from Jason Gerard DeRose. (LP: #1597154)
    - debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions that have mistakenly remained marked as auto mount. This should only modify the swap partitions on systems that ecryptfs-setup-swap has been used on. (LP: #1447282, LP: #1597154)
    - CVE-2016-6224
 -- Tyler Hicks <email address hidden>  Thu, 14 Jul 2016 18:48:53 -0500
Available diffs
- diff from 111-0ubuntu1 to 111-0ubuntu2 (2.1 KiB)
ecryptfs-utils (108-0ubuntu1.2) wily-security; urgency=medium
  * SECURITY UPDATE: Information exposure via unencrypted swap partitions. The swap partition was not configured to use encryption when GPT partitioning was in use on NVMe and MMC drives.
    - debian/patches/set-up-encrypted-swap-on-nvme-and-mmc.patch: Properly handle the formatting of the path to swap partitions on NVMe and MMC drives so that they're correctly marked as not to be automatically mounted by systemd. Based on upstream patch from Jason Gerard DeRose. (LP: #1597154)
    - debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions that have mistakenly remained marked as auto mount. This should only modify the swap partitions on systems that ecryptfs-setup-swap has been used on. (LP: #1447282, LP: #1597154)
    - CVE not yet assigned
 -- Tyler Hicks <email address hidden>  Wed, 13 Jul 2016 00:57:21 -0500
ecryptfs-utils (111-0ubuntu1.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Information exposure via unencrypted swap partitions. The swap partition was not configured to use encryption when GPT partitioning was in use on NVMe and MMC drives.
    - debian/patches/set-up-encrypted-swap-on-nvme-and-mmc.patch: Properly handle the formatting of the path to swap partitions on NVMe and MMC drives so that they're correctly marked as not to be automatically mounted by systemd. Based on upstream patch from Jason Gerard DeRose. (LP: #1597154)
    - debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions that have mistakenly remained marked as auto mount. This should only modify the swap partitions on systems that ecryptfs-setup-swap has been used on. (LP: #1447282, LP: #1597154)
    - CVE not yet assigned
 -- Tyler Hicks <email address hidden>  Wed, 13 Jul 2016 00:36:59 -0500
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
ecryptfs-utils (111-0ubuntu1) xenial; urgency=medium
  * src/utils/ecryptfs-setup-private: LP: #1328689
    - fix a long standing bug, where setting up an encrypted private, encrypted home, or migrating to an encrypted home did not work correctly over ssh sessions
    - the root cause of the bug is some complexity in the handling of user keyrings and session keyrings
    - the long term solution would be to correctly use session keyrings
    - the short term solution is to continue linking user and session keyrings
  * xenial
 -- Dustin Kirkland <email address hidden>  Fri, 26 Feb 2016 17:58:16 -0600
Available diffs
- diff from 110-0ubuntu1 to 111-0ubuntu1 (2.0 KiB)
ecryptfs-utils (110-0ubuntu1) xenial; urgency=medium
  [ Tyler Hicks ]
  * Remove unnecessary dependencies in the Debian packaging (LP: #1548975)
    - debian/control: Remove opencryptoki from ecryptfs-utils Suggests and libopencryptoki-dev from libecryptfs-dev Depends as openCryptoki is not a dependency of eCryptfs.
    - debian/rules: Remove openCryptoki related logic since it was not being used and is no longer needed
    - debian/control: Remove libtspi-dev from libecryptfs-dev Depends since --disable-tspi is passed to the configure script
    - debian/control: Remove libpkcs11-helper1-dev from libecryptfs-dev Depends since --disable-pkcs11-helper is passed to the configure script
    - debian/control: Remove libgpg-error-dev and libgpgme11-dev from libecryptfs-dev Depends since --disable-gpg is passed to the configure script
    - debian/control: Remove libgcrypt11-dev from Build-Depends and libecryptfs-dev Depends since --enable-nss is passed to the configure script to use NSS instead of Libgcrypt
    - debian/control: Remove libkeyutils-dev and libpam0g-dev from libecryptfs-dev Depends since these are build-time dependencies and not run-time dependencies
  [ Dustin Kirkland ]
  * xenial
 -- Dustin Kirkland <email address hidden>  Tue, 23 Feb 2016 17:29:37 -0500
Available diffs
- diff from 109-0ubuntu1 to 110-0ubuntu1 (181.8 KiB)
ecryptfs-utils (109-0ubuntu1) xenial; urgency=medium
  [ Maikel ]
  * doc/manpage/ecryptfs-migrate-home.8: Fix typos in man page (LP: #1518787)
  [ Kylie McClain ]
  * src/utils/mount.ecryptfs.c, src/utils/mount.ecryptfs_private.c: Fix build issues on musl libc (LP: #1514625)
  [ Colin Ian King ]
  * src/daemon/main.c:
    - Static analysis with Clang's scan-build shows that we can potentially overflow the input buffer if the input is equal or more than the buffer size. Need to guard against this by:
      1. Only reading in input_size - 1 chars
      2. Checking earlier on to see if input_size is valid to ensure that we read in at least 1 char
  [ Tyler Hicks ]
  * src/utils/mount.ecryptfs_private.c:
    - Refuse to mount over non-standard filesystems. Mounting over certain types of filesystems is a red flag that the user is doing something devious, such as mounting over the /proc/self symlink target with malicious content in order to confuse programs that may attempt to parse those files. (LP: #1530566)
  [ Dustin Kirkland ]
  * xenial
 -- Dustin Kirkland <email address hidden>  Fri, 22 Jan 2016 10:05:35 -0600
Available diffs
- diff from 108-0ubuntu1 to 109-0ubuntu1 (27.3 KiB)
ecryptfs-utils (96-0ubuntu3.5) precise-security; urgency=medium
  * SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on top of pseudo filesystem such as procfs
    - debian/patches/CVE-2016-1572.patch: Check the filesystem type of the mount destination against a whitelist of approved types.
    - CVE-2016-1572
  * debian/patches/CVE-2014-9687.patch: Update patch to return an error when a version 1 wrapped passphrase file could not be read.
 -- Tyler Hicks <email address hidden>  Fri, 15 Jan 2016 17:49:10 -0600
ecryptfs-utils (104-0ubuntu1.14.04.4) trusty-security; urgency=medium
  * SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on top of pseudo filesystem such as procfs
    - debian/patches/CVE-2016-1572.patch: Check the filesystem type of the mount destination against a whitelist of approved types.
    - CVE-2016-1572
  * debian/patches/CVE-2014-9687.patch: Update patch to return an error when a version 1 wrapped passphrase file could not be read.
 -- Tyler Hicks <email address hidden>  Fri, 15 Jan 2016 17:48:52 -0600
ecryptfs-utils (107-0ubuntu1.3) vivid-security; urgency=medium
  * SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on top of pseudo filesystem such as procfs
    - debian/patches/CVE-2016-1572.patch: Check the filesystem type of the mount destination against a whitelist of approved types.
    - CVE-2016-1572
 -- Tyler Hicks <email address hidden>  Fri, 15 Jan 2016 17:48:42 -0600
ecryptfs-utils (108-0ubuntu1.1) wily-security; urgency=medium
  * SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on top of pseudo filesystem such as procfs
    - debian/patches/CVE-2016-1572.patch: Check the filesystem type of the mount destination against a whitelist of approved types.
    - CVE-2016-1572
 -- Tyler Hicks <email address hidden>  Fri, 15 Jan 2016 17:48:15 -0600
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
ecryptfs-utils (108-0ubuntu1) wily; urgency=medium
  [ Martin Pitt ]
  * src/utils/ecryptfs-setup-swap:
    - Add setup-swap-check-links.patch: When commenting out existing swap, also consider device symlinks like /dev/mapper/ubuntu--vg-swap_1 or /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and manual setups. (LP: #1453738)
  * src/utils/ecryptfs-setup-swap, debian/ecryptfs-utils.postinst:
    - On upgrade, uncomment underlying unencrypted swap partitions that are referred to by a device link when crypttab and fstab have a "cryptswap*" device referring to them.
  * debian/control, debian/libecryptfs0.install, debian/libecryptfs0.links, debian/libecryptfs0.shlibs:
    - Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has actually shipped libecryptfs.so.1 since at least trusty. Add C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until after 16.04 LTS.
  [ Tyler Hicks ]
  * src/utils/mount.ecryptfs_private.c: Implement proper option parsing to restore the -f option when unmounting and display a helpful usage message (LP: #1454388)
  * src/utils/mount.ecryptfs_private.c: Add an option, -d, to umount.ecryptfs_private to treat the situation where the encrypted private session counter is nonzero, after decrementing it, as a non-error situation. No error message is printed to stderr and the exit status is 0.
  * src/pam_ecryptfs/pam_ecryptfs.c: Use the new umount.ecryptfs_private '-d' option to silence the error message that was printed to stderr when the encrypted private session counter is nonzero after being decremented. (LP: #1454319)
  * src/utils/ecryptfs-umount-private: Return 1 if umount.ecryptfs_private encounters an error. The ecryptfs-umount-private script was previously returning 0 even when umount.ecryptfs_private exited upon error.
  * debian/control: Fix 'Please add dh-python package to Build-Depends' build warning
  [ Dustin Kirkland ]
  * debian/libecryptfs1.install, debian/libecryptfs1.links, debian/libecryptfs1.shlibs:
    - fix ftbfs, add missing files
  * wily
 -- Dustin Kirkland <email address hidden>  Thu, 06 Aug 2015 12:46:37 -0500
Available diffs
- diff from 107-0ubuntu3 to 108-0ubuntu1 (7.6 KiB)
ecryptfs-utils (107-0ubuntu3) wily; urgency=medium * Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has actually shipped libecryptfs.so.1 since at least trusty. Add C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until after 16.04 LTS.
Available diffs
- diff from 107-0ubuntu1.1 to 107-0ubuntu3 (2.2 KiB)
- diff from 107-0ubuntu2 to 107-0ubuntu3 (1.0 KiB)
Superseded in wily-proposed
ecryptfs-utils (107-0ubuntu2) wily; urgency=medium
  * Add setup-swap-check-links.patch: When commenting out existing swap, also consider device symlinks like /dev/mapper/ubuntu--vg-swap_1 or /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and manual setups. (LP: #1453738)
  * debian/ecryptfs-utils.postinst: On upgrade, uncomment underlying unencrypted swap partitions that are referred to by a device link when crypttab and fstab have a "cryptswap*" device referring to them.
 -- Martin Pitt <email address hidden>  Thu, 09 Jul 2015 09:04:27 +0200
Available diffs
- diff from 107-0ubuntu1.1 to 107-0ubuntu2 (1.5 KiB)
ecryptfs-utils (107-0ubuntu1.2) vivid-proposed; urgency=medium
  * Add setup-swap-check-links.patch: When commenting out existing swap, also consider device symlinks like /dev/mapper/ubuntu--vg-swap_1 or /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and manual setups. (LP: #1453738)
  * debian/ecryptfs-utils.postinst: On upgrade, uncomment underlying unencrypted swap partitions that are referred to by a device link when crypttab and fstab have a "cryptswap*" device referring to them.
 -- Martin Pitt <email address hidden>  Thu, 09 Jul 2015 09:04:27 +0200
Superseded in wily-release
Superseded in vivid-updates
Deleted in vivid-proposed (Reason: moved to -updates)
ecryptfs-utils (107-0ubuntu1.1) vivid; urgency=medium
  * Add setup-swap-mark-gpt-noauto.patch: In ecryptfs-setup-swap, mark the "fake" underlying unencrypted swap partition as no-auto. Without that, the swap partition gets auto-activated under systemd as it cannot be told apart from a real unencrypted swap partition.
  * debian/ecryptfs-utils.postinst: Fix existing GPT installations with cryptswap1 and an offset= for the above issue. (LP: #1447282)
 -- Martin Pitt <email address hidden>  Fri, 24 Apr 2015 12:15:12 +0100
Available diffs
- diff from 107-0ubuntu1 to 107-0ubuntu1.1 (1.7 KiB)
Superseded in wily-release
Obsolete in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
ecryptfs-utils (107-0ubuntu1) vivid; urgency=medium
  [ Dustin Kirkland ]
  * scripts/release.sh:
    - a few more release script improvements, build the source package for the Ubuntu development distro
  * debian/control:
    - build depend on distro-info, which we use in our release script
  * vivid
  [ Tyler Hicks ]
  * src/libecryptfs/key_management.c:
    - Fix a regression when reading version 1 wrapped passphrase files. A return code indicating success was always returned even when an error was encountered. The impact is low since the error situation is still caught when validating either the wrapping password's signature or the wrapped passphrase's signature. Thanks to László Böszörményi for catching this mistake.
    - Reject empty passphrases passed into ecryptfs_wrap_passphrase()
  * src/libecryptfs/main.c:
    - Reject empty wrapping passphrases passed into generate_passphrase_sig()
 -- Dustin Kirkland <email address hidden>  Thu, 26 Mar 2015 18:02:29 -0500
Available diffs
- diff from 106-0ubuntu1 to 107-0ubuntu1 (2.8 KiB)
ecryptfs-utils (106-0ubuntu1) vivid; urgency=medium
  [ Dustin Kirkland and Martin Pitt ]
  * debian/ecryptfs-utils.postinst: LP: #953875
    - detect and clean up after nonexisting cryptswap devices
  [ Tyler Hicks ]
  * tests/userspace/Makefile.am: Fix the 'make check' failure present in the ecryptfs-utils-105 release tarball. The failure was due to the automake file not specifying that some data files should be distributed as part of the v1-to-v2-wrapped-passphrase test, causing the test to fail due to the missing files.
  [ Dustin Kirkland ]
  * scripts/release.sh:
    - ensure that we try a binary build as part of the release process
    - make sure we're in the original working directory when we release
    - remove the -x option, too noisy
  * vivid
  * vivid
  * vivid
 -- Dustin Kirkland <email address hidden>  Wed, 11 Mar 2015 18:42:19 -0500
Available diffs
- diff from 104-0ubuntu1 to 106-0ubuntu1 (34.0 KiB)
- diff from 105-0ubuntu1 to 106-0ubuntu1 (8.5 KiB)
Superseded in vivid-proposed
ecryptfs-utils (105-0ubuntu1) vivid; urgency=low
  [ Dustin Kirkland ]
  * doc/manpage/ecryptfs.7: LP: #1267640
    - fix inconsistency in man page for passphrase_passwd_file format
  * doc/manpage/ecryptfs-setup-private.1, src/utils/ecryptfs-setup-private, src/utils/ecryptfs-setup-swap: LP: #1420424
    - use /dev/random rather than /dev/urandom for long lived keys
  * src/utils/ecryptfs-setup-private:
    - use /dev/urandom for our testing, as we read a lot of info
  * src/utils/ecryptfs-setup-swap: LP: #953875, #1086140
    - fix a whitespace bug in a grep, that might cause us to not comment out the old swap space in /etc/fstab
    - offset the start of the encrypted swap space by 1KB, which ensures that we don't overwrite the UUID label on the header of the partition
    - use the aes-xts block cipher, and plain64 initialization vector, which are current best practice here
    - fixed a grammar nitpick
  [ Colin King ]
  * src/libecryptfs/key_management.c, src/utils/mount.ecryptfs.c:
    - A couple of minor fixes: Fix a memory leak and handle out of memory error, as found by using cppcheck.
  * src/utils/mount.ecryptfs.c
    - fix potential double free on yesno if get_string_stdin exits early without allocating a new buffer and we free yesno on the exit clean up path.
  * src/libecryptfs/cmd_ln_parser.c
    - remove redundant if / goto statement that does nothing.
  [ Anders Kaseorg ]
  * src/pam_ecryptfs/pam_ecryptfs.c: exit (not return) from forked child on error (LP: #1323421)
  [ Tyler Hicks ]
  * Introduce the version 2 wrapped-passphrase file format. It adds the ability to combine a randomly generated salt with the wrapping password (typically, a user's login password) prior to performing key strengthening. The version 2 file format is considered to be an intermediate step in strengthening the wrapped-passphrase files of existing encrypted home/private users. Support for reading/writing version 2 wrapped-passphrase files and transparent migration, through pam_ecryptfs, from version 1 to version 2 files is considered safe enough to backport to stable distro releases. The libecryptfs ABI around wrapped-passphrase file handling is not broken.
    - CVE-2014-9687
  * Run wrap-unwrap.sh test as part of the make check target.
  * Add a new test, called v1-to-v2-wrapped-passphrase.sh, which is suitable for the make check target and verifies v1 to v2 wrapped-passphrase file migration.
  * Create a temporary file when creating a new wrapped-passphrase file and copy it to its final destination after the file has been fully synced to disk (LP: #1020902)
 -- Dustin Kirkland <email address hidden>  Wed, 11 Mar 2015 10:28:15 -0500
Available diffs
- diff from 104-0ubuntu1 to 105-0ubuntu1 (26.1 KiB)
ecryptfs-utils (104-0ubuntu1.14.10.3) utopic-security; urgency=medium
  * SECURITY UPDATE: Mount passphrase wrapped with a default salt value
    - debian/patches/CVE-2014-9687.patch: Generate a random salt when wrapping the mount passphrase. If a user has a mount passphrase that was wrapped using the default salt, their mount passphrase will be rewrapped using a random salt when they log in with their password.
    - debian/patches/CVE-2014-9687.patch: Create a temporary file when creating a new wrapped-passphrase file and copy it to its final destination after the file has been fully synced to disk (LP: #1020902)
    - debian/rules: Set the executable bit on the v1-to-v2-wrapped-passphrase.sh test script that was created by wrapping-passphrase-salt.patch
    - CVE-2014-9687
 -- Tyler Hicks <email address hidden>  Wed, 04 Mar 2015 16:40:18 -0600
ecryptfs-utils (104-0ubuntu1.14.04.3) trusty-security; urgency=medium
  * SECURITY UPDATE: Mount passphrase wrapped with a default salt value
    - debian/patches/CVE-2014-9687.patch: Generate a random salt when wrapping the mount passphrase. If a user has a mount passphrase that was wrapped using the default salt, their mount passphrase will be rewrapped using a random salt when they log in with their password.
    - debian/patches/CVE-2014-9687.patch: Create a temporary file when creating a new wrapped-passphrase file and copy it to its final destination after the file has been fully synced to disk (LP: #1020902)
    - debian/rules: Set the executable bit on the v1-to-v2-wrapped-passphrase.sh test script that was created by wrapping-passphrase-salt.patch
    - CVE-2014-9687
 -- Tyler Hicks <email address hidden>  Wed, 04 Mar 2015 16:39:28 -0600
ecryptfs-utils (96-0ubuntu3.4) precise-security; urgency=medium
  * SECURITY UPDATE: Mount passphrase wrapped with a default salt value
    - debian/patches/CVE-2014-9687.patch: Generate a random salt when wrapping the mount passphrase. If a user has a mount passphrase that was wrapped using the default salt, their mount passphrase will be rewrapped using a random salt when they log in with their password.
    - debian/patches/CVE-2014-9687.patch: Create a temporary file when creating a new wrapped-passphrase file and copy it to its final destination after the file has been fully synced to disk (LP: #1020902)
    - debian/rules: Set the executable bit on the wrap-unwrap.sh and v1-to-v2-wrapped-passphrase.sh test scripts that were created by wrapping-passphrase-salt.patch
    - CVE-2014-9687
 -- Tyler Hicks <email address hidden>  Wed, 04 Mar 2015 16:38:14 -0600
ecryptfs-utils (83-0ubuntu3.2.10.04.6) lucid-security; urgency=medium
  * SECURITY UPDATE: Mount passphrase wrapped with a default salt value
    - src/libecryptfs/key_management.c, src/include/ecryptfs.h: Generate a random salt when wrapping the mount passphrase.
    - src/pam_ecryptfs/pam_ecryptfs.c: If a user has a mount passphrase that was wrapped using the default salt, their mount passphrase will be rewrapped using a random salt when they log in with their password.
    - src/libecryptfs/key_management.c: Create a temporary file when creating a new wrapped-passphrase file and copy it to its final destination after the file has been fully synced to disk (LP: #1020902)
    - CVE-2014-9687
 -- Tyler Hicks <email address hidden>  Wed, 04 Mar 2015 16:26:45 -0600
Superseded in vivid-release
Obsolete in utopic-release
Published in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
ecryptfs-utils (104-0ubuntu1) trusty; urgency=low
  [ Colin King ]
  * src/libecryptfs/ecryptfs-stat.c, tests/kernel/extend-file-random/test.c, tests/kernel/inode-race-stat/test.c, tests/kernel/trunc-file/test.c:
    - Fixed some 32 bit build warnings
  * src/libecryptfs/decision_graph.c, src/libecryptfs/key_management.c, src/libecryptfs/main.c, src/libecryptfs/module_mgr.c, src/utils/io.c, src/utils/mount.ecryptfs_private.c, tests/kernel/inotify/test.c, tests/kernel/trunc-file/test.c, tests/userspace/wrap-unwrap/test.c:
    - Fixed a pile of minor bugs (memory leaks, unclosed file descriptors, etc.) mostly in error paths
  * src/key_mod/ecryptfs_key_mod_passphrase.c, src/libecryptfs/main.c, src/pam_ecryptfs/pam_ecryptfs.c:
    - more Coverity fixes, memory leak, error checking, etc.
  [ Nobuto MURATA ]
  * fix an empty update-notifier window (LP: #1107650)
    - changes made in Rev.758 was incomplete
  [ Tyler Hicks ]
  * doc/manpage/ecryptfs.7:
    - adjust man page text to avoid confusion about whether the interactive mount helper takes a capital 'N' for the answer to y/n questions (LP: #1130460)
  * src/utils/ecryptfs_rewrap_passphrase.c:
    - Handle errors when interactively reading the new wrapping passphrase and the confirmation from stdin. Fixes a segfault (invalid memory read) in ecryptfs-rewrap-passphrase if there was an error while reading either of these passphrases.
  * configure.ac:
    - Set AM_CPPFLAGS to always include config.h as the first include file. Some .c files correctly included config.h before anything else. The majority of .c files got this wrong by including it after other header files, including it multiple times, or not including it at all. Including it in the AM_CPPFLAGS should solve these problems and keep future mistakes from happening in new source files.
    - Enable large file support (LFS) through the use of the AC_SYS_LARGEFILE autoconf macro. ecryptfs-utils has been well tested with LFS enabled because ecryptfs-utils is being built with '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' in Debian-based distros. This is mainly needed for some of the in-tree regression tests but ecryptfs-utils, in general, should be built with LFS enabled.
  * debian/rules:
    - Don't append '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' to the CFLAGS now that the upstream build enables LFS
  * tests/userspace/lfs.sh, tests/userspace/lfs/test.c:
    - Add a test to verify that LFS is enabled. This test is run under the make check target.
  * tests/kernel/enospc/test.c:
    - Fix test failures on 32 bit architectures due to large file sizes overflowing data types
  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-swap: LP: #1172014
    - write crypttab entry using UUID
  * src/utils/ecryptfs-recover-private: LP: #1028532
    - error out, if we fail to mount the private data correctly
  [ Colin King and Dustin Kirkland ]
  * configure.ac, src/daemon/main.c, src/libecryptfs/cmd_ln_parser.c, src/libecryptfs/decision_graph.c, src/utils/mount.ecryptfs.c, tests/kernel/trunc-file/test.c:
    - remove some dead code, fix some minor issues raised by Coverity
 -- Nobuto MURATA <email address hidden>  Thu, 21 Feb 2013 01:56:33 +0900
Available diffs
- diff from 103-0ubuntu2 to 104-0ubuntu1 (119.1 KiB)
Superseded in trusty-release
Obsolete in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
ecryptfs-utils (103-0ubuntu2) raring; urgency=low
  * fix an empty update-notifier window (LP: #1107650)
    - needed part was dropped accidentally at 102-0ubuntu1
 -- Nobuto MURATA <email address hidden>  Wed, 20 Feb 2013 14:05:42 +0900
Available diffs
- diff from 103-0ubuntu1 to 103-0ubuntu2 (594 bytes)
ecryptfs-utils (103-0ubuntu1) raring; urgency=low
  [ Tyler Hicks ]
  * debian/rules:
    - Use dpkg-buildflags to inject distro compiler hardening flags into the build. This also fixes the hardening-no-fortify-functions lintian warnings.
  [ Dustin Kirkland ]
  * doc/manpage/ecryptfs-add-passphrase.1, doc/manpage/ecryptfsd.8, doc/manpage/ecryptfs-find.1, doc/manpage/ecryptfs-generate-tpm-key.1, doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1, doc/manpage/ecryptfs-manager.8, doc/manpage/ecryptfs-migrate-home.8, doc/manpage/ecryptfs-mount-private.1, doc/manpage/ecryptfs-recover-private.1, doc/manpage/ecryptfs-rewrap-passphrase.1, doc/manpage/ecryptfs-rewrite-file.1, doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs-setup-swap.1, doc/manpage/ecryptfs-stat.1, doc/manpage/ecryptfs-umount-private.1, doc/manpage/ecryptfs-unwrap-passphrase.1, doc/manpage/ecryptfs-verify.1, doc/manpage/ecryptfs-wrap-passphrase.1, doc/manpage/Makefile.am, doc/manpage/mount.ecryptfs.8, doc/manpage/mount.ecryptfs_private.1, doc/manpage/pam_ecryptfs.8, doc/manpage/umount.ecryptfs.8, doc/manpage/umount.ecryptfs_private.1, src/desktop/ecryptfs-find => src/utils/ecryptfs-find, src/desktop/Makefile.am, src/utils/Makefile.am:
    - add 3 new manpages, for ecryptfs-find, ecryptfs-verify, and ecryptfs-migrate-home
    - Add SEE ALSO section to manpages which were missing it
    - Mention "Debian and Ubuntu" in license location
    - move the ecryptfs-find utility to the proper location in src/utils
  * src/utils/Makefile.am:
    - fix broken build
  * debian/ecryptfs-utils.links:
    - link no longer needed for ecryptfs-find
  [ Colin King ]
  * === added directory tests/kernel/mmap-bmap, === added directory tests/kernel/xattr, tests/kernel/link.sh, tests/kernel/Makefile.am, tests/kernel/mknod.sh, tests/kernel/mmap-bmap.sh, tests/kernel/mmap-bmap/test.c, tests/kernel/tests.rc, tests/kernel/xattr.sh, tests/kernel/xattr/test.c:
    - ran the current eCryptfs tests on 3.8-rc4 with kernel gcov enabled and spotted a few trivial areas where it would be useful to up the test coverage on the code - so here are a few very simple additional tests to exercise eCryptfs a little further
 -- Dustin Kirkland <email address hidden>  Fri, 25 Jan 2013 12:58:56 -0600
Available diffs
- diff from 102-0ubuntu1 to 103-0ubuntu1 (11.0 KiB)
ecryptfs-utils (102-0ubuntu1) raring; urgency=low [ Dustin Kirkland ] * debian/control: - bump standards, no change * precise [ Tyler Hicks ] * autogen.sh, scripts/release.sh, Makefile.am: - Break out the autoreconf and intltoolize commands from release.sh into an executable autogen.sh - Use the --copy option when invoking intltoolize - Include the new autogen.sh script in the release tarball * debian/rules, debian/control: - Use dh-autoreconf so that upstream sources can easily be used to build packages for all the stable Ubuntu releases in the ecryptfs-utils daily build PPA - Override the dh_autoreconf target by running the autogen.sh script - Drop Build-Depends on autotools-dev since dh-autoreconf is a superset of autotools-dev - Drop Build-Depends on autoconf, automake, and libtool since dh-autoreconf depends on all of these packages * m4/ac_python_devel.m4: - Fix FTBFS in Raring Ringtail due to multiarch Python. Be sure to include platform specific Python include directions in SWIG_PYTHON_CPPFLAGS. * src/utils/mount.ecryptfs_private.c: - Fix conditionals when checking whether to remove authentication tokens from the kernel keyring upon umount. This conditional was incorrectly modified in ecryptfs-utils-101, yet the authentication tokens still seem to be removed from the kernel keyring so it isn't clear if there was actually a user-facing regression. - Pass the FEKEK sig, rather than the FNEK sig, to ecryptfs_private_is_mounted() - Restore behavior of not printing error messages to syslog when unmounting and keys cannot be found in the kernel keyring. 
- Restore behavior of printing a useful error message about ecryptfs-mount-private when mounting and keys cannot be found in the kernel keyring - Fix memory leak and clean up free()'s in an error path - Use pointer assignment tests, rather than strlen(), to determine which key signatures were fetched * src/daemon/main.c, src/include/ecryptfs.h, src/libecryptfs/{Makefile.am,messaging.c,miscdev.c,netlink.c,sysfs.c}, doc/manpage/ecryptfsd.8, doc/design_doc/ecryptfs_design_doc_v0_2.tex: - Remove netlink messaging interface support - Netlink messaging support was superseded by the miscdev interface (/dev/ecryptfs) in upstream kernel version 2.6.26 in July, 2008 - Netlink messaging support was completely removed from the upstream kernel starting with version 2.6.32 in December, 2009 * src/jprobes/*, scripts/delete-cruft.sh: - Remove all jprobes code, as I don't use jprobes to debug eCryptfs kernel issues and I don't like the idea of maintaining these jprobes outside of the kernel tree * src/escrow/*: - Remove all escrow code, as it isn't used or maintained * tests/kernel/llseek.sh, tests/kernel/llseek/test.c, tests/userspace/wrap-unwrap.sh, tests/userspace/wrap-unwrap/test.c: - Migrate some old testcases over to the modern test framework * tests/lib/etl_funcs.sh: - Update etl_create_test_dir() to allow a parent directory to be specified when creating the directory * src/testcases: - Delete old testcases that were either too basic, covered by more extensive tests in the modern test framework, or just didn't work [ Nobuto MURATA ] * src/desktop/ecryptfs-record-passphrase: -- Dustin Kirkland <email address hidden> Tue, 22 Jan 2013 16:04:11 -0600
Available diffs
- diff from 101-0ubuntu3 to 102-0ubuntu1 (19.8 KiB)
ecryptfs-utils (100-0ubuntu1.1) quantal-proposed; urgency=low * Fix encrypted home/private race condition that could result in encrypted filenames not being decrypted, despite the directory being mounted correctly otherwise. (LP: #1052038) - debian/patches/fix-private-mount-race.patch: Fix race condition by only opening the signature file once, rather than opening, reading, and closing it for each key signature. -- Tyler Hicks <email address hidden> Tue, 04 Dec 2012 14:12:27 -0600
Available diffs
- diff from 100-0ubuntu1 to 100-0ubuntu1.1 (2.9 KiB)
ecryptfs-utils (96-0ubuntu3.1) precise-proposed; urgency=low * Fix encrypted home/private race condition that could result in encrypted filenames not being decrypted, despite the directory being mounted correctly otherwise. (LP: #1052038) - debian/patches/fix-private-mount-race.patch: Fix race condition by only opening the signature file once, rather than opening, reading, and closing it for each key signature. -- Tyler Hicks <email address hidden> Tue, 04 Dec 2012 14:12:55 -0600
Available diffs
- diff from 96-0ubuntu3 to 96-0ubuntu3.1 (3.0 KiB)
ecryptfs-utils (92-0ubuntu1.2) oneiric-proposed; urgency=low * Fix encrypted home/private race condition that could result in encrypted filenames not being decrypted, despite the directory being mounted correctly otherwise. (LP: #1052038) - debian/patches/fix-private-mount-race.patch: Fix race condition by only opening the signature file once, rather than opening, reading, and closing it for each key signature. -- Tyler Hicks <email address hidden> Tue, 04 Dec 2012 14:13:46 -0600
Available diffs
- diff from 92-0ubuntu1.1 to 92-0ubuntu1.2 (3.0 KiB)
ecryptfs-utils (101-0ubuntu3) raring; urgency=low * Fix FTBFS: multiarched python2.7 paths. -- Dmitrijs Ledkovs <email address hidden> Mon, 24 Dec 2012 14:24:56 +0200
Available diffs
- diff from 101-0ubuntu2 to 101-0ubuntu3 (1.1 KiB)
ecryptfs-utils (101-0ubuntu2) raring; urgency=low * debian/patches/record-passphrase-dialogue-translatable.patch: - make "Record your encryption passphrase" dialogue translatable (LP: #982924) - to workaround lp bug 1075304, removing line breaks(.) in the dialogue -- Nobuto MURATA <email address hidden> Thu, 06 Dec 2012 23:37:38 +0900
Available diffs
- diff from 101-0ubuntu1 to 101-0ubuntu2 (1.4 KiB)
ecryptfs-utils (101-0ubuntu1) raring; urgency=low [ Eric Lammerts ] * src/libecryptfs/sysfs.c: LP: #1007880 - Handle NULL mnt pointer when sysfs is not mounted [ Tyler Hicks ] * src/utils/ecryptfs-migrate-home: LP: #1026180 - Correct minor misspelling * src/utils/ecryptfs-recover-private: LP: #1004082 - Fix option parsing when --rw is specified * src/utils/ecryptfs-recover-private: LP: #1028923 - Simplify success message to prevent incorrectly reporting that a read-only mount was performed when the --rw option is specified * tests/lib/etl_func.sh: - Add test library function to return a lower path from an upper path, based on inode numbers * tests/kernel/mmap-close.sh, tests/kernel/mmap-close/test.c: - Add regression test for open->mmap()->close()->dirty memory->munmap() pattern * tests/kernel/lp-561129.sh: - Add test for checking that a pre-existing target inode is properly evicted after a rename * tests/README: - Add documentation on the steps to take when adding new test cases [ Colin King ] * tests/kernel/lp-911507.sh: - Add test case for initializing empty lower files during open() * tests/kernel/lp-872905.sh: - Add test case to check for proper unlinking of lower files when lower file initialization fails * src/key_mod/ecryptfs_key_mod_openssl.c, src/key_mod/ecryptfs_key_mod_pkcs11_helper.c, src/libecryptfs/key_management.c, src/utils/mount.ecryptfs_private.c, src/utils/umount.ecryptfs.c: - address some issues raised by smatch static analysis - fix some memory leaks with frees - fix some pointer refs and derefs - fix some comment typos [ Dustin Kirkland ] * src/libecryptfs/key_management.c: - silence pam error message when errno == EACCES + "Error attempting to parse .ecryptfsrc file; rc = [-13]" * src/utils/mount.ecryptfs_private.c: LP: #1052038 - fix race condition, which typically manifests itself with a user saying that their home directory is not accessible, or that their filenames are not decrypted - the root of the problem is that we were reading the 
signature file, ~/.ecryptfs/Private.sig, twice; in some cases, the first one succeeds, so the file encryption signature is read and key is loaded, but then some other process (usually from PAM, perhaps a cron job or a subsequent login) mounts the home directory before the filename encryption key is loaded; thus, $HOME is mounted but filenames are not decrypted, so the second read of ~/.ecryptfs/Private.sig fails as that file is not found - the solution is to rework the internal fetch_sig() function and read one or both signatures within a single open/read/close operation of the file - free memory used by char **sig on failure * debian/copyright: - fix lintian warning * precise -- Dustin Kirkland <email address hidden> Thu, 25 Oct 2012 16:13:28 -0500
Available diffs
- diff from 100-0ubuntu1 to 101-0ubuntu1 (29.0 KiB)
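The LP: #1052038 entry above describes replacing two separate reads of ~/.ecryptfs/Private.sig with one open/read/close. The C sketch below is an added illustration of that difference, not code from ecryptfs-utils: the function names, the temp-file path and the one-16-hex-digit-signature-per-line layout are assumptions, and the signatures are constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SIG_HEX_LEN 16 /* assumption: one 16-hex-digit signature per line */

/* Read the next line of fp as a signature.
 * Returns 0 on success, 1 at end of file, -1 if the line is malformed. */
static int read_sig_line(FILE *fp, char out[SIG_HEX_LEN + 1])
{
    char line[64];
    size_t i, len;

    if (fgets(line, sizeof(line), fp) == NULL)
        return 1;
    len = strcspn(line, "\r\n");
    if (len != SIG_HEX_LEN)
        return -1;
    for (i = 0; i < len; i++)
        if (!isxdigit((unsigned char)line[i]))
            return -1;
    memcpy(out, line, SIG_HEX_LEN);
    out[SIG_HEX_LEN] = '\0';
    return 0;
}

/* Racy pattern: a separate open/read/close for each signature
 * (index 0 = first line, 1 = second). Returns 0 on success, -1 otherwise. */
int fetch_sig_reopen(const char *path, int index, char out[SIG_HEX_LEN + 1])
{
    FILE *fp = fopen(path, "r");
    int i, rc = -1;

    if (fp == NULL)
        return -1;
    for (i = 0; i <= index; i++)
        if ((rc = read_sig_line(fp, out)) != 0)
            break;
    fclose(fp);
    return rc == 0 ? 0 : -1;
}

/* Single open/read/close: both signatures come from one view of the file.
 * Returns 2 (both signatures), 1 (only the first is present) or -1. */
int fetch_sigs_once(const char *path, char first[SIG_HEX_LEN + 1],
                    char second[SIG_HEX_LEN + 1])
{
    FILE *fp = fopen(path, "r");
    int rc, n = -1;

    first[0] = second[0] = '\0';
    if (fp == NULL)
        return -1;
    if (read_sig_line(fp, first) == 0) {
        rc = read_sig_line(fp, second);
        if (rc == 0)
            n = 2;
        else if (rc == 1)
            n = 1; /* file holds a single signature */
    }
    fclose(fp);
    if (n < 0)
        first[0] = second[0] = '\0'; /* never hand back a partial result */
    return n;
}

/* Create a temp file with constructed contents; tmpl must end in XXXXXX. */
int write_temp(char *tmpl, const char *contents)
{
    size_t len = strlen(contents);
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return -1;
    if (write(fd, contents, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    char path[] = "/tmp/private-sig-XXXXXX";
    char a[SIG_HEX_LEN + 1], b[SIG_HEX_LEN + 1];

    /* Constructed signatures. */
    if (write_temp(path, "0123456789abcdef\nfedcba9876543210\n") != 0)
        return 1;
    printf("single open: %d signature(s)\n", fetch_sigs_once(path, a, b));
    printf("reopen, first:  %d\n", fetch_sig_reopen(path, 0, a));
    remove(path); /* stand-in for the file vanishing between the two reads */
    printf("reopen, second: %d\n", fetch_sig_reopen(path, 1, b));
    return 0;
}
```

Removing the file between the two reopen calls stands in for the mount that hides Private.sig in the changelog's description; the single-open variant has no such window.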
ecryptfs-utils (100-0ubuntu1) quantal; urgency=low [ Tyler Hicks ] * src/pam_ecryptfs/pam_ecryptfs.c, src/libecryptfs/key_management.c: LP: #1024476 - fix regression introduced in ecryptfs-utils-99 when Encrypted Home/Private is in use and the eCryptfs kernel code is compiled as a module - drop check for kernel filename encryption support in pam_ecryptfs, as appropriate privileges to load the eCryptfs kernel module may not be available and filename encryption has been supported since 2.6.29 - always add filename encryption key to the kernel keyring from pam mount [ Colin King ] * tests/kernel/inode-race-stat/test.c: - limit number of forks based on fd limits * tests/kernel/enospc.sh, tests/kernel/enospc/test.c, tests/kernel/Makefile.am, tests/kernel/tests.rc: - add test case for ENOSPC [ Tim Harder ] * m4/ac_python_devel.m4: LP: #1029217 - properly save and restore CPPFLAGS and LIBS when python support is enabled -- Dustin Kirkland <email address hidden> Thu, 02 Aug 2012 16:33:55 -0500
Available diffs
- diff from 99-0ubuntu1 to 100-0ubuntu1 (6.3 KiB)
Superseded in quantal-release |
ecryptfs-utils (99-0ubuntu1) quantal; urgency=low [ Dustin Kirkland ] * debian/ecryptfs-utils.postinst: LP: #936093 - ensure desktop file is executable * precise [ Wesley Wiedenmeier ] * src/utils/mount.ecryptfs.c: LP: #329264 - remove old hack, that worked around a temporary kernel regression; ensure that all mount memory is mlocked [ Sebastian Krahmer ] * src/pam_ecryptfs/pam_ecryptfs.c: LP: #732614 - drop group privileges in the same places that user privileges are dropped - check return status of setresuid() calls and return if they fail - drop privileges before checking for the existence of ~/.ecryptfs/auto-mount to prevent possible file existence leakage by a symlink to a path that typically would not be searchable by the user - drop privileges before reading salt from the rc file to prevent the leakage of root's salt and, more importantly, using the incorrect salt - discovered, independently, by Vasiliy Kulikov and Sebastian Krahmer * src/pam_ecryptfs/pam_ecryptfs.c: LP: #1020904 - after dropping privileges, clear the environment before executing the private eCryptfs mount helper - discovered by Sebastian Krahmer * src/utils/mount.ecryptfs_private.c: LP: #1020904 - do not allow private eCryptfs mount aliases to contain ".." 
characters as a preventative measure against a crafted file path being used as an alias - force the MS_NOSUID mount flag to protect against user controlled lower filesystems, such as an auto mounted USB drive, that may contain a setuid-root binary + CVE-2012-3409 - force the MS_NODEV mount flag - after dropping privileges, clear the environment before executing umount - discovered by Sebastian Krahmer [ Tyler Hicks ] * src/libecryptfs/key_management.c: LP: #732614 - zero statically declared buffers to prevent the leakage of stack contents in the case of a short file read - discovered by Vasiliy Kulikov * src/libecryptfs/module_mgr.c, src/pam_ecryptfs/pam_ecryptfs.c: - fix compiler warnings -- Dustin Kirkland <email address hidden> Fri, 13 Jul 2012 09:52:36 -0500
Available diffs
- diff from 98-0ubuntu1 to 99-0ubuntu1 (5.6 KiB)
Superseded in quantal-release |
ecryptfs-utils (98-0ubuntu1) quantal; urgency=low [ Dustin Kirkland ] * debian/ecryptfs-utils.prerm: - drop the pre-removal ERRORs down to WARNINGs - these have caused a ton of trouble; whatever is causing ecryptfs-utils to be marked for removal should be fixed; but ecryptfs exiting 1 seems to be causing more trouble than it's worth - LP: #871021, #812270, #988960, #990630, #995381, #1010961 * doc/ecryptfs-faq.html: - update the frequently asked questions, which haven't seen much attention in a while now - drop a few references to sourceforge * doc/ecryptfs-pam-doc.txt, doc/manpage/fr/ecryptfs-add-passphrase.1, doc/manpage/fr/ecryptfs-generate-tpm-key.1, doc/manpage/fr/ecryptfs-insert-wrapped-passphrase-into-keyring.1, doc/manpage/fr/ecryptfs-mount-private.1, doc/manpage/fr/ecryptfs-rewrap-passphrase.1, doc/manpage/fr/ecryptfs-setup-private.1, doc/manpage/fr/ecryptfs-umount-private.1, doc/manpage/fr/ecryptfs-unwrap-passphrase.1, doc/manpage/fr/ecryptfs-wrap-passphrase.1, doc/manpage/fr/ecryptfs-zombie-kill.1, doc/manpage/fr/ecryptfs-zombie-list.1, doc/sourceforge_webpage/ecryptfs-article.pdf, doc/sourceforge_webpage/ecryptfs_design_doc_v0_1.pdf, doc/sourceforge_webpage/ecryptfs-faq.html, doc/sourceforge_webpage/ecryptfs-key-diagram-356.png, doc/sourceforge_webpage/ecryptfs-key-diagram-640.png, doc/sourceforge_webpage/ecryptfs-pageuptodate-call-graph.png, doc/sourceforge_webpage/ecryptfs-pam-doc.txt, doc/sourceforge_webpage/ecryptfs.pdf, doc/sourceforge_webpage/index.html, doc/sourceforge_webpage/README, === removed directory doc/manpage/fr, === removed directory doc/sourceforge_webpage, rpm/ecryptfs-utils.spec: - remove some deprecated documentation - fish it out of bzr, if we ever need it again, but let's quit publishing it in our release tarballs * precise -- Dustin Kirkland <email address hidden> Sun, 24 Jun 2012 11:40:53 -0500
Available diffs
- diff from 97-0ubuntu1 to 98-0ubuntu1 (8.9 KiB)
Superseded in quantal-release |
ecryptfs-utils (97-0ubuntu1) quantal; urgency=low [ Kees Cook ] * src/pam_ecryptfs/pam_ecryptfs.c: LP: #938326 - exit, rather than return to prevent duplicate processes [ Andreas Raster ] * src/desktop/ecryptfs-find: - $mounts was quoted once too often [ George Wilson ] * src/key_mod/ecryptfs_key_mod_openssl.c, src/key_mod/ecryptfs_key_mod_pkcs11_helper.c, src/key_mod/ecryptfs_key_mod_tspi.c: LP: #937331 - IBM would like to grant a license exception for key modules that require linking to OpenSSL. The change should make the modules shippable by Linux distributions [ Dustin Kirkland ] * debian/copyright: - note the GPLv2 SSL exception granted by IBM for the key modules * debian/control, debian/copyright, doc/manpage/ecryptfs.7, doc/manpage/ecryptfs-add-passphrase.1, doc/manpage/ecryptfsd.8, doc/manpage/ecryptfs-generate-tpm-key.1, doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1, doc/manpage/ecryptfs-manager.8, doc/manpage/ecryptfs-mount-private.1, doc/manpage/ecryptfs-recover-private.1, doc/manpage/ecryptfs-rewrap-passphrase.1, doc/manpage/ecryptfs-rewrite-file.1, doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs-setup-swap.1, doc/manpage/ecryptfs-stat.1, doc/manpage/ecryptfs-umount-private.1, doc/manpage/ecryptfs-unwrap-passphrase.1, doc/manpage/ecryptfs-wrap-passphrase.1, doc/manpage/mount.ecryptfs.8, doc/manpage/mount.ecryptfs_private.1, doc/manpage/pam_ecryptfs.8, doc/manpage/umount.ecryptfs.8, doc/manpage/umount.ecryptfs_private.1, README, src/utils/mount.ecryptfs.c: - use the new ecryptfs.org website where appropriate * debian/control: - update to suggest zescrow-client * precise [ Sergio Peña ] * src/libecryptfs/cipher_list.c: LP: #922821 - add the new name of the blowfish cipher (linux >= 3.2) * src/include/ecryptfs.h, src/libecryptfs/main.c, src/utils/mount.ecryptfs.c: LP: #917509 - use execl() to mount ecryptfs - this allows us to support any arbitrary mount options in /etc/fstab [ Tyler Hicks ] * doc/manpage/ecryptfs.7: -
Remove the note saying that the passphrase and openssl key modules are available by default. That's true upstream but not always true in distro builds. * tests/run_tests.sh: - Make upper and lower mount point arguments optional by automatically creating directories in /tmp by default. - Make it possible to run only userspace tests without having to specify unused mount information - Accept a comma-separated list of lower filesystems to test on and loop through all kernel tests for each lower filesystem - Accept a comma-separated list of tests to run * tests/lib/etl_funcs.sh: - Unset $ETL_DISK just before etl_remove_disk() successfully returns * tests/userspace/Makefile.am: - Also build 'make check' tests when building with --enable-tests * include/ecryptfs.h, libecryptfs/Makefile.am, libecryptfs/cipher_list.c, libecryptfs/module_mgr.c, utils/io.h: LP: #994813 - remove overly complicated implementation to detect what ciphers are supported by the currently running kernel's crypto api - prompt for the entire supported cipher list, if the user selects a cipher that their kernel doesn't support, the mount will fail and the kernel will write an error message to the syslog * src/libecryptfs/module_mgr.c: - Use correct blowfish block size when displaying supported ciphers to the user * tests/kernel/lp-1009207.sh, tests/kernel/Makefile.am, tests/kernel/tests.rc: - Add simple test case for incorrect handling of umask and default POSIX ACL masks * tests/kernel/lp-994247.sh, tests/kernel/lp-994247/test.c, tests/kernel/Makefile.am, tests/kernel/tests.rc: - Add test case for incorrect handling of open /dev/ecryptfs file descriptors that are passed or inherited by other processes [ Colin King ] * tests/lib/etl_funcs.sh: - etl_lumount() should use DST rather than SRC dir so it can run on Lucid - use file system appropriate mkfs force flag - cater for correct ext2 default mount flags * tests/kernel/lp-509180.sh, tests/kernel/lp-509180/test.c: - test for trailing garbage at end of 
files * tests/kernel/lp-524919.sh, tests/kernel/lp-524919/test.c: - test case for checking lstat/readlink size * tests/kernel/lp-870326.sh, tests/kernel/lp-870326/test.c: - test case for open(), mmap(), close(), modify mmap'd region * tests/kernel/lp-469664.sh: - test case for lsattr * tests/kernel/lp-613873.sh: - test case for stat modify time * tests/kernel/lp-745836.sh: - test case for clearing ECRYPTFS_NEW_FILE flag during truncate * tests/lib/etl_funcs.sh, tests/kernel/extend-file-random.sh, tests/kernel/trunc-file.sh (LP: #1007159): - Add test library function for estimating available space in lower fs - Use new library function in tests that need to create large files [ Colin Watson ] * src/utils/ecryptfs-setup-swap: Skip /dev/zram* swap devices LP: #979350 [ Serge Hallyn ] * src/utils/mount.ecryptfs_private.c: - EoL fixes -- Dustin Kirkland <email address hidden> Fri, 15 Jun 2012 09:28:58 -0500
Available diffs
- diff from 96-0ubuntu3 to 97-0ubuntu1 (67.2 KiB)
ecryptfs-utils (96-0ubuntu3) precise; urgency=low * src/utils/ecryptfs-setup-swap: Skip /dev/zram* swap devices (LP: #979350). -- Colin Watson <email address hidden> Wed, 18 Apr 2012 15:52:45 +0100
Available diffs
- diff from 96-0ubuntu2 to 96-0ubuntu3 (700 bytes)
Superseded in precise-release |
ecryptfs-utils (96-0ubuntu2) precise; urgency=low * Add debian/patches/automount-fork-exit.patch (LP: #938326). -- Kees Cook <email address hidden> Tue, 21 Feb 2012 17:49:54 -0800
Available diffs
- diff from 96-0ubuntu1 to 96-0ubuntu2 (1.0 KiB)
Superseded in precise-release |
ecryptfs-utils (96-0ubuntu1) precise; urgency=low [ Dustin Kirkland ] * CONTRIBUTING: - added a new file to describe how to contribute to ecryptfs * === added directory img/old, img/old/ecryptfs_14.png, img/old/ecryptfs_192.png, img/old/ecryptfs_64.png: - saving the old logos/branding for posterity * debian/copyright, img/COPYING: - added CC-by-SA 3.0 license - use the text version * img/ecryptfs_14.png, img/ecryptfs_192.png, img/ecryptfs_64.png: - added scaled copies of images used for Launchpad.net branding * src/utils/ecryptfs-recover-private: LP: #847505 - add an option to allow user to enter the mount passphrase, in case they've recorded that, but forgotten their login passphrase * src/libecryptfs/sysfs.c: LP: #802197 - default sysfs to /sys, if not found in /etc/mtab - it seems that reading /etc/mtab for this is outdated - ensure that ecryptfs works even if there is no sysfs entry in /etc/mtab * src/key_mod/ecryptfs_key_mod_tspi.c: LP: #462225 - fix TPM and string_to_uuid 64bits issue - thanks to Janos for the patch * precise [ Tyler Hicks ] * CONTRIBUTING: - clarified how to contribute to the ecryptfs kernel module * tests/lib/etl_funcs.sh: - created eCryptfs test library of bash functions for use in test cases and test harnesses * test/etl_add_passphrase_key_to_keyring.c: - created a C helper program to allow bash scripts to interface to the libecryptfs function that adds passphrase-based keys to the kernel keyring * tests/kernel/tests.rc, tests/userspace/tests.rc: - created a test case category files for test harnesses to source when running testcases of a certain category (destructive, safe, etc.) 
* tests/run_tests.sh: - created a test harness to run eCryptfs test cases * tests/kernel/miscdev-bad-count.sh, tests/kernel/miscdev-bad-count/test.c: - created test case for miscdev issue reported to mailing list * tests/kernel/lp-885744.sh: - created test case for pathconf bug * tests/kernel/lp-926292.sh: - created test case for checking stale inode attrs after setxattr * tests/new.sh: - created new test case template to copy from * tests/userspace/verify-passphrase-sig.sh, tests/userspace/verify-passphrase-sig/test.c: - created test case, for make check, to test the creation of passphrase-based fekeks and signatures * configure.ac, Makefile.am, tests/Makefile.am, tests/lib/Makefile.am, tests/kernel/Makefile.am, tests/userspace/Makefile.am: - updated and created autoconf/automake files to build the new tests directory - added make check target [ Eddie Garcia ] * img/*: LP: #907131 - contributing a new set of logos and branding under the CC-by-SA3.0 license [ Colin King ] * tests/kernel/extend-file-random.sh, tests/kernel/extend-file-random/test.c: - Test to randomly extend file size, read/write + unlink * tests/kernel/trunc-file.sh, tests/kernel/trunc-file/test.c: - Test to exercise file truncation * tests/kernel/directory-concurrent.sh, tests/kernel/directory-concurrent/test.c: - test for directory creation/deletion races with multiple processes * tests/kernel/file-concurrent.sh, tests/kernel/file-concurrent/test.c: - test for file creation/truncation/unlink races with multiple processes * tests/kernel/inotify.sh, tests/kernel/inotify/test.c: - test for proper inotify support * tests/kernel/mmap-dir.sh, tests/kernel/mmap-dir/test.c: - test that directory files cannot be mmap'ed * tests/kernel/read-dir.sh, tests/kernel/read-dir/test.c: - test that read() on directory files returns the right error * tests/kernel/setattr-flush-dirty.sh: - test that the modified timestamp isn't clobbered in writeback * tests/kernel/inode-race-stat.sh, 
tests/kernel/inode-race-stat/test.c: - test for inode initialization race condition -- Dustin Kirkland <email address hidden> Thu, 16 Feb 2012 14:22:09 -0600
Available diffs
- diff from 95-0ubuntu1 to 96-0ubuntu1 (38.6 KiB)
Superseded in precise-release |
ecryptfs-utils (95-0ubuntu1) precise; urgency=low [ Serge Hallyn ] * fix infinite loop on arm: fgetc returns an int, and -1 at end of options. Arm makes char unsigned. (LP: #884407) [ Dustin Kirkland ] * debian/compat, debian/control, debian/ecryptfs-utils.install, debian/ecryptfs-utils.lintian-overrides, debian/libecryptfs0.install, debian/libecryptfs-dev.install, debian/lintian/ecryptfs-utils, debian/python-ecryptfs.install, debian/rules, debian/source/options, doc/ecryptfs-pam-doc.txt, doc/manpage/ecryptfs-setup-private.1, lintian/ecryptfs-utils, === removed directory debian/lintian: - merge a bunch of packaging changes from Debian's Daniel Baumann * scripts/release.sh: - minor release fixes -- Dustin Kirkland <email address hidden> Wed, 14 Dec 2011 14:22:33 -0600
Available diffs
- diff from 94-0ubuntu1 to 95-0ubuntu1 (5.5 KiB)
Superseded in precise-release |
ecryptfs-utils (94-0ubuntu1) precise; urgency=low [ Dustin Kirkland ] * scripts/release.sh: - fix release script - bump ubuntu release * doc/manpage/ecryptfs-recover-private.1, src/utils/ecryptfs-migrate-home (properties changed: -x to +x), src/utils/ecryptfs-recover-private: - add a --rw option for ecryptfs-recover-private * src/utils/ecryptfs-migrate-home: LP: #820416 - show progress on rsync * debian/ecryptfs-utils.ecryptfs-utils-restore.upstart, debian/ecryptfs-utils.ecryptfs-utils-save.upstart, src/utils/ecryptfs-migrate-home, src/utils/ecryptfs-setup-private: LP: #883238 - remove 2 upstart scripts, which attempted to "save" users who didn't login after migrating their home; instead, we now require the root user to enter user passwords at migration time * debian/copyright, debian/ecryptfs-utils.ecryptfs-utils-restore.upstart, debian/ecryptfs-utils.ecryptfs-utils-save.upstart, doc/manpage/ecryptfs.7, doc/manpage/ecryptfs-add-passphrase.1, doc/manpage/ecryptfs-generate-tpm-key.1, doc/manpage/ecryptfs-insert-wrapped-passphrase-into-keyring.1, doc/manpage/ecryptfs-mount-private.1, doc/manpage/ecryptfs-recover-private.1, doc/manpage/ecryptfs-rewrap-passphrase.1, doc/manpage/ecryptfs-rewrite-file.1, doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs-setup-swap.1, doc/manpage/ecryptfs-stat.1, doc/manpage/ecryptfs-umount-private.1, doc/manpage/ecryptfs-unwrap-passphrase.1, doc/manpage/ecryptfs-wrap-passphrase.1, doc/manpage/fr/ecryptfs-add-passphrase.1, doc/manpage/fr/ecryptfs-generate-tpm-key.1, doc/manpage/fr/ecryptfs-insert-wrapped-passphrase-into-keyring.1, doc/manpage/fr/ecryptfs-mount-private.1, doc/manpage/fr/ecryptfs-rewrap-passphrase.1, doc/manpage/fr/ecryptfs-setup-private.1, doc/manpage/fr/ecryptfs-umount-private.1, doc/manpage/fr/ecryptfs-unwrap-passphrase.1, doc/manpage/fr/ecryptfs-wrap-passphrase.1, doc/manpage/fr/ecryptfs-zombie-kill.1, doc/manpage/fr/ecryptfs-zombie-list.1, doc/manpage/mount.ecryptfs_private.1,
doc/manpage/pam_ecryptfs.8, doc/manpage/umount.ecryptfs.8, doc/manpage/umount.ecryptfs_private.1, src/pam_ecryptfs/pam_ecryptfs.c, src/utils/ecryptfs_add_passphrase.c, src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c, src/utils/ecryptfs-migrate-home, src/utils/ecryptfs-mount-private, src/utils/ecryptfs-recover-private, src/utils/ecryptfs_rewrap_passphrase.c, src/utils/ecryptfs-rewrite-file, src/utils/ecryptfs-setup-private, src/utils/ecryptfs-setup-swap, src/utils/ecryptfs-umount-private, src/utils/ecryptfs_unwrap_passphrase.c, src/utils/ecryptfs_wrap_passphrase.c: - update some email addresses, moving <email address hidden> -> <email address hidden> (which I can still read) * src/libecryptfs/key_management.c: LP: #715066 - fix 2 places where we were handling ecryptfs_add_passphrase_key_to_keyring() inconsistently - if we're trying to add a key to the keyring, and it's already there, treat that as "success" * debian/control: - ecryptfs-setup-swap is strongly recommended, which depends on cryptsetup; so promote cryptsetup from suggests -> recommends * precise [ Stephan Ritscher and Tyler Hicks ] * src/libecryptfs/cmd_ln_parser.c: LP: #683535 - fix passphrase_passwd_fd for pipes - handle memory allocation failures - free memory in error paths [ Arfrever Frehtes Taifersar Arahesis ] * configure.ac: LP: #893327 - no need to check for python, if --disable-pywrap is passed -- Dustin Kirkland <email address hidden> Wed, 14 Dec 2011 11:49:10 -0600
Available diffs
- diff from 93-0ubuntu2 to 94-0ubuntu1 (33.6 KiB)
ecryptfs-utils (92-0ubuntu1.1) oneiric-proposed; urgency=low [ Serge Hallyn ] * fix infinite loop on arm: fgetc returns an int, and -1 at end of options. Arm makes char unsigned. (LP: #884407) [ Michael Terry ] * debian/local/ecryptfs-verify, debian/rules: - Backport ecryptfs-verify from version 93. Required to support gnome-control-center's check to see if it should display the autologin controls. LP: #576133 -- Michael Terry <email address hidden> Thu, 10 Nov 2011 10:33:01 -0500
Available diffs
- diff from 92-0ubuntu1 to 92-0ubuntu1.1 (2.9 KiB)
Superseded in precise-release |
ecryptfs-utils (93-0ubuntu2) precise; urgency=low * fix infinite loop on arm: fgetc returns an int, and -1 at end of options. Arm makes char unsigned. (LP: #884407) -- Serge Hallyn <email address hidden> Tue, 08 Nov 2011 10:47:03 -0600
Available diffs
- diff from 93-0ubuntu1 to 93-0ubuntu2 (957 bytes)
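The LP: #884407 entries above attribute the ARM hang to storing the int result of fgetc() in a char. The C sketch below is an added illustration, not code from ecryptfs-utils: it spells out both signedness choices explicitly so the behaviour is reproducible on any host, and the function names, the iteration cap and the sample option strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITER 4096 /* demo-only cap so the broken loop still terminates */

/* Correct: fgetc() returns int so that EOF is distinct from every byte. */
static long count_int(FILE *fp)
{
    int c;
    long n = 0;

    while ((c = fgetc(fp)) != EOF)
        n++;
    return n;
}

/* What "char c" means on ARM, where plain char is unsigned: EOF is stored
 * as 255 and never compares equal to EOF again. Returns -1 when the cap is
 * hit, which stands in for the infinite loop. */
static long count_unsigned_char(FILE *fp)
{
    long n = 0;

    for (;;) {
        unsigned char c = (unsigned char)fgetc(fp);
        int seen = c; /* promoted value is 0..255 */

        if (seen == EOF)
            break;
        if (++n >= MAX_ITER)
            return -1;
    }
    return n;
}

/* What "char c" means where plain char is signed: the loop ends at EOF,
 * but a data byte 0xFF is also taken for EOF and input is cut short. */
static long count_signed_char(FILE *fp)
{
    long n = 0;

    for (;;) {
        signed char c = (signed char)fgetc(fp);
        int seen = c; /* -128..127, so 0xFF arrives as -1 */

        if (seen == EOF)
            break;
        if (++n >= MAX_ITER)
            return -1;
    }
    return n;
}

/* Run one counter over a constructed buffer; -2 means stream setup failed. */
long count_with(long (*counter)(FILE *), const void *buf, size_t len)
{
    FILE *fp = tmpfile();
    long n = -2;

    if (fp == NULL)
        return n;
    if (fwrite(buf, 1, len, fp) == len) {
        rewind(fp);
        n = counter(fp);
    }
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed inputs: a text option line and one containing byte 0xFF. */
    static const char opts[] = "ecryptfs_cipher=aes\n";
    static const char bin[] = { 'k', '=', (char)0xFF, 'v', '\n' };

    printf("int:           %ld\n", count_with(count_int, opts, strlen(opts)));
    printf("unsigned char: %ld\n",
           count_with(count_unsigned_char, opts, strlen(opts)));
    printf("signed char:   %ld\n",
           count_with(count_signed_char, bin, sizeof(bin)));
    return 0;
}
```

The signed-char variant shows why the bug stayed hidden on other architectures: the loop terminates there, and only misbehaves when the input contains a 0xFF byte.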
Superseded in precise-release |
ecryptfs-utils (93-0ubuntu1) precise; urgency=low * src/utils/ecryptfs-verify, src/utils/Makefile.am: - add an ecryptfs-verify utility, LP: #845738 * src/testcases/write-read.sh: - added a write/read test utility * doc/manpage/ecryptfs-mount-private.1, doc/manpage/ecryptfs-setup-private.1, doc/manpage/mount.ecryptfs_private.1, doc/manpage/umount.ecryptfs_private.1: LP: #882267 - remove inaccurate documentation about being a member of the ecryptfs group * src/utils/ecryptfs-setup-private: LP: #882314 - fix preseeded encrypted home Ubuntu installations (thanks Timo!) * oneiric -- Dustin Kirkland <email address hidden> Thu, 27 Oct 2011 10:55:04 -0500
Available diffs
- diff from 92-0ubuntu1 to 93-0ubuntu1 (8.9 KiB)
ecryptfs-utils (87-0ubuntu1.3) natty-proposed; urgency=low * src/libecryptfs/key_management.c: LP: #725862 - fix nasty bug affecting users who do *not* encrypt filenames; the first login works, but on logout, only one key gets cleaned out; subsequent logins do not insert the necessary key due to an early "goto out" -- Dustin Kirkland <email address hidden> Fri, 02 Sep 2011 17:47:19 -0500
Available diffs
- diff from 87-0ubuntu1 to 87-0ubuntu1.3 (5.0 KiB)
Obsolete in maverick-proposed |
ecryptfs-utils (83-0ubuntu3.2.10.10.3) maverick-proposed; urgency=low * src/libecryptfs/key_management.c: LP: #725862 - fix nasty bug affecting users who do *not* encrypt filenames; the first login works, but on logout, only one key gets cleaned out; subsequent logins do not insert the necessary key due to an early "goto out" -- Dustin Kirkland <email address hidden> Fri, 02 Sep 2011 17:46:45 -0500
ecryptfs-utils (83-0ubuntu3.2.10.04.3) lucid-proposed; urgency=low * src/libecryptfs/key_management.c: LP: #725862 - fix nasty bug affecting users who do *not* encrypt filenames; the first login works, but on logout, only one key gets cleaned out; subsequent logins do not insert the necessary key due to an early "goto out" -- Dustin Kirkland <email address hidden> Fri, 02 Sep 2011 17:47:02 -0500
Available diffs
ecryptfs-utils (92-0ubuntu1) oneiric; urgency=low * src/libecryptfs/key_management.c: LP: #725862 - fix nasty bug affecting users who do *not* encrypt filenames; the first login works, but on logout, only one key gets cleaned out; subsequent logins do not insert the necessary key due to an early "goto out"; this fix needs to be SRU'd * debian/rules: LP: #586281 - fix perms on desktop mount file * src/pam_ecryptfs/pam_ecryptfs.c: LP: #838471 - rework syslogging to be less noisy and note pam_ecryptfs -- Dustin Kirkland <email address hidden> Thu, 01 Sep 2011 16:25:03 -0500
Available diffs
- diff from 91-0ubuntu1 to 92-0ubuntu1 (4.8 KiB)
Superseded in oneiric-release |
ecryptfs-utils (91-0ubuntu1) oneiric; urgency=low [ Diego E. "Flameeyes" Pettenò ] * configure.ac: - fix reliance on nss-config, which hinders cross-compilation [ Marc Deslauriers ] * src/utils/mount.ecryptfs_private.c: * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850) - debian/patches/CVE-2011-3145.patch: also set gid and umask before updating mtab in src/utils/mount.ecryptfs_private.c. - CVE-2011-3145 -- Dustin Kirkland <email address hidden> Wed, 31 Aug 2011 16:44:22 -0500
Available diffs
- diff from 90-0ubuntu1 to 91-0ubuntu1 (4.0 KiB)
ecryptfs-utils (87-0ubuntu1.2) natty-security; urgency=low * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850) - debian/patches/CVE-2011-3145.patch: also set gid and umask before updating mtab in src/utils/mount.ecryptfs_private.c. - CVE-2011-3145 -- Marc Deslauriers <email address hidden> Mon, 22 Aug 2011 14:10:47 -0400
Available diffs
- diff from 87-0ubuntu1.1 to 87-0ubuntu1.2 (1.6 KiB)
ecryptfs-utils (83-0ubuntu3.2.10.10.2) maverick-security; urgency=low * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850) - src/utils/mount.ecryptfs_private.c: also set gid and umask before updating mtab. - CVE-2011-3145 -- Marc Deslauriers <email address hidden> Mon, 22 Aug 2011 15:41:50 -0400
ecryptfs-utils (83-0ubuntu3.2.10.04.2) lucid-security; urgency=low * SECURITY UPDATE: wrong mtab ownership and permissions (LP: #830850) - src/utils/mount.ecryptfs_private.c: also set gid and umask before updating mtab. - CVE-2011-3145 -- Marc Deslauriers <email address hidden> Mon, 22 Aug 2011 15:44:59 -0400
Superseded in oneiric-release |
ecryptfs-utils (90-0ubuntu1) oneiric; urgency=low [ Marc Deslauriers ] * SECURITY UPDATE: privilege escalation via mountpoint race conditions (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: chdir into mountpoint before checking permissions in src/utils/mount.ecryptfs_private.c. - CVE-2011-1831 - CVE-2011-1832 * SECURITY UPDATE: race condition when checking source during mount (LP: #732628) - debian/patches/CVE-2011-1833.patch: use new ecryptfs_check_dev_ruid kernel option when mounting directory in src/utils/mount.ecryptfs_private.c. - CVE-2011-1833 * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab in src/utils/mount.ecryptfs_private.c. - CVE-2011-1834 * SECURITY UPDATE: key poisoning via insecure temp directory handling (LP: #732628) - debian/patches/CVE-2011-1835.patch: make sure we don't copy into a user controlled directory in src/utils/ecryptfs-setup-private. - CVE-2011-1835 * SECURITY UPDATE: information disclosure via recovery mount in /tmp (LP: #732628) - debian/patches/CVE-2011-1836.patch: mount inside protected subdirectory in src/utils/ecryptfs-recover-private. - CVE-2011-1836 * SECURITY UPDATE: arbitrary file overwrite via lock counter race condition (LP: #732628) - debian/patches/CVE-2011-1837.patch: verify permissions with a file descriptor, and don't follow symlinks in src/utils/mount.ecryptfs_private.c. - CVE-2011-1837 -- Dustin Kirkland <email address hidden> Wed, 10 Aug 2011 08:36:44 -0500
Available diffs
- diff from 89-0ubuntu2 to 90-0ubuntu1 (141.1 KiB)
Superseded in oneiric-release |
ecryptfs-utils (89-0ubuntu2) oneiric; urgency=low * SECURITY UPDATE: privilege escalation via mountpoint race conditions (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: chdir into mountpoint before checking permissions in src/utils/mount.ecryptfs_private.c. - CVE-2011-1831 - CVE-2011-1832 * SECURITY UPDATE: race condition when checking source during mount (LP: #732628) - debian/patches/CVE-2011-1833.patch: use new ecryptfs_check_dev_ruid kernel option when mounting directory in src/utils/mount.ecryptfs_private.c. - CVE-2011-1833 * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab in src/utils/mount.ecryptfs_private.c. - CVE-2011-1834 * SECURITY UPDATE: key poisoning via insecure temp directory handling (LP: #732628) - debian/patches/CVE-2011-1835.patch: make sure we don't copy into a user controlled directory in src/utils/ecryptfs-setup-private. - CVE-2011-1835 * SECURITY UPDATE: information disclosure via recovery mount in /tmp (LP: #732628) - debian/patches/CVE-2011-1836.patch: mount inside protected subdirectory in src/utils/ecryptfs-recover-private. - CVE-2011-1836 * SECURITY UPDATE: arbitrary file overwrite via lock counter race condition (LP: #732628) - debian/patches/CVE-2011-1837.patch: verify permissions with a file descriptor, and don't follow symlinks in src/utils/mount.ecryptfs_private.c. - CVE-2011-1837 -- Marc Deslauriers <email address hidden> Thu, 04 Aug 2011 10:37:40 -0400
Available diffs
- diff from 89-0ubuntu1 to 89-0ubuntu2 (3.9 KiB)
ecryptfs-utils (83-0ubuntu3.2.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: privilege escalation via mountpoint race conditions (LP: #732628) - src/utils/mount.ecryptfs_private.c: chdir into mountpoint before checking permissions. Patch thanks to Dan Rosenberg. - CVE-2011-1831 - CVE-2011-1832 * SECURITY UPDATE: race condition when checking source during mount (LP: #732628) - src/utils/mount.ecryptfs_private.c: use new ecryptfs_check_dev_ruid kernel option when mounting directory. - CVE-2011-1833 * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628) - src/utils/mount.ecryptfs_private.c: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab. Patch thanks to Dan Rosenberg. - CVE-2011-1834 * SECURITY UPDATE: key poisoning via insecure temp directory handling (LP: #732628) - src/utils/ecryptfs-setup-private: make sure we don't copy into a user controlled directory. - CVE-2011-1835 * SECURITY UPDATE: arbitrary file overwrite via lock counter race condition (LP: #732628) - src/utils/mount.ecryptfs_private.c: verify permissions with a file descriptor, and don't follow symlinks. - CVE-2011-1837 -- Marc Deslauriers <email address hidden> Thu, 04 Aug 2011 10:37:00 -0400
ecryptfs-utils (83-0ubuntu3.2.10.10.1) maverick-security; urgency=low * SECURITY UPDATE: privilege escalation via mountpoint race conditions (LP: #732628) - src/utils/mount.ecryptfs_private.c: chdir into mountpoint before checking permissions. Patch thanks to Dan Rosenberg. - CVE-2011-1831 - CVE-2011-1832 * SECURITY UPDATE: race condition when checking source during mount (LP: #732628) - src/utils/mount.ecryptfs_private.c: use new ecryptfs_check_dev_ruid kernel option when mounting directory. - CVE-2011-1833 * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628) - src/utils/mount.ecryptfs_private.c: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab. Patch thanks to Dan Rosenberg. - CVE-2011-1834 * SECURITY UPDATE: key poisoning via insecure temp directory handling (LP: #732628) - src/utils/ecryptfs-setup-private: make sure we don't copy into a user controlled directory. - CVE-2011-1835 * SECURITY UPDATE: arbitrary file overwrite via lock counter race condition (LP: #732628) - src/utils/mount.ecryptfs_private.c: verify permissions with a file descriptor, and don't follow symlinks. - CVE-2011-1837 -- Marc Deslauriers <email address hidden> Thu, 04 Aug 2011 10:41:53 -0400
ecryptfs-utils (87-0ubuntu1.1) natty-security; urgency=low * SECURITY UPDATE: privilege escalation via mountpoint race conditions (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: chdir into mountpoint before checking permissions in src/utils/mount.ecryptfs_private.c. - CVE-2011-1831 - CVE-2011-1832 * SECURITY UPDATE: race condition when checking source during mount (LP: #732628) - debian/patches/CVE-2011-1833.patch: use new ecryptfs_check_dev_ruid kernel option when mounting directory in src/utils/mount.ecryptfs_private.c. - CVE-2011-1833 * SECURITY UPDATE: mtab corruption via improper handling (LP: #732628) - debian/patches/CVE-2011-1831,1832,1834.patch: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab in src/utils/mount.ecryptfs_private.c. - CVE-2011-1834 * SECURITY UPDATE: key poisoning via insecure temp directory handling (LP: #732628) - debian/patches/CVE-2011-1835.patch: make sure we don't copy into a user controlled directory in src/utils/ecryptfs-setup-private. - CVE-2011-1835 * SECURITY UPDATE: information disclosure via recovery mount in /tmp (LP: #732628) - debian/patches/CVE-2011-1836.patch: mount inside protected subdirectory in src/utils/ecryptfs-recover-private. - CVE-2011-1836 * SECURITY UPDATE: arbitrary file overwrite via lock counter race condition (LP: #732628) - debian/patches/CVE-2011-1837.patch: verify permissions with a file descriptor, and don't follow symlinks in src/utils/mount.ecryptfs_private.c. - CVE-2011-1837 -- Marc Deslauriers <email address hidden> Thu, 04 Aug 2011 10:43:33 -0400
Superseded in oneiric-release |
ecryptfs-utils (89-0ubuntu1) oneiric; urgency=low [ Dustin Kirkland ] * debian/control: - add missing build dependency needed for release * doc/manpage/ecryptfs-wrap-passphrase.1: fix minor error in manpage * src/desktop/ecryptfs-find, src/desktop/Makefile.am: LP: #799157 - add a tool, /usr/share/ecryptfs-utils/ecryptfs-find that can help find cleartext/encrypted filenames by inode number * src/desktop/ecryptfs-find: - test file exists first; ditch the match; search all ecryptfs mounts that user can read/traverse * debian/ecryptfs-utils.links: - add a symlink for Ubuntu * scripts/release.sh: - improve release script [ Serge Hallyn ] * Fix from Christophe Dumez: mount.ecryptfs_private: Do not attempt to update mtab if it is a symbolic link. (LP: #789888) -- Dustin Kirkland <email address hidden> Tue, 19 Jul 2011 14:58:23 -0500
Available diffs
- diff from 88-0ubuntu1 to 89-0ubuntu1 (3.5 KiB)
Superseded in oneiric-release |
ecryptfs-utils (88-0ubuntu1) oneiric; urgency=low * src/utils/mount.ecryptfs_private.c: - reduce the window size for the TOCTOU race; does not entirely solve LP: #732628, which is going to need to be fixed in the kernel with some heavy locking * debian/control: update urls * src/utils/ecryptfs-mount-private: LP: #725862 - fix ecryptfs-mount-private to insert only the fek, if filename encryption is disabled -- Dustin Kirkland <email address hidden> Tue, 24 May 2011 09:47:52 -0500
Available diffs
- diff from 87-0ubuntu1 to 88-0ubuntu1 (7.2 KiB)
ecryptfs-utils (87-0ubuntu1) natty; urgency=low [ Paolo Bonzini <email address hidden> ] * src/utils/ecryptfs-setup-private: update the Private.* selinux contexts [ Dustin Kirkland ] * src/utils/ecryptfs-setup-private: - add -p to mkdir, address noise for a non-error - must insert keys during testing phase, since we remove keys on unmount now, LP: #725862 * src/utils/ecryptfs_rewrap_passphrase.c: confirm passphrases in interactive mode, LP: #667331 -- Dustin Kirkland <email address hidden> Wed, 09 Mar 2011 13:31:29 +0000
Available diffs
- diff from 86-0ubuntu1 to 87-0ubuntu1 (7.1 KiB)
Superseded in natty-release |
ecryptfs-utils (86-0ubuntu1) natty; urgency=low [ Jakob Unterwurzacher ] * src/pam_ecryptfs/pam_ecryptfs.c: - check if this file exists and ask the user for the wrapping passphrase if it does - eliminate both ecryptfs_pam_wrapping_independent_set() and ecryptfs_pam_automount_set() and replace with a reusable file_exists_dotecryptfs() function [ Serge Hallyn and Dustin Kirkland ] * src/utils/mount.ecryptfs_private.c: - support multiple, user configurable private directories by way of a command line "alias" argument - this "alias" references a configuration file by the name of: $HOME/.ecryptfs/alias.conf, which is in an fstab(5) format, as well as $HOME/.ecryptfs/alias.sig, in the same format as Private.sig - if no argument specified, the utility operates in legacy mode, defaulting to "Private" - rename variables, s/dev/src/ and s/mnt/dest/ - add a read_config() function - add an alias char* to replace the #defined ECRYPTFS_PRIVATE_DIR - this is half of the fix to LP: #615657 * doc/manpage/mount.ecryptfs_private.1: document these changes * src/libecryptfs/main.c, src/utils/mount.ecryptfs_private.c: - allow umount.ecryptfs_private to succeed when the key is no longer in user keyring. -- Dustin Kirkland <email address hidden> Thu, 24 Feb 2011 13:43:19 -0600
Available diffs
- diff from 85-0ubuntu1 to 86-0ubuntu1 (6.6 KiB)
ecryptfs-utils (83-0ubuntu3.1maverick) maverick-proposed; urgency=low * Cherry pick upstream bzr commit r520 * src/utils/mount.ecryptfs_private.c: - fix bug LP: #313812, clear used keys on unmount - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from umount.ecryptfs behave similarly - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek -- Dustin Kirkland <email address hidden> Fri, 11 Feb 2011 17:21:59 -0600
ecryptfs-utils (83-0ubuntu3.1) lucid-proposed; urgency=low * Cherry pick upstream bzr commit r520 * src/utils/mount.ecryptfs_private.c: - fix bug LP: #313812, clear used keys on unmount - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from umount.ecryptfs behave similarly - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek -- Dustin Kirkland <email address hidden> Fri, 11 Feb 2011 17:21:59 -0600
Available diffs
- diff from 83-0ubuntu3 to 83-0ubuntu3.1 (1.2 KiB)
Deleted in karmic-proposed (Reason: unverified, karmic EOL) |
ecryptfs-utils (81-0ubuntu3.1) karmic-proposed; urgency=low * Cherry-pick upstream commit bzr r520 * src/utils/mount.ecryptfs_private.c: - fix bug LP: #313812, clear used keys on unmount - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from umount.ecryptfs behave similarly - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek -- Dustin Kirkland <email address hidden> Fri, 11 Feb 2011 17:19:37 -0600
Available diffs
- diff from 81-0ubuntu3 to 81-0ubuntu3.1 (1.2 KiB)
Superseded in natty-release |
ecryptfs-utils (85-0ubuntu1) natty; urgency=low [ Dustin Kirkland ] * src/utils/ecryptfs-recover-private: clean sigs of invalid characters * src/utils/mount.ecryptfs_private.c: - fix bug LP: #313812, clear used keys on unmount - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from umount.ecryptfs behave similarly - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek [ <email address hidden> ] * src/utils/ecryptfs-migrate-home: - support user databases outside of /etc/passwd, LP: #627506 -- Dustin Kirkland <email address hidden> Sun, 19 Dec 2010 10:50:52 -0600
Available diffs
- diff from 84-0ubuntu1 to 85-0ubuntu1 (3.0 KiB)
Superseded in natty-release |
ecryptfs-utils (84-0ubuntu1) natty; urgency=low * src/desktop/ecryptfs-record-passphrase: fix typo, LP: #524139 * debian/rules, debian/control: - disable the gpg key module, as it's not yet functional - clean up unneeded build-deps - also, not using opencryptoki either * doc/manpage/ecryptfs.7: fix minor documentation bug, reported by email by Jon 'maddog' Hall * doc/manpage/ecryptfs-recover-private.1, doc/manpage/Makefile.am, po/POTFILES.in, src/utils/ecryptfs-recover-private, src/utils/Makefile.am: add a utility to simplify data recovery of an encrypted private directory from a Live ISO, LP: #689969 -- Dustin Kirkland <email address hidden> Fri, 17 Dec 2010 20:14:45 -0600
Available diffs
- diff from 83-0ubuntu3 to 84-0ubuntu1 (26.1 KiB)