Bug 729465 (CVE-2011-1831, CVE-2011-1832, CVE-2011-1834, CVE-2011-1835, CVE-2011-1837)

Summary: CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835 CVE-2011-1837 ecryptfs: multiple flaws to mount/umount arbitrary locations and possibly disclose confidential information
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: esandeen, mhlavink, osoukup, pmatouse
Last Closed: 2012-08-03 08:30:35 UTC
Bug Depends On: 729470, 729471, 729472, 729473, 729474
Bug Blocks: 729476
Attachments:
  patch to correct CVE-2011-1831, CVE-2011-1832, and CVE-2011-1834
  patch to correct CVE-2011-1833
  patch to correct CVE-2011-1835
  patch to correct CVE-2011-1836
  patch to correct CVE-2011-1837
  patch to correct the flaws in RHEL6 (ecryptfs-utils-82)

Description Vincent Danen 2011-08-09 20:15:24 UTC
A number of flaws were reported [1] in eCryptfs that could allow a user to mount or unmount arbitrary locations, and possibly disclose confidential information:

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to mount to arbitrary locations, leading to privilege escalation. (CVE-2011-1831)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to unmount to arbitrary locations, leading to a denial of service. (CVE-2011-1832)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. Note that this flaw also requires a fix in the kernel to be complete. (CVE-2011-1833)

Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly handled modifications to the mtab file when an error occurs. A local attacker could use this flaw to corrupt the mtab file, and possibly unmount arbitrary locations, leading to a denial of service. (CVE-2011-1834)

Marc Deslauriers discovered that eCryptfs incorrectly handled keys when setting up an encrypted private directory. A local attacker could use this flaw to manipulate keys during creation of a new user. (CVE-2011-1835)

Marc Deslauriers discovered that eCryptfs incorrectly handled permissions during recovery. A local attacker could use this flaw to possibly access another user's data during the recovery process. (CVE-2011-1836)

Vasiliy Kulikov of Openwall discovered that eCryptfs incorrectly handled lock counters. A local attacker could use this flaw to possibly overwrite arbitrary files. (CVE-2011-1837)

[1] https://launchpad.net/bugs/732628

Comment 1 Vincent Danen 2011-08-09 20:23:15 UTC
Created attachment 517480
patch to correct CVE-2011-1831, CVE-2011-1832, and CVE-2011-1834

Comment 2 Vincent Danen 2011-08-09 20:23:50 UTC
Created attachment 517481
patch to correct CVE-2011-1833

Comment 3 Vincent Danen 2011-08-09 20:24:09 UTC
Created attachment 517482
patch to correct CVE-2011-1835

Comment 4 Vincent Danen 2011-08-09 20:24:28 UTC
Created attachment 517483
patch to correct CVE-2011-1836

Comment 5 Vincent Danen 2011-08-09 20:25:20 UTC
Created attachment 517484
patch to correct CVE-2011-1837

These five patches came from Ubuntu: https://launchpad.net/ubuntu/+source/ecryptfs-utils/89-0ubuntu2

Comment 7 Vincent Danen 2011-08-09 20:26:53 UTC
Created ecryptfs-utils tracking bugs for this issue

Affects: fedora-all [bug 729474]

Comment 8 Vincent Danen 2011-08-09 21:03:22 UTC
CVE-2011-1836 only affects Fedora; ecryptfs-recover-private does not exist in ecryptfs-utils-82 (which is what is shipped with Red Hat Enterprise Linux 6).

Comment 9 Vincent Danen 2011-08-09 21:40:28 UTC
Created attachment 517492
patch to correct the flaws in RHEL6 (ecryptfs-utils-82)

The other individual patches are suitable for Fedora; this patch is extracted from https://launchpad.net/ubuntu/+source/ecryptfs-utils/83-0ubuntu3.2.10.04.1 and is suitable for RHEL6.  It needs some tweaking on RHEL5 (fuzz and one rejected hunk).

Comment 20 Vincent Danen 2011-08-10 18:00:29 UTC
Upstream kernel commit to fully fix CVE-2011-1833:

http://git.kernel.org/?p=linux/kernel/git/ecryptfs/ecryptfs-2.6.git;a=commit;h=764355487ea220fdc2faf128d577d7f679b91f97

Comment 21 Tomas Hoger 2011-08-16 12:12:03 UTC
CVE-2011-1836 was moved to separate bug #730964, as it only affects recent ecryptfs-utils versions in Fedora.

Comment 30 errata-xmlrpc 2011-08-31 19:41:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1241 https://rhn.redhat.com/errata/RHSA-2011-1241.html