A number of flaws were reported [1] in eCryptfs that could allow a user to mount or unmount arbitrary locations, and possibly disclose confidential information:

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to mount to arbitrary locations, leading to privilege escalation. (CVE-2011-1831)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to unmount to arbitrary locations, leading to a denial of service. (CVE-2011-1832)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. Note that this flaw also requires a fix in the kernel to be complete. (CVE-2011-1833)

Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly handled modifications to the mtab file when an error occurs. A local attacker could use this flaw to corrupt the mtab file, and possibly unmount arbitrary locations, leading to a denial of service. (CVE-2011-1834)

Marc Deslauriers discovered that eCryptfs incorrectly handled keys when setting up an encrypted private directory. A local attacker could use this flaw to manipulate keys during creation of a new user. (CVE-2011-1835)

Marc Deslauriers discovered that eCryptfs incorrectly handled permissions during recovery. A local attacker could use this flaw to possibly access another user's data during the recovery process. (CVE-2011-1836)

Vasiliy Kulikov of Openwall discovered that eCryptfs incorrectly handled lock counters. A local attacker could use this flaw to possibly overwrite arbitrary files. (CVE-2011-1837)

[1] https://launchpad.net/bugs/732628
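The mountpoint flaws above (CVE-2011-1831, CVE-2011-1832) come down to a setuid helper trusting a user-supplied path. The following is an added illustration of the class of check such a helper needs, written for this page and not taken from the Ubuntu patches or from ecryptfs-utils: the directory is opened without following a trailing symlink, ownership is verified on the opened inode rather than on the path, and the descriptor is kept for the mount step so the check cannot be raced. The fixture under /tmp and the `demo` helpers are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum mp_check { MP_OK = 0, MP_NOT_OWNER, MP_NOT_DIR, MP_OPEN_FAILED };
/* Validate a user-supplied mountpoint the way a setuid mount helper should:
 * open the final component without following symlinks, then inspect the
 * opened inode rather than the path, so a rename or symlink swap after the
 * check cannot redirect the mount. On success the fd is handed back so the
 * caller can mount through it (fchdir + mount ".") instead of re-resolving. */
int check_mountpoint(const char *path, uid_t caller, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return MP_OPEN_FAILED;   /* ELOOP for a symlink, ENOTDIR for a file */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) { close(fd); return MP_NOT_DIR; }
    if (st.st_uid != caller) { close(fd); return MP_NOT_OWNER; } /* never trust the path alone */
    if (fd_out) *fd_out = fd; else close(fd);
    return MP_OK;
}

/* Constructed fixture (not from the bug report): a directory we own and a
 * symlink pointing at it, created under /tmp and removed by demo_cleanup(). */
static char g_dir[64], g_link[72];
static int fixture(void)
{
    if (g_dir[0]) return 0;
    snprintf(g_dir, sizeof g_dir, "/tmp/mpcheck_%ld", (long)getpid());
    snprintf(g_link, sizeof g_link, "%s.lnk", g_dir);
    return (mkdir(g_dir, 0700) == 0 && symlink(g_dir, g_link) == 0) ? 0 : -1;
}

/* 0: owned directory, 1: symlink to it, 2: caller is not the directory's owner. */
int demo(int scenario)
{
    if (fixture() != 0) return -1;
    switch (scenario) {
    case 0:  return check_mountpoint(g_dir, getuid(), NULL);
    case 1:  return check_mountpoint(g_link, getuid(), NULL);
    default: return check_mountpoint(g_dir, getuid() + 1, NULL);
    }
}

int demo_cleanup(void) { return (unlink(g_link) == 0 && rmdir(g_dir) == 0) ? 0 : -1; }
```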
Created attachment 517480: patch to correct CVE-2011-1831, CVE-2011-1832, and CVE-2011-1834
Created attachment 517481: patch to correct CVE-2011-1833
Created attachment 517482: patch to correct CVE-2011-1835
Created attachment 517483: patch to correct CVE-2011-1836
Created attachment 517484: patch to correct CVE-2011-1837

These five patches came from Ubuntu: https://launchpad.net/ubuntu/+source/ecryptfs-utils/89-0ubuntu2
Created ecryptfs-utils tracking bugs for this issue

Affects: fedora-all [bug 729474]
CVE-2011-1836 only affects Fedora; ecryptfs-recover-private does not exist in ecryptfs-utils-82 (which is what is shipped with Red Hat Enterprise Linux 6).
Created attachment 517492: patch to correct the flaws in RHEL6 (ecryptfs-utils-82)

The other individual patches are suitable for Fedora; this patch is extracted from https://launchpad.net/ubuntu/+source/ecryptfs-utils/83-0ubuntu3.2.10.04.1 and is suitable for RHEL6. It needs some tweaking on RHEL5 (fuzz and one rejected hunk).
Upstream kernel commit to fully fix CVE-2011-1833: http://git.kernel.org/?p=linux/kernel/git/ecryptfs/ecryptfs-2.6.git;a=commit;h=764355487ea220fdc2faf128d577d7f679b91f97
CVE-2011-1836 was moved to separate bug #730964, as it only affects recent ecryptfs-utils versions in Fedora.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2011:1241 https://rhn.redhat.com/errata/RHSA-2011-1241.html