oss-sec mailing list archives
Re: CVE Request - ecryptfs-utils
From: Marcus Meissner <meissner () suse de>
Date: Fri, 21 Nov 2008 14:08:06 +0100
On Tue, Nov 18, 2008 at 01:56:59PM +0100, Jan Lieskovsky wrote:
> Hello Steve,
>
> noticed, the following issue still lacks a separate CVE identifier:
>
> References:
> http://secunia.com/Advisories/32382/
> http://www.openwall.com/lists/oss-security/2008/10/23/3
> http://www.openwall.com/lists/oss-security/2008/10/29/4
> http://www.openwall.com/lists/oss-security/2008/10/29/7
>
> Upstream commits:
> http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=06de99afd53f03fe07eda0ad9d61ac6d5d4d9f53
> http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=0af27a5d514dc4bbc077f07cf33a5d5b362a9193

This last commit is still bad, it uses
  printf "$PASSPHRASE..." stuff
instead of
  printf "%s" "$PASSPHRASE..."

So you can program format exploits in shell...

http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=blob;f=src/utils/ecryptfs-setup-private;h=7780a4e43983dee18fd5e08318b41bccd57a7298;hb=HEAD

is the current version and looks better.

This script (ecryptfs-setup-private) btw allows passing passphrases on the
commandline too. *sigh*

Ciao, Marcus
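
The difference between the two printf forms named in the message above, as an added example that is not part of the original post or of ecryptfs-utils: it shows how a passphrase used as the format string is altered in transit, and includes a small lint heuristic for finding such calls. The function names and the sample passphrases are constructed for illustration.

```shell
#!/bin/sh
# Constructed passphrases below are sample data, not values from ecryptfs-utils.

# Pattern criticised in the message: the passphrase is the printf FORMAT,
# so "%" directives and "\" escapes inside it are interpreted.
emit_unsafe() { printf "$1\n"; }

# Pattern the message recommends: fixed format, passphrase as an argument.
emit_safe() { printf '%s\n' "$1"; }

# Succeeds (exit 0) when the unsafe form changes the passphrase in transit.
is_mangled() {
    [ "$(emit_unsafe "$1" 2>/dev/null)" != "$1" ]
}

# Hypothetical lint helper: reads a script on stdin and lists printf calls
# whose double-quoted format string contains a variable expansion.
# Heuristic only: it misses unquoted formats and forms like `printf -- "$x"`.
find_var_formats() {
    grep -nE 'printf[[:space:]]+"[^"]*\$' || true
}

# Print a comparison table for a few constructed passphrases.
demo() {
    for p in 'correct horse' '100%sure' 'back\tslash' 'pin%d'; do
        if is_mangled "$p"; then state=MANGLED; else state=intact; fi
        printf '%-14s unsafe=[%s] safe=[%s] %s\n' "$p" \
            "$(emit_unsafe "$p" 2>/dev/null)" "$(emit_safe "$p")" "$state"
    done
}

demo
```

A passphrase that is silently changed on its way into a key-wrapping step produces a key the user cannot reproduce later, which is why the fixed `%s` format matters even when nobody is attacking the script.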