FS#44157 - [ecryptfs-utils] release 105 with fix for CVE-2014-9687

Attached to Project: Community Packages
Opened by Ingo Albrecht (indigo) - Wednesday, 11 March 2015, 21:09 GMT
Last edited by Timothy Redaelli (tredaelli) - Tuesday, 17 March 2015, 13:32 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Timothy Redaelli (tredaelli)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Summary:
ecryptfs-utils just got an update to release 105.
The update includes a fix for CVE-2014-9687 [1].

Details:
The main issue is an insecure salt usage in the generation of the wrapped passphrase by ecryptfs-utils. More detail is available in the issue description [2] and the fixing commit [3] [4].

For the fix to be effective, the ecryptfs passphrase needs to be rewrapped.
For Arch this is a manual step _to my understanding_ ([3] shows that the migration/rewrapping is automatic on Ubuntu). Since it is generally advised for ecryptfs usage to keep an offline backup of the (unwrapped) recover-passphrase, these offline backups need to be updated.

Suggestions:
For the above reasons it would be helpful IMO to have pacman notify users when ecryptfs-utils 105 hits stable. A notification could be "ecryptfs passphrase wrapping changed. Rewrap passphrases and update recover passphrases." or something.

Ideally it is also verified beforehand whether the rewrapping for a PAM-mount configured ecryptfs-userhome directory is indeed a manual step or automatic on next login for Arch. (I can test too but usually don't have testing enabled.)

[1] http://packetstormsecurity.com/files/cve/CVE-2014-9687
[2] https://bugs.launchpad.net/ecryptfs/+bug/906550/comments/5
[3] https://code.launchpad.net/~tyhicks/ecryptfs/v2-wrapped-passphrase-files/+merge/249908
[4] http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/839
Closed by Timothy Redaelli (tredaelli)
Tuesday, 17 March 2015, 13:32 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to version 106
