[USN-2524-1] eCryptfs vulnerability

Tyler Hicks tyhicks at canonical.com
Wed Mar 11 00:50:52 UTC 2015 

==========================================================================
Ubuntu Security Notice USN-2524-1
March 11, 2015

ecryptfs-utils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Sensitive information in encrypted home and Private directories could be
exposed if an attacker gained access to your files.

Software Description:
- ecryptfs-utils: eCryptfs cryptographic filesystem utilities

Details:

Sylvain Pelissier discovered that eCryptfs did not generate a random salt when
encrypting the mount passphrase with the login password. An attacker could use
this issue to discover the login password used to protect the mount passphrase
and gain unintended access to the encrypted files.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  ecryptfs-utils                  104-0ubuntu1.14.10.3
  libecryptfs0                    104-0ubuntu1.14.10.3

Ubuntu 14.04 LTS:
  ecryptfs-utils                  104-0ubuntu1.14.04.3
  libecryptfs0                    104-0ubuntu1.14.04.3

Ubuntu 12.04 LTS:
  ecryptfs-utils                  96-0ubuntu3.4
  libecryptfs0                    96-0ubuntu3.4

Ubuntu 10.04 LTS:
  ecryptfs-utils                  83-0ubuntu3.2.10.04.6
  libecryptfs0                    83-0ubuntu3.2.10.04.6

After a standard system update you need to log out of all sessions and then log
back in to make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2524-1
  CVE-2014-9687

Package Information:
  https://launchpad.net/ubuntu/+source/ecryptfs-utils/104-0ubuntu1.14.10.3
  https://launchpad.net/ubuntu/+source/ecryptfs-utils/104-0ubuntu1.14.04.3
  https://launchpad.net/ubuntu/+source/ecryptfs-utils/96-0ubuntu3.4
  https://launchpad.net/ubuntu/+source/ecryptfs-utils/83-0ubuntu3.2.10.04.6

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20150310/f0e5c5f3/attachment.sig>

More information about the ubuntu-security-announce mailing list