Your message dated Thu, 16 Sep 2010 13:47:07 +0000
with message-id <[email protected]>
and subject line Bug#595998: fixed in encfs 1.7.2-1
has caused the Debian Bug report #595998,
regarding Multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
595998: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: encfs
Severity: grave
Tags: security
The following issues were reported to the oss-security mailing list:
----
Hello Steve, vendors,
Micha Riser reported:
[A] http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html
three security flaws in EncFS encrypted filesystem (more from [A]):
"A security analysis of EncFS has revealed multiple vulnerabilities:
(1) Only 32 bit of file IV used
(2) Watermarking attack
(3) Last block with single byte is insecure"
References:
[B] http://www.arg0.net/encfs
[C] http://bugs.gentoo.org/show_bug.cgi?id=335938
[D] http://archives.neohapsis.com/archives/fulldisclosure/2010-08/att-0316/watermark-attack-encfs.tar.gz
[E] https://bugzilla.redhat.com/show_bug.cgi?id=630460
Solutions / patches information:
================================
* for issue (1) -- seems it wasn't fixed / isn't possible to
fix without breaking backward compatibility. More from [B]:
"The old IV setup is kept for backwards compatibility."
* for issue (2) -- EncFS upstream has released a fix for the issue:
[F] http://code.google.com/p/encfs/source/detail?r=59
Valient, could you please confirm that the above referenced [F] patch
is the correct one to address the watermarking attack issue?
* for issue (3) -- not sure about patch status (included in [F] too?)
Steve, could you allocate CVE ids for these flaws?
----
Upstream replied:
----
Jan,
Yes, the patch referenced in [F], specifically changes to SSL_Cipher.cpp, were
made in response to issues (1) & (2). These are not backward compatible, and
so only apply to new filesystems.
Issue (3) is not directly addressed. A workaround is to enable per-block MAC
headers, or per-block random bytes. A patch going into 1.7.2 allows per-block
random bytes to be configured independently of MAC headers. It would be
possible to change the default settings such that per-block random bytes are
always used.
Adding new encryption modes is not planned for encfs 1.x.
regards,
Valient
----
The following CVE assignments have been made:
----
Here goes:
CVE-2010-3073 encfs Only 32 bit of file IV used
CVE-2010-3074 encfs Watermarking attack
CVE-2010-3075 encfs Last block with single byte is insecure
Thanks
-----
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages encfs depends on:
pn fuse-utils <none> (no description available)
pn libboost-serialization1.34.1 <none> (no description available)
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
pn libfuse2 <none> (no description available)
ii libgcc1 1:4.4.4-9 GCC support library
pn librlog1c2a <none> (no description available)
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
encfs recommends no packages.
encfs suggests no packages.
--- End Message ---
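Added here as an example, not part of the bug thread or of the encfs project: a small Python audit of an existing volume's .encfs6.xml against the two points upstream makes above, namely that the file-IV change only applies to newly created filesystems, and that issue (3) is only worked around where per-block MAC headers or per-block random bytes are enabled. The element names, the cipher interface version used as the "new filesystem" threshold, and the sample config are all assumptions; the thread itself names none of them.

```python
# Added example (not from the thread or the encfs project): audit an EncFS
# .encfs6.xml against upstream's two points above. Assumed: the element
# names below, and cipher interface major >= 3 meaning "created after the
# SSL_Cipher.cpp change" (the thread gives no version number).
import xml.etree.ElementTree as ET

# Constructed sample config: cipher interface 3.0, no MAC, no random bytes.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="4">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.2</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
</cfg>
</boost_serialization>"""


def _int_field(cfg, path, default=0):
    """Integer child of <cfg>; a missing element yields default."""
    node = cfg.find(path)
    return int(node.text) if node is not None and node.text else default


def audit_encfs_config(xml_text, new_cipher_major=3):
    """Return the settings of interest plus a findings list (empty = ok)."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an encfs6 config")
    cipher_major = _int_field(cfg, "cipherAlg/major")
    mac_bytes = _int_field(cfg, "blockMACBytes")
    rand_bytes = _int_field(cfg, "blockMACRandBytes")
    findings = []
    if cipher_major < new_cipher_major:
        # The IV fix is not backward compatible: an old volume keeps the old
        # IV setup until it is recreated and the data copied over.
        findings.append("old cipher interface: file-IV fix (issues 1, 2) absent")
    if mac_bytes == 0 and rand_bytes == 0:
        # Both are create-time settings; turning them on in the config of a
        # populated volume changes the block layout and breaks existing files.
        findings.append("no per-block MAC or random bytes: issue (3) workaround off")
    return {"cipher_major": cipher_major, "blockMACBytes": mac_bytes,
            "blockMACRandBytes": rand_bytes, "findings": findings}
```

Run it against a real config only to report; the remedy for either finding is a freshly created volume with the desired settings, not an edit of the existing config.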
--- Begin Message ---
Source: encfs
Source-Version: 1.7.2-1
We believe that the bug you reported is fixed in the latest version of
encfs, which is due to be installed in the Debian FTP archive:
encfs_1.7.2-1.debian.tar.gz
to main/e/encfs/encfs_1.7.2-1.debian.tar.gz
encfs_1.7.2-1.dsc
to main/e/encfs/encfs_1.7.2-1.dsc
encfs_1.7.2-1_amd64.deb
to main/e/encfs/encfs_1.7.2-1_amd64.deb
encfs_1.7.2.orig.tar.gz
to main/e/encfs/encfs_1.7.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <[email protected]> (supplier of updated encfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 16 Sep 2010 15:43:04 +0200
Source: encfs
Binary: encfs
Architecture: source amd64
Version: 1.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <[email protected]>
Changed-By: Eduard Bloch <[email protected]>
Description:
encfs - encrypted virtual filesystem
Closes: 595998
Changes:
encfs (1.7.2-1) unstable; urgency=high
.
* New upstream release dealing with security issues (closes: #595998)
--- End Message ---