This is the patch to solve this for the ecryptfs-add-passphrase and ecryptfs-wrap-passphrase utilities. The rest of the ecryptfs*passphrase* utilities should be solved in a similar manner. These are the most important two, as well as the callers in ecryptfs- setup-private.
This should be released for Intrepid. :-Dustin ** Attachment added: "ecryptfs-utils.287908.patch" http://launchpadlibrarian.net/18811157/ecryptfs-utils.287908.patch -- ecryptfs-setup-private potentially exposes passwords in the process table https://bugs.launchpad.net/bugs/287908 You received this bug notification because you are a member of eCryptfs, which is subscribed to ecryptfs-utils in ubuntu. Status in “ecryptfs-utils” source package in Ubuntu: In Progress Bug description: Binary package hint: ecryptfs-utils ecryptfs-setup-private potentially exposes passwords in the process table. There are two calls in ecryptfs-setup-private to helper utilities: * ecryptfs-wrap-passphrase * ecryptfs-add-passphrase that use passwords on the command line. There is a small yet real possibility that these passwords could be exposed on the process table momentarily. To fix this problem, we need to: a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take passphrases on stdin b) modify the callers to use a dash/bash builtin function (such as echo or printf) to send this passphrases to those utilities on standard in Thanks to Jamie Strandboge for the bug report. :-Dustin _______________________________________________ Mailing list: https://launchpad.net/~ecryptfs Post to : [email protected] Unsubscribe : https://launchpad.net/~ecryptfs More help : https://help.launchpad.net/ListHelp
