** Also affects: ecryptfs
Importance: Undecided
Status: New
** Changed in: ecryptfs
Status: New => Fix Released
--
ecryptfs-setup-private potentially exposes passwords in the process table
https://bugs.launchpad.net/bugs/287908
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in eCryptfs - Enterprise Cryptographic Filesystem: Fix Released
Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Intrepid: Fix Released
Bug description:
Binary package hint: ecryptfs-utils
ecryptfs-setup-private potentially exposes passwords in the process table.
There are two calls in ecryptfs-setup-private to helper utilities:
* ecryptfs-wrap-passphrase
* ecryptfs-add-passphrase
that use passwords on the command line.
There is a small yet real possibility that these passwords could be exposed on
the process table momentarily.
To fix this problem, we need to:
a) patch both ecryptfs-wrap-passphrase and ecryptfs-add-passphrase to take
passphrases on stdin
b) modify the callers to use a dash/bash builtin function (such as echo or
printf) to send this passphrases to those utilities on standard in
Thanks to Jamie Strandboge for the bug report.
:-Dustin
_______________________________________________
Mailing list: https://launchpad.net/~ecryptfs
Post to : [email protected]
Unsubscribe : https://launchpad.net/~ecryptfs
More help : https://help.launchpad.net/ListHelp
