** Visibility changed to: Public

-- 
leakage in the installer
https://bugs.launchpad.net/bugs/383650

Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Jaunty: Fix Released

Bug description:
Binary package hint: ecryptfs-utils

The mount passphrase is leaked in the Ubuntu installer logs, at /var/log/installer/syslog.

This file is mode 0600:
  -rw------- 1 syslog adm 347379 2009-06-04 11:00 /var/log/installer/syslog

However, it is written to the disk in the clear, and constitutes a leakage of the mount passphrase.

The upstream ecryptfs code (and Karmic) should be modified to support a flag to disable this printing, and the user-setup code should call ecryptfs-setup-private with this flag.

As for Jaunty, I'm attaching a patch to ecryptfs-utils that should be uploaded to jaunty-security. This patch uses sed to prune the offending lines out of /var/log/installer/syslog.

Please advise on whatever additional disclosure mechanisms (if any) need to be invoked (CVE, USN, etc.).

:-Dustin
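The pruning step the report describes, as an added shell example (not the Jaunty patch and not ecryptfs-utils code): it deletes matching lines from a root-only log while keeping the file's inode, owner and mode, and fails if a match survives. The pattern and the sample log lines are constructed, since the report does not show the real log format.

```shell
#!/bin/sh
# Added example, not the Jaunty patch. The pattern and log lines below are
# constructed; the real installer log format is not shown in the report.
HYPOTHETICAL_PATTERN='mount passphrase'

# Write a constructed sample log (mode 0600, like /var/log/installer/syslog).
make_sample_log() {
    ( umask 077
      printf '%s\n' \
        'Jun  4 10:58:01 user-setup: creating user (constructed line)' \
        'Jun  4 10:58:02 user-setup: mount passphrase: CONSTRUCTED-SECRET' \
        'Jun  4 10:58:03 user-setup: done (constructed line)' > "$1" )
}

# Count lines in file $1 matching pattern $2 (prints 0 when none match).
count_matches() { grep -c -e "$2" "$1" || true; }

# Remove every line matching $2 from log $1, keeping inode, owner and mode.
prune_log() {
    pl_log=$1 pl_pat=$2 pl_rc=0
    [ -f "$pl_log" ] || return 2
    # The filtered copy goes to a 0600 temp file beside the log.
    pl_tmp=$(umask 077; mktemp "$(dirname "$pl_log")/.prune.XXXXXX") || return 1
    # grep -v exits 1 when no lines survive; only >1 is a real error.
    grep -v -e "$pl_pat" "$pl_log" > "$pl_tmp" || pl_rc=$?
    if [ "$pl_rc" -gt 1 ]; then rm -f "$pl_tmp"; return 1; fi
    # Overwrite in place rather than rename, so the ownership and mode of
    # the original file are untouched.
    cat "$pl_tmp" > "$pl_log" || { rm -f "$pl_tmp"; return 1; }
    rm -f "$pl_tmp"
    # Fail closed: report an error if any matching line is still present.
    [ "$(count_matches "$pl_log" "$pl_pat")" -eq 0 ]
}
```

Pruning changes only the live file; copies of the old contents in backups, snapshots or freed disk blocks are not affected.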

