Hello community,

here is the log from the commit of package ecryptfs-utils for openSUSE:11.4
checked in at Wed Dec 14 17:56:33 CET 2011.



--------
--- old-versions/11.4/UPDATES/all/ecryptfs-utils/ecryptfs-utils.changes 
2011-08-11 18:07:00.000000000 +0200
+++ 11.4/ecryptfs-utils/ecryptfs-utils.changes  2011-12-14 15:48:00.000000000 
+0100
@@ -1,0 +2,6 @@
+Wed Dec 14 15:26:04 CET 2011 - meiss...@suse.de
+
+- Fixed umask of /etc/mtab.tmp and get / drop group rights
+  before/after failed mounting. bnc#735342 / CVE-2011-3145
+
+-------------------------------------------------------------------

calling whatdependson for 11.4-i586


New:
----
  ecryptfs-utils-CVE-2011-3145.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ecryptfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.gvtA9i/_old  2011-12-14 17:55:59.000000000 +0100
+++ /var/tmp/diff_new_pack.gvtA9i/_new  2011-12-14 17:55:59.000000000 +0100
@@ -25,13 +25,14 @@
 AutoReqProv:    on
 Summary:        Userspace Utilities for ecryptfs
 Version:        83
-Release:        6.<RELEASE7>
+Release:        6.<RELEASE9>
 Source0:        
http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%version.orig.tar.gz
 Source1:        baselibs.conf
 Patch0:         CVE-2011-1831,1832,1834.patch
 Patch1:         CVE-2011-1833.patch
 Patch2:         CVE-2011-1835.patch
 Patch4:         CVE-2011-1837.patch
+Patch5:         ecryptfs-utils-CVE-2011-3145.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gtk2-devel intltool keyutils-devel keyutils-libs 
libgcrypt-devel mozilla-nss-devel openssl-devel pam-devel pkcs11-helper-devel 
python-devel trousers-devel
 BuildRequires:  update-desktop-files
@@ -55,6 +56,7 @@
 %patch1 -p1
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
 
 %build
 export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"

++++++ ecryptfs-utils-CVE-2011-3145.patch ++++++
Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c
+++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
@@ -221,12 +221,14 @@ int update_mtab(char *dev, char *mnt, ch
        int fd;
        FILE *old_mtab, *new_mtab;
        struct mntent *old_ent, new_ent;
+       mode_t old_umask;
 
        /* Make an attempt to play nice with other mount helpers
         * by creating an /etc/mtab~ lock file. Of course this
         * only works if those other helpers actually check for
         * this.
         */
+       old_umask = umask(0333);
        fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644);
        if (fd < 0) {
                perror("open");
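Review bot: The `umask(0333)` set before the `open()` of `/etc/mtab~` is restored only on the success return and at the `fail_early` exit shown in the later hunks, and the `if (fd < 0)` branch here continues outside the hunk. If that branch, or any later check in update_mtab(), returns directly instead of jumping to a label, the process keeps the 0333 mask; a `umask(old_umask);` before each direct `return 1;` would cover that. The mask also clears the owner write bit, so a file created with mode 0644 under it comes out 0444, and a one-line comment next to the call stating why 0333 was chosen would save the next reader from guessing.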
@@ -279,6 +281,8 @@ int update_mtab(char *dev, char *mnt, ch
 
        unlink("/etc/mtab~");
 
+       umask(old_umask);
+
        return 0;
 
 fail:
@@ -288,6 +292,7 @@ fail_late:
 fail_early:
        endmntent(old_mtab);
        unlink("/etc/mtab~");
+       umask(old_umask);
        return 1;
 }
 
@@ -424,7 +429,7 @@ int zero(FILE *fh) {
  *  c) updating /etc/mtab
  */
 int main(int argc, char *argv[]) {
-       int uid, mounting;
+       int uid, gid, mounting;
        int force = 0;
        int fnek = 1;
        struct passwd *pwd;
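Review bot: `gid` is declared as `int` next to `uid`, but it is filled from `getgid()` in the following hunk and later handed back to `setregid(gid, gid)`, both of which work in `gid_t`. Declaring the saved IDs in their own types, `uid_t uid; gid_t gid; int mounting;`, keeps them in the form the set*id calls expect and avoids a signed round-trip. main()'s body continues outside the hunk.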
@@ -433,6 +438,7 @@ int main(int argc, char *argv[]) {
        FILE *fh_counter = NULL;
 
        uid = getuid();
+       gid = getgid();
        /* Non-privileged effective uid is sufficient for all but the code
         * that mounts, unmounts, and updates /etc/mtab.
         * Run at a lower privilege until we need it.
@@ -549,7 +555,16 @@ int main(int argc, char *argv[]) {
                 * the real uid to be that of the user.
                 * And we need the effective uid to be root in order to mount.
                 */
-               setreuid(-1, 0);
+               if (setreuid(-1, 0) < 0) {
+                       perror("setreuid");
+                       return 1;
+               }
+               if (setregid(-1, 0) < 0) {
+                       perror("setregid");
+                       setreuid(uid, uid);
+                       return 1;
+               }
+
                /* Perform mount */
                if (mount(dev, ".", FSTYPE, 0, opt) == 0) {
                        if (update_mtab(dev, mnt, opt) != 0) {
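Review bot: Both new error paths leave main() with `return 1;`, while the other failure exits visible in this patch use `goto fail;`. If the `fail:` label (outside the hunk) releases anything acquired earlier, such as the `fh_counter` stream declared at the top of main(), these two paths skip it; `goto fail;` after the `perror()` would keep them consistent. In the `setregid` failure path the result of `setreuid(uid, uid)` is also ignored, so a failed drop goes unreported; `if (setreuid(uid, uid) < 0) perror("setreuid");` would match the check used after a failed mount.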
@@ -561,6 +576,9 @@ int main(int argc, char *argv[]) {
                        if (setreuid(uid, uid) < 0) {
                                perror("setreuid");
                        }
+                       if (setregid(gid, gid) < 0) {
+                               perror("setregid");
+                       }
                        goto fail;
                }
        } else {
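Review bot: After a failed mount the group is given up only after `setreuid(uid, uid)` has already dropped root, and a failure of either call is only printed. The usual revocation order (CERT POS36-C) is group first, then user; the `setregid(gid, gid)` here appears to be permitted after the uid drop only because the real gid was never changed by the earlier `setregid(-1, 0)`. Moving the `setregid(gid, gid)` block above the `setreuid(uid, uid)` block removes that dependency. The enclosing `else` branch starts outside the hunk.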
@@ -581,6 +599,7 @@ int main(int argc, char *argv[]) {
                 * Do not use the umount.ecryptfs helper (-i).
                 */
                setresuid(0,0,0);
+               setresgid(0,0,0);
                execl("/bin/umount", "umount", "-i", "-l", ".", NULL);
                perror("execl unmount failed");
                goto fail;
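Review bot: The added `setresgid(0,0,0)` is not checked, and neither is the `setresuid(0,0,0)` above it, so `/bin/umount` is executed even when one of them fails and the process holds a different set of IDs than intended. The mount path in this same patch checks `setreuid` and `setregid`; the same treatment here would be `if (setresgid(0,0,0) < 0) { perror("setresgid"); goto fail; }`, and likewise for `setresuid`. The surrounding unmount branch starts outside the hunk.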


