Package: cryptkeeper
Version: 0.9.5-5.1
Severity: critical
Tags: security
X-Debbugs-CC: [email protected]

Hello, guys,

Today I tried to use cryptkeeper for the first time. I created
a new encrypted folder with the wizard, and copied my data into
the folder in Nautilus. Then I unmounted the folder. But later,
when I mounted it once again, cryptkeeper said the password
is wrong (though I 100% know it's true!).

I've looked into the cryptkeeper code and found that it calls encfs
with the -S option:

execlp ("encfs", "encfs", "-S", crypt_dir, mount_dir, NULL);
exit (0);

While the password is passed to encfs using a pipe in this way:
// paranoid default setup mode
//write (fd[1], "y\n", 2);
//write (fd[1], "y\n", 2);
write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

But it seems it's wrong. When I execute the encfs program
from the console

$ encfs -S crypt_dir mount_dir

and pass "p\n", encfs exits and doesn't wait for a password
itself.

I do not know who is to blame, cryptkeeper or encfs, and I don't even
know whether the interface above exists ("p\n" before the password).
But decrypting using the "p" password works for any encrypted directory
created using cryptkeeper. This obviously mustn't work this way.

Kirill

--- System information. ---
Architecture: 
Kernel:       Linux 4.9.3+

Debian Release: 9.0
  500 unstable        ftp.ru.debian.org 
  500 testing         ftp.ru.debian.org 
  500 stable-updates  ftp.ru.debian.org 
  500 stable          security.debian.org 
  500 stable          ftp.ru.debian.org 
    1 experimental    ftp.ru.debian.org 

--- Package information. ---
Depends                   (Version) | Installed
===================================-+-=============
gconf-service                       | 3.2.6-4
libatk1.0-0             (>= 1.12.4) | 2.22.0-1
libc6                      (>= 2.4) | 
libcairo2                (>= 1.2.4) | 
libfontconfig1           (>= 2.9.0) | 
libfreetype6             (>= 2.2.1) | 
libgcc1                (>= 1:4.1.1) | 
libgconf-2-4            (>= 2.31.1) | 
libgdk-pixbuf2.0-0      (>= 2.22.0) | 
libglib2.0-0            (>= 2.16.0) | 
libgtk2.0-0             (>= 2.10.0) | 
libpango1.0-0           (>= 1.14.0) | 
libstdc++6               (>= 4.1.1) | 
libx11-6                            | 
zenity                              | 
fuse                                | 
encfs                               | 


Package's Recommends field is empty.

Package's Suggests field is empty.

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
