Public bug reported: SRU justification:
Impact: >From mhalcrow's original commit message: Characters with ASCII values greater than the size of filename_rev_map[] are valid filename characters. ecryptfs_decode_from_filename() will access kernel memory beyond that array, and ecryptfs_parse_tag_70_packet() will then decrypt those characters. The attacker, using the FNEK of the crafted file, can then re-encrypt the characters to reveal the kernel memory past the end of the filename_rev_map[] array. I expect low security impact since this array is statically allocated in the text area, and the amount of memory past the array that is accessible is limited by the largest possible ASCII filename character. Fix: Upstream commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 Note: This patch has already been picked up in Lucid as part of the stable updates process, but got overlooked for Natty. ** Affects: linux (Ubuntu) Importance: Medium Assignee: Colin King (colin-king) Status: In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Colin King (colin-king) ** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/944990 Title: ecryptfs: Extend array bounds for all filename chars To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/944990/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs