This bug was fixed in the package ecryptfs-utils - 99-0ubuntu1 --------------- ecryptfs-utils (99-0ubuntu1) quantal; urgency=low
[ Dustin Kirkland ] * debian/ecryptfs-utils.postinst: LP: #936093 - ensure desktop file is executable * precise [ Wesley Wiedenmeier ] * src/utils/mount.ecryptfs.c: LP: #329264 - remove old hack, that worked around a temporary kernel regression; ensure that all mount memory is mlocked [ Sebastian Krahmer ] * src/pam_ecryptfs/pam_ecryptfs.c: LP: #732614 - drop group privileges in the same places that user privileges are dropped - check return status of setresuid() calls and return if they fail - drop privileges before checking for the existence of ~/.ecryptfs/auto-mount to prevent possible file existence leakage by a symlink to a path that typically would not be searchable by the user - drop privileges before reading salt from the rc file to prevent the leakage of root's salt and, more importantly, using the incorrect salt - discovered, independently, by Vasiliy Kulikov and Sebastian Krahmer * src/pam_ecryptfs/pam_ecryptfs.c: LP: #1020904 - after dropping privileges, clear the environment before executing the private eCryptfs mount helper - discovered by Sebastian Krahmer * src/utils/mount.ecryptfs_private.c: LP: #1020904 - do not allow private eCryptfs mount aliases to contain ".." characters as a preventative measure against a crafted file path being used as an alias - force the MS_NOSUID mount flag to protect against user controlled lower filesystems, such as an auto mounted USB drive, that may contain a setuid-root binary + CVE-2012-3409 - force the MS_NODEV mount flag - after dropping privileges, clear the environment before executing umount - discovered by Sebastian Krahmer [ Tyler Hicks ] * src/libecryptfs/key_management.c: LP: #732614 - zero statically declared buffers to prevent the leakage of stack contents in the case of a short file read - discovered by Vasiliy Kulikov * src/libecryptfs/module_mgr.c, src/pam_ecryptfs/pam_ecryptfs.c: - fix compiler warnings -- Dustin Kirkland <kirkl...@ubuntu.com> Fri, 13 Jul 2012 09:52:36 -0500 ** Changed in: ecryptfs-utils (Ubuntu) Status: Fix Committed => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3409 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/936093 Title: Access-Your-Private-Data.desktop is not executable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/936093/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs