From ${URL} : I have noticed that ecryptfs-utils is the default program used by the Ubuntu distributions for home folder encryption since version 10.04. In this case, a wrapping key is generated from the user password using the hash function SHA-512 applied 65536 times. By default, the wrapping key is hashed with the default fixed salt (0x0011223344556677) and stored in the a file. This was already noticed in bug : https://bugs.launchpad.net/ecryptfs/+bug/906550 For Ubuntu installations time-memory trade-off (rainbow tables, etc.) can apply, as well as bulk dictionary attacks to crack user passwords of Ubuntu installations when the home folder encryption is activated. I am currently working to correct this weakness. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2014-9687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9687): eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack.
@maintainer(s), please cleanup vulnerable version. Thank you.
commit 6a91f410dd9e57237c472fd392235eb2063ef4d9
