834028 – (CVE-2022-25326, CVE-2022-25327, CVE-2022-25328) <sys-fs/fscrypt-0.3.3: multiple vulnerabilities

Bug 834028 (CVE-2022-25326, CVE-2022-25327, CVE-2022-25328) - <sys-fs/fscrypt-0.3.3: multiple vulnerabilities

Summary: <sys-fs/fscrypt-0.3.3: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2022-25326, CVE-2022-25327, CVE-2022-25328

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2022-02-25 13:54 UTC by John Helmert III
Modified:	2022-04-06 22:14 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-02-25 13:54:10 UTC

CVE-2022-25326 (https://github.com/google/fscrypt/pull/346):

fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable.

CVE-2022-25327 (https://github.com/google/fscrypt/pull/346):

The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above

CVE-2022-25328 (https://github.com/google/fscrypt/pull/346):

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above

Comment 1 John Helmert III archtester

2022-02-25 13:54:23 UTC

Please stabilize 0.3.3.

Comment 2 Sam James archtester

2022-03-17 23:25:24 UTC

ping

Comment 3 Larry the Git Cow gentoo-dev

2022-03-18 14:39:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0497d47af77f0e4821bde8000415b6bcda7cf0c1

commit 0497d47af77f0e4821bde8000415b6bcda7cf0c1
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-03-18 14:38:49 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-18 14:39:20 +0000

    sys-fs/fscrypt: drop vuln 0.3.0-r1, 0.3.1, 0.3.2
    
    Bug: https://bugs.gentoo.org/834028
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 sys-fs/fscrypt/Manifest                            |  6 --
 ...tionally-avoid-installation-of-Ubuntu-spe.patch | 39 ---------
 sys-fs/fscrypt/fscrypt-0.3.0-r1.ebuild             | 96 ---------------------
 sys-fs/fscrypt/fscrypt-0.3.1.ebuild                | 97 ----------------------
 sys-fs/fscrypt/fscrypt-0.3.2.ebuild                | 96 ---------------------
 5 files changed, 334 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18f335af6c258c397b1778bd1b6b8a34e55a952

commit d18f335af6c258c397b1778bd1b6b8a34e55a952
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-03-18 14:37:36 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-18 14:39:19 +0000

    sys-fs/fscrypt: stabilize 0.3.3 for amd64
    
    Bug: https://bugs.gentoo.org/834028
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 sys-fs/fscrypt/fscrypt-0.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)