CVE-2022-25326 (https://github.com/google/fscrypt/pull/346): fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable.

CVE-2022-25327 (https://github.com/google/fscrypt/pull/346): The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above.

CVE-2022-25328 (https://github.com/google/fscrypt/pull/346): The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above.
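The advisory above recommends "adjusting the permissions on existing fscrypt metadata directories" for CVE-2022-25326 but does not show how to find the affected directories. The script below is an added example, not code from fscrypt, the upstream PR, or the Gentoo ebuild. It assumes the fscrypt metadata layout <mountpoint>/.fscrypt with policies/ and protectors/ below it, GNU find for the octal -perm tests, and 0755 as this example's own choice of tightened mode; a sticky world-writable directory (/tmp style) is reported but left alone, since that is what a deliberate multi-user setup looks like and the decision belongs to the administrator.

```shell
#!/bin/sh
# Added example, not part of fscrypt or the Gentoo package: audit the fscrypt
# metadata directories of one filesystem for world-writable permissions (the
# condition behind CVE-2022-25326) and tighten them.
#
# Assumptions (this example's, not taken from the bug report):
#   * <mountpoint>/.fscrypt with policies/ and protectors/ below it is the
#     metadata layout being checked.
#   * 0755 is the example's choice of safe mode for a single-admin setup.
#   * GNU find is available (-perm -0002 / -perm -1000 octal tests).

# Classify one directory:
#   missing                 the path is not a directory
#   world-writable          o+w set, no sticky bit: any user can fill the fs
#   sticky-world-writable   o+w with sticky bit; deliberate multi-user setups
#                           look like this, so it is reported, not changed
#   ok                      not writable by others
fscrypt_dir_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    # -prune stops find from descending, so the test applies to $dir itself;
    # find prints the path only when the permission test matches.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        if [ -n "$(find "$dir" -prune -perm -1000)" ]; then
            echo sticky-world-writable
        else
            echo world-writable
        fi
    else
        echo ok
    fi
}

# Walk the metadata directories under one mountpoint. Prints one
# "<state> <path>" line per directory on stderr, chmods plain world-writable
# ones to 0755 (example's choice) and prints the number of directories
# changed on stdout.
fscrypt_audit_mount() {
    mnt=$1
    fixed=0
    for d in "$mnt/.fscrypt" "$mnt/.fscrypt/policies" "$mnt/.fscrypt/protectors"; do
        state=$(fscrypt_dir_state "$d")
        echo "$state $d" >&2
        if [ "$state" = world-writable ]; then
            chmod 0755 "$d"
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Usage: sh fscrypt-audit.sh /mountpoint   (run as root so chmod succeeds)
if [ "$#" -gt 0 ]; then
    fscrypt_audit_mount "$1"
fi
```

Run it once per filesystem that `fscrypt setup` was used on before the upgrade to 0.3.3; the stderr lines give the before state for each directory, and the stdout count tells you how many were tightened, so a second run should report 0.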
Please stabilize 0.3.3.
ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0497d47af77f0e4821bde8000415b6bcda7cf0c1

commit 0497d47af77f0e4821bde8000415b6bcda7cf0c1
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-03-18 14:38:49 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-18 14:39:20 +0000

    sys-fs/fscrypt: drop vuln 0.3.0-r1, 0.3.1, 0.3.2

    Bug: https://bugs.gentoo.org/834028
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 sys-fs/fscrypt/Manifest                            |  6 --
 ...tionally-avoid-installation-of-Ubuntu-spe.patch | 39 ---------
 sys-fs/fscrypt/fscrypt-0.3.0-r1.ebuild             | 96 ---------------------
 sys-fs/fscrypt/fscrypt-0.3.1.ebuild                | 97 ----------------------
 sys-fs/fscrypt/fscrypt-0.3.2.ebuild                | 96 ---------------------
 5 files changed, 334 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18f335af6c258c397b1778bd1b6b8a34e55a952

commit d18f335af6c258c397b1778bd1b6b8a34e55a952
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-03-18 14:37:36 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-18 14:39:19 +0000

    sys-fs/fscrypt: stabilize 0.3.3 for amd64

    Bug: https://bugs.gentoo.org/834028
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 sys-fs/fscrypt/fscrypt-0.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)