v0.3.3

@ebiggers ebiggers released this 23 Feb 21:25

This release contains fixes for three security vulnerabilities and related security hardening:

  • Correctly handle malicious mountpoint paths in the fscrypt bash completion script (CVE-2022-25328, command injection).
  • Validate the size, type, and owner (for login protectors) of policy and protector files (CVE-2022-25327, denial of service).
  • Make the fscrypt metadata directories non-world-writable by default (CVE-2022-25326, denial of service).
  • When running as a non-root user, ignore policy and protector files that aren't owned by the user or by root.
  • Also require that the metadata directories themselves and the mountpoint root directory be owned by the user or by root.
  • Make policy and protector files mode 0600 rather than 0644.
  • Make all relevant files owned by the user when root encrypts a directory with a user's login protector, not just the login protector itself.
  • Make pam_fscrypt ignore system users completely.

Thanks to Matthias Gerstner (SUSE) for reporting the above vulnerabilities and suggesting additional hardening.

Note: none of these vulnerabilities or changes are related to the cryptography used. The main issue was that it hadn't been fully considered how fscrypt's metadata storage method could be abused by a malicious local user to cause denial of service.

Although upgrading to v0.3.3 shouldn't break existing users, there may be some edge cases where users were relying on functionality in ways we didn't anticipate. If you encounter any issues, please report them as soon as possible so that we can find a solution for you.