Source: fscrypt Version: 0.3.1-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for fscrypt. CVE-2022-25326[0]: | fscrypt through v0.3.2 creates a world-writable directory by default | when setting up a filesystem, allowing unprivileged users to exhaust | filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and | adjusting the permissions on existing fscrypt metadata directories | where applicable. CVE-2022-25327[1]: | The PAM module for fscrypt doesn't adequately validate fscrypt | metadata files, allowing users to create malicious metadata files that | prevent other users from logging in. A local user can cause a denial | of service by creating a fscrypt metadata file that prevents other | users from logging into the system. We recommend upgrading to version | 0.3.3 or above CVE-2022-25328[2]: | The bash_completion script for fscrypt allows injection of commands | via crafted mountpoint paths, allowing privilege escalation under a | specific set of circumstances. A local user who has control over | mountpoint paths could potentially escalate their privileges if they | create a malicious mountpoint path and if the system administrator | happens to be using the fscrypt bash completion script to complete | mountpoint paths. We recommend upgrading to version 0.3.3 or above The issues do not warrant a DSA, but depending on feasibility it would be good th ave the fixes available as well in bullseye and buster through a point release. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-25326 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25326 [1] https://security-tracker.debian.org/tracker/CVE-2022-25327 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25327 [2] https://security-tracker.debian.org/tracker/CVE-2022-25328 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25328 [3] https://www.openwall.com/lists/oss-security/2022/02/24/1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
