FEK is encrypted with FNEK and stored in file header

Bug #342128 reported by Tyler Hicks
Affects         Status        Importance  Assigned to  Milestone
eCryptfs        Fix Released  Critical    Tyler Hicks
linux (Ubuntu)  Fix Released  Critical    Tim Gardner

Bug Description

The file encryption key (FEK) is being encrypted with the file encryption key encryption key (FEKEK) and stored in the file header (correct behavior). The FEK is also being encrypted with the filename encryption key (FNEK) and stored in the file header (incorrect behavior). This results in either the FEKEK or the FNEK being capable of decrypting the FEK and eventually the file contents.
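
A simplified model of the header behavior described above, added here as an illustration; it is not code from eCryptfs or from the patch. The HMAC-based `wrap`/`unwrap` stand-in, the `sig` helper, the role labels and the sample keys are all assumptions made for the example. It shows that a header carrying an FNEK-wrapped FEK can be opened with the FNEK alone, and how an audit can flag such entries.

```python
import hashlib, hmac, os

def sig(key):
    # Model of a key signature labelling each wrapped-FEK entry (assumption).
    return hashlib.sha256(key).hexdigest()[:16]

def wrap(kek, fek):
    # Stand-in key wrap (HMAC-SHA256 pad + tag), not the cipher eCryptfs uses.
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(fek, pad))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered entry
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def write_header(fek, mount_keys, skip_fnek):
    # mount_keys: (key, role) pairs, role is "fekek" or "fnek".
    # skip_fnek=False models the reported behavior, True the corrected one.
    return {sig(k): wrap(k, fek) for k, role in mount_keys
            if not (skip_fnek and role == "fnek")}

def recover_fek(header, key):
    # Try to open the header with a single key.
    blob = header.get(sig(key))
    return unwrap(key, blob) if blob else None

def fnek_wrapped_entries(header, fnek_sigs):
    # Audit check: header entries whose wrapping key is a filename key.
    return sorted(set(header) & set(fnek_sigs))

# Constructed sample keys, for illustration only.
FEKEK = hashlib.sha256(b"constructed FEKEK").digest()
FNEK = hashlib.sha256(b"constructed FNEK").digest()
FEK = os.urandom(16)
MOUNT_KEYS = [(FEKEK, "fekek"), (FNEK, "fnek")]
buggy = write_header(FEK, MOUNT_KEYS, skip_fnek=False)
fixed = write_header(FEK, MOUNT_KEYS, skip_fnek=True)

if __name__ == "__main__":
    print("FNEK opens buggy header:", recover_fek(buggy, FNEK) == FEK)
    print("FNEK opens fixed header:", recover_fek(fixed, FNEK) is not None)
    print("flagged entries:", fnek_wrapped_entries(buggy, [sig(FNEK)]))
```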

Tyler Hicks (tyhicks) wrote :

This is a tested patch that applies to 2.6.29-rc8.

Changed in ecryptfs:
assignee: nobody → tyhicks
importance: Undecided → High
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Sent upstream in hopes of making 2.6.29: http://thread.gmane.org/gmane.linux.kernel/806318

Tyler Hicks (tyhicks)
Changed in ecryptfs:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Dustin Kirkland  (kirkland) wrote :

Tim-

We're absolutely going to want to carry this one for Jaunty.

:-Dustin

Changed in linux:
assignee: nobody → timg-tpi
importance: Undecided → High
milestone: none → ubuntu-9.04-beta
status: New → Triaged
Changed in linux:
importance: High → Critical
Changed in ecryptfs:
importance: High → Critical
Tim Gardner (timg-tpi) wrote :
Changed in linux:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-10.32

---------------
linux (2.6.28-10.32) jaunty; urgency=low

  [ Amit Kucheria ]

  * Delete prepare-ppa-source script

  [ Andy Isaacson ]

  * SAUCE: FSAM7400: select CHECK_SIGNATURE
  * SAUCE: LIRC_PVR150: depends on VIDEO_IVTV
    - LP: #341477

  [ Ayaz Abdulla ]

  * SAUCE: forcedeth: msi interrupt fix
    - LP: #288281

  [ Brad Figg ]

  * Updating armel configs to remove PREEMPT

  [ Catalin Marinas ]

  * Fix the VFP handling on the Feroceon CPU

  [ Huaxu Wan ]

  * SAUCE: (drop after 2.6.28) [Jaunty] iwlagn: fix iwlagn DMA mapping
    direction

  [ Ike Panhc ]

  * squashfs: correct misspelling
    - LP: #322306

  [ Theodore Ts'o ]

  * SAUCE: (drop after 2.6.28) ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl
  * SAUCE: (drop after 2.6.28) ext4: Automatically allocate delay allocated
    blocks on close
  * SAUCE: (drop after 2.6.28) ext4: Automatically allocate delay allocated
    blocks on rename
    - LP: #317781

  [ Tyler Hicks ]

  * SAUCE: (drop after 2.6.28) eCryptfs: Don't encrypt file key with
    filename key
    - LP: #342128

  [ Upstream Kernel Changes ]

  * ALS: hda - Add support of iMac 24 Aluminium
  * USB: fix broken OTG makefile reference
  * ALSA: hda - add another MacBook Pro 3,1 SSID
  * ALSA: hda - Add model entry for HP dv4
  * x86-64: fix int $0x80 -ENOSYS return
    - LP: #339743

 -- Tim Gardner <email address hidden> Thu, 12 Mar 2009 19:16:07 -0600

Changed in linux:
status: Fix Committed → Fix Released
Dustin Kirkland  (kirkland) wrote :

Thanks kernel team.

Tyler-

Would you please close the ecryptfs task when this patch makes it into Linus' git tree upstream?

Thanks,
:-Dustin

Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: In Progress → Fix Released