| Summary: | encfs new security issue CVE-2014-3462 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/669659/ | | |
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | encfs-1.7.4-14.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-12-30 22:42:42 CET
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated encfs packages fix security vulnerability:

A local attacker can utilize a possible buffer overflow in the encodeName method of StreamNameIO and BlockNameIO to execute arbitrary code or cause a Denial of Service. Also multiple weak cryptographic practices have been found in encfs (CVE-2014-3462).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3462
https://security.gentoo.org/glsa/201512-09
========================

Updated packages in core/updates_testing:
========================
encfs-1.7.5-1.mga5
libencfs6-1.7.5-1.mga5

from encfs-1.7.5-1.mga5.src.rpm

Assignee: guillomovitch => qa-bugs

May help with testing:
https://www.howtoforge.com/tutorial/encrypt-your-data-with-encfs-debian-jessie/

Whiteboard: (none) => has_procedure

In VirtualBox, M5, KDE, 32-bit

Test procedure taken from:
https://www.howtoforge.com/tutorial/encrypt-your-data-with-encfs-debian-jessie/
https://wiki.archlinux.org/index.php/EncFS

Package(s) under test:
encfs libencfs6

default install of encfs & libencfs6

[root@localhost wilcal]# urpmi encfs
Package encfs-1.7.4-14.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libencfs6
Package libencfs6-1.7.4-14.mga5.i586 is already installed

create two directories:
/home/wilcal/encfs_encrypted
/home/wilcal/encfs_decrypted

mkdir -p /home/wilcal/encfs_encrypted
mkdir -p /home/wilcal/encfs_decrypted

in a user terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
enter "p" for preconfigured mode
enter password

anything you put into, or remove, in /home/wilcal/encfs_decrypted
will be encrypted and mirrored in /home/wilcal/encfs_encrypted

run in a terminal:
fusermount -u /home/wilcal/encfs_decrypted
then delete /home/wilcal/encfs_decrypted

in a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
You will be asked if you want to create:
/home/wilcal/encfs_decrypted
Answer "y" and the directory will be created with the decrypted files.

An even shorter way is to have encfs create both the directories.
Run in a terminal:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
and you will be prompted to create the directories if they don't exist and then you enter the password.

unmount and delete
/home/wilcal/encfs_encrypted
/home/wilcal/encfs_decrypted

install encfs & libencfs6 from updates_testing

[root@localhost wilcal]# urpmi encfs
Package encfs-1.7.5-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libencfs6
Package libencfs6-1.7.5-1.mga5.i586 is already installed

In a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
allow encfs to create both folders and enter password.

Drag some files into /home/wilcal/encfs_decrypted
Encrypted files are created in /home/wilcal/encfs_encrypted

In a terminal run:
fusermount -u /home/wilcal/encfs_decrypted
Delete folder /home/wilcal/encfs_decrypted
empty trash.

in a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
Let encfs create the folder: /home/wilcal/encfs_decrypted
Enter password.
Files will be decrypted from /home/wilcal/encfs_encrypted
and placed in /home/wilcal/encfs_decrypted
Folders are back live.

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Test procedure taken from:
https://www.howtoforge.com/tutorial/encrypt-your-data-with-encfs-debian-jessie/
https://wiki.archlinux.org/index.php/EncFS

Package(s) under test:
encfs lib64encfs6

default install of encfs & lib64encfs6

[root@localhost wilcal]# urpmi encfs
Package encfs-1.7.4-14.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64encfs6
Package lib64encfs6-1.7.4-14.mga5.x86_64 is already installed

create two directories:
/home/wilcal/encfs_encrypted
/home/wilcal/encfs_decrypted

mkdir -p /home/wilcal/encfs_encrypted
mkdir -p /home/wilcal/encfs_decrypted

in a user terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
enter "p" for preconfigured mode
enter password

anything you put into, or remove, in /home/wilcal/encfs_decrypted
will be encrypted and mirrored in /home/wilcal/encfs_encrypted

run in a terminal:
fusermount -u /home/wilcal/encfs_decrypted
then delete /home/wilcal/encfs_decrypted

in a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
You will be asked if you want to create:
/home/wilcal/encfs_decrypted
Answer "y" and the directory will be created with the decrypted files.

An even shorter way is to have encfs create both the directories.
Run in a terminal:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
and you will be prompted to create the directories if they don't exist and then you enter the password.

unmount and delete
/home/wilcal/encfs_encrypted
/home/wilcal/encfs_decrypted

install encfs & lib64encfs6 from updates_testing

[root@localhost wilcal]# urpmi encfs
Package encfs-1.7.5-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64encfs6
Package lib64encfs6-1.7.5-1.mga5.x86_64 is already installed

In a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
allow encfs to create both folders and enter password.

Drag some files into /home/wilcal/encfs_decrypted
Encrypted files are created in /home/wilcal/encfs_encrypted

In a terminal run:
fusermount -u /home/wilcal/encfs_decrypted
Delete folder /home/wilcal/encfs_decrypted
empty trash.

in a terminal run:
encfs /home/wilcal/encfs_encrypted /home/wilcal/encfs_decrypted
Let encfs create the folder: /home/wilcal/encfs_decrypted
Enter password.
Files will be decrypted from /home/wilcal/encfs_encrypted
and placed in /home/wilcal/encfs_decrypted
Folders are back live.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

This slick little application and update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update

Dave Hodgins
2016-01-19 23:45:47 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0026.html

Status: NEW => RESOLVED