Bug 989121 - (CVE-2015-8946) VUL-0: CVE-2015-8946: ecryptfs-setup-swap improperly configures encrypted swap when using GPT partitioning
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.2
Hardware: Other
OS: openSUSE 10.2
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/170955/
Whiteboard: CVSSv2:SUSE:CVE-2015-8946:4.0:(AV:L/A...
Depends on: CVE-2016-6224
Reported: 2016-07-15 09:01 UTC by Andreas Stieger
Modified: 2018-02-01 23:38 UTC
Found By: Security Response Team
Description Andreas Stieger 2016-07-15 09:01:28 UTC
Via RH:

A vulnerability was found in the ecryptfs-setup-swap script that is provided by the upstream ecryptfs-utils project.

On systems using systemd 211 or newer and GPT partitioning, the unencrypted swap partition was being automatically activated during boot and the encrypted swap was not used. This was due to ecryptfs-setup-swap not marking the swap partition as "no-auto", as defined by the Discoverable Partitions Spec.

References:

http://seclists.org/oss-sec/2016/q3/52

Debian bug:

https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/1447282

Fix:

https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/857


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1356828
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8946
http://seclists.org/oss-sec/2016/q3/66
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8946.html
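An added audit check for the condition the description above reports (not code from ecryptfs-utils or from this report): it parses `sgdisk -i` output for one partition and flags a Linux-swap partition that lacks the Discoverable Partitions Spec "no-auto" attribute (GPT attribute bit 63). The sample `sgdisk` output is constructed; the swap type GUID and the bit number come from the spec.

```sh
#!/bin/sh
# Hypothetical audit helper for this report (not from ecryptfs-utils).
# systemd-gpt-auto-generator activates a Linux-swap GPT partition unless the
# Discoverable Partitions Spec "no-auto" attribute (GPT bit 63) is set, so a
# crypttab-backed swap whose raw partition lacks the bit can be swapped on
# unencrypted at boot. Partition type GUID and bit number come from the spec.

LINUX_SWAP_GUID="0657FD6D-A4AB-43C4-84E5-0933C84B4F4F"

# noauto_set MASK: succeed when bit 63 is set in an attribute mask given as
# up to 16 hex digits (the "Attribute flags" value printed by `sgdisk -i`).
noauto_set() {
    mask=$1
    while [ ${#mask} -lt 16 ]; do mask="0$mask"; done   # zero-pad to 64 bits
    case "$mask" in                 # bit 63 is the 8 of the leading nibble
        [89a-fA-F]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_partition_info TEXT: classify the output of `sgdisk -i <n> <disk>`.
# Prints "not-swap", "ok" or "UNSAFE"; a missing flags line counts as unset.
audit_partition_info() {
    ptype=$(printf '%s\n' "$1" | sed -n 's/^Partition GUID code: \([0-9A-Fa-f-]*\).*/\1/p')
    flags=$(printf '%s\n' "$1" | sed -n 's/^Attribute flags: \([0-9A-Fa-f]*\).*/\1/p')
    if [ "$(printf '%s' "$ptype" | tr a-f A-F)" != "$LINUX_SWAP_GUID" ]; then
        echo not-swap
    elif noauto_set "$flags"; then
        echo ok
    else
        echo UNSAFE
    fi
    return 0
}

# Constructed samples standing in for `sgdisk -i` output on two partitions.
SAMPLE_UNSAFE="Partition GUID code: 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F (Linux swap)
Partition unique GUID: 11111111-2222-3333-4444-555555555555
Attribute flags: 0000000000000000
Partition name: 'swap'"
SAMPLE_OK="Partition GUID code: 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F (Linux swap)
Attribute flags: 8000000000000000
Partition name: 'cryptswap'"

echo "plain swap partition:   $(audit_partition_info "$SAMPLE_UNSAFE")"   # UNSAFE
echo "no-auto swap partition: $(audit_partition_info "$SAMPLE_OK")"       # ok
```

On a real system, feed it the output of `sgdisk -i <n> /dev/sdX`; a crypttab-backed swap partition that reports UNSAFE can be corrected with `sgdisk --attributes=<n>:set:63 /dev/sdX`.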
Comment 1 Swamp Workflow Management 2016-07-15 22:00:14 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-07-22 09:54:56 UTC
Based on the systemd version required to trigger this, SLE and openSUSE Leap 42.1 are not affected.

openSUSE Leap 42.2 and openSUSE Tumbleweed are affected with systemd 228.
Comment 5 Swamp Workflow Management 2018-02-01 14:11:36 UTC
SUSE-SU-2018:0336-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 989121,989122
CVE References: CVE-2015-8946,CVE-2016-6224
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ecryptfs-utils-103-8.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    ecryptfs-utils-103-8.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    ecryptfs-utils-103-8.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ecryptfs-utils-103-8.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ecryptfs-utils-103-8.3.1
Comment 6 Andreas Stieger 2018-02-01 18:52:01 UTC
done
Comment 7 Swamp Workflow Management 2018-02-01 23:11:24 UTC
openSUSE-SU-2018:0344-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 989121,989122
CVE References: CVE-2015-8946,CVE-2016-6224
Sources used:
openSUSE Leap 42.3 (src):    ecryptfs-utils-103-7.1