FEK is encrypted with FNEK and stored in file header

Bug #342128 reported by Tyler Hicks on 2009-03-13
Affects: eCryptfs | Importance: Critical | Assigned to: Tyler Hicks
Affects: linux (Ubuntu) | Importance: Critical | Assigned to: Tim Gardner

Bug Description

The file encryption key (FEK) is being encrypted with the file encryption key encryption key (FEKEK) and stored in the file header (correct behavior). The FEK is also being encrypted with the filename encryption key (FNEK) and stored in the file header (incorrect behavior). This results in either the FEKEK or the FNEK being capable of decrypting the FEK and eventually the file contents.
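
A simplified model of the flaw described above, added here as an illustration; it is not taken from the eCryptfs source or from the patch attached to this bug. The struct and function names, the one-byte key signatures, the XOR toy wrap and the sample keys are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 16
#define MAX_SLOTS 4
enum key_use { USE_FEKEK, USE_FNEK };   /* hypothetical purpose tag */
struct mount_key { enum key_use use; uint8_t sig; uint8_t key[KEY_LEN]; };
struct slot { uint8_t sig; uint8_t wrapped[KEY_LEN]; };
struct header { int nslots; struct slot slots[MAX_SLOTS]; };
/* Constructed sample keys and FEK (15 chars + NUL each), not real values. */
static const struct mount_key KEYS[2] = {
    { USE_FEKEK, 0xA1, "fekek-demo-key." },
    { USE_FNEK,  0xB2, "fnek--demo-key." },
};
static const uint8_t FEK[KEY_LEN] = "file-data-key..";

/* Toy stand-in for the real cipher: XOR is its own inverse. Not secure. */
static void toy_wrap(uint8_t *out, const uint8_t *in, const uint8_t *key) {
    for (int i = 0; i < KEY_LEN; i++) out[i] = in[i] ^ key[i];
}

/* One wrapped FEK per key; skip_fnek=0 models the reported behavior. */
void write_header(struct header *h, const uint8_t *fek,
                  const struct mount_key *keys, int nkeys, int skip_fnek) {
    h->nslots = 0;
    for (int i = 0; i < nkeys && h->nslots < MAX_SLOTS; i++) {
        if (skip_fnek && keys[i].use == USE_FNEK) continue;  /* FEKEKs only */
        struct slot *s = &h->slots[h->nslots++];
        s->sig = keys[i].sig;
        toy_wrap(s->wrapped, fek, keys[i].key);
    }
}

/* Returns 1 if key k has a slot in the header and unwraps the true FEK. */
int recovers_fek(const struct header *h, const struct mount_key *k) {
    uint8_t out[KEY_LEN];
    for (int i = 0; i < h->nslots; i++) {
        if (h->slots[i].sig != k->sig) continue;
        toy_wrap(out, h->slots[i].wrapped, k->key);
        return memcmp(out, FEK, KEY_LEN) == 0;
    }
    return 0;
}

/* Bitmask of sample keys that recover the FEK: bit 0 FEKEK, bit 1 FNEK. */
int who_can_unwrap(int skip_fnek) {
    struct header h;
    write_header(&h, FEK, KEYS, 2, skip_fnek);
    return recovers_fek(&h, &KEYS[0]) | (recovers_fek(&h, &KEYS[1]) << 1);
}
```

With `skip_fnek` set to 0 both sample keys recover the FEK; with it set to 1 only the FEKEK does, which is the property the header is supposed to have.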

Tyler Hicks (tyhicks) wrote :

This is a tested patch that applies to 2.6.29-rc8.

Changed in ecryptfs:
assignee: nobody → tyhicks
importance: Undecided → High
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Sent upstream in hopes of making 2.6.29: http://thread.gmane.org/gmane.linux.kernel/806318

Tyler Hicks (tyhicks) on 2009-03-13
Changed in ecryptfs:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Dustin Kirkland  (kirkland) wrote :

Tim-

We're absolutely going to want to carry this one for Jaunty.

:-Dustin

Changed in linux:
assignee: nobody → timg-tpi
importance: Undecided → High
milestone: none → ubuntu-9.04-beta
status: New → Triaged
Changed in linux:
importance: High → Critical
Changed in ecryptfs:
importance: High → Critical
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-10.32

---------------
linux (2.6.28-10.32) jaunty; urgency=low

  [ Amit Kucheria ]

  * Delete prepare-ppa-source script

  [ Andy Isaacson ]

  * SAUCE: FSAM7400: select CHECK_SIGNATURE
  * SAUCE: LIRC_PVR150: depends on VIDEO_IVTV
    - LP: #341477

  [ Ayaz Abdulla ]

  * SAUCE: forcedeth: msi interrupt fix
    - LP: #288281

  [ Brad Figg ]

  * Updating armel configs to remove PREEMPT

  [ Catalin Marinas ]

  * Fix the VFP handling on the Feroceon CPU

  [ Huaxu Wan ]

  * SAUCE: (drop after 2.6.28) [Jaunty] iwlagn: fix iwlagn DMA mapping
    direction

  [ Ike Panhc ]

  * squashfs: correct misspelling
    - LP: #322306

  [ Theodore Ts'o ]

  * SAUCE: (drop after 2.6.28) ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl
  * SAUCE: (drop after 2.6.28) ext4: Automatically allocate delay allocated
    blocks on close
  * SAUCE: (drop after 2.6.28) ext4: Automatically allocate delay allocated
    blocks on rename
    - LP: #317781

  [ Tyler Hicks ]

  * SAUCE: (drop after 2.6.28) eCryptfs: Don't encrypt file key with
    filename key
    - LP: #342128

  [ Upstream Kernel Changes ]

  * ALS: hda - Add support of iMac 24 Aluminium
  * USB: fix broken OTG makefile reference
  * ALSA: hda - add another MacBook Pro 3,1 SSID
  * ALSA: hda - Add model entry for HP dv4
  * x86-64: fix int $0x80 -ENOSYS return
    - LP: #339743

 -- Tim Gardner <email address hidden> Thu, 12 Mar 2009 19:16:07 -0600

Changed in linux:
status: Fix Committed → Fix Released
Dustin Kirkland  (kirkland) wrote :

Thanks kernel team.

Tyler-

Would you please close the ecryptfs task when this patch makes it into Linus' git tree upstream?

Thanks,
:-Dustin

Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: In Progress → Fix Released