This release contains fixes for three security vulnerabilities and related security hardening:
- Correctly handle malicious mountpoint paths in the
fscryptbash completion script (CVE-2022-25328, command injection). - Validate the size, type, and owner (for login protectors) of policy and protector files (CVE-2022-25327, denial of service).
- Make the
fscryptmetadata directories non-world-writable by default (CVE-2022-25326, denial of service). - When running as a non-root user, ignore policy and protector files that aren't owned by the user or by root.
- Also require that the metadata directories themselves and the mountpoint root directory be owned by the user or by root.
- Make policy and protector files mode
0600rather than0644. - Make all relevant files owned by the user when
rootencrypts a directory with a user's login protector, not just the the login protector itself. - Make
pam_fscryptignore system users completely.
Thanks to Matthias Gerstner (SUSE) for reporting the above vulnerabilities and suggesting additional hardening.
Note: none of these vulnerabilities or changes are related to the cryptography used. The main issue was that it wasn't fully considered how fscrypt's metadata storage method could lead to denial-of-service attacks if a local user is malicious.
Although upgrading to v0.3.3 shouldn't break existing users, there may be some edge cases where users were relying on functionality in ways we didn't anticipate. If you encounter any issues, please report them as soon as possible so that we can find a solution for you.