Bug 878257 (CVE-2014-3462) - VUL-1: CVE-2014-3462: encfs: Editing Configuration File Disables MACs
Summary: VUL-1: CVE-2014-3462: encfs: Editing Configuration File Disables MACs
Status: RESOLVED FIXED
Alias: CVE-2014-3462
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98834/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-16 08:33 UTC by Johannes Segitz
Modified: 2017-04-24 15:12 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Johannes Segitz 2014-05-16 08:33:01 UTC
Multiple security issues were discovered during a 10 hour security audit. The results can be seen here:
https://defuse.ca/audits/encfs.htm

One of those security issues was assigned a CVE: CVE-2014-3462

I expect that the other issues identified in the audit will be resolved in future versions of encfs, so this bug is intended to track this.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3462
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3462.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3462
Comment 1 Swamp Workflow Management 2014-05-16 22:00:12 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2016-03-04 14:16:35 UTC
Upstream has the following:

https://github.com/vgough/encfs/issues/9 - Stream Cipher Used to Encrypt Last File Block
This seems to be scheduled for 2.x, is considered a general shortcoming, and fixes would not really be backportable or compatible.

But there is a workaround:
https://github.com/vgough/encfs/issues/14 - Editing Configuration File Disables MACs

That's a new option released in 1.8.1:
> add option --require-macs

This was committed here:
https://github.com/vgough/encfs/commit/9d06412f1c68b0607f27f2a4434a2801fa807a2d

openSUSE 13.2 is on 1.7.4
openSUSE Leap 42.1 is on 1.8

Denisart, the old maintainer is no longer active. You last updated this package; are you willing to take this on?
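The workaround in the comment above relies on the user remembering to pass --require-macs every time. The following is an added example, not code from the encfs project or from anyone in this thread: a small POSIX sh wrapper that performs the same check that option performs (refuse to mount a volume whose .encfs6.xml has blockMACBytes set to 0), and then still passes --require-macs to encfs as a second line of defence. It assumes the volume config is the boost-serialization XML that encfs 1.x writes, with the integrity setting on its own line as <blockMACBytes>N</blockMACBytes>; the two sample configs are constructed inline for the demo and the encfs invocation itself is only reached on a real mount.

```shell
#!/bin/sh
# Added example (not encfs project code). Mirrors the semantic of encfs 1.8.1's
# --require-macs: a config with blockMACBytes == 0 means the volume has no
# per-block MAC and tampering with ciphertext goes undetected, so refuse to mount.

# Print the integer value of element $2 from config file $1 (empty if absent).
# Assumes the element sits on one line, as encfs writes it.
encfs_cfg_value() {
    sed -n "s/.*<$2>\([0-9][0-9]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# Exit status 0 only if the config still requests per-block MACs.
# A missing element counts as disabled: fail closed.
encfs_macs_enabled() {
    mac_bytes=$(encfs_cfg_value "$1" blockMACBytes)
    [ -n "$mac_bytes" ] && [ "$mac_bytes" -gt 0 ]
}

# Wrapper around the real mount: $1 = encrypted root dir, $2 = mount point.
# The pre-check catches a config that was edited behind the user's back
# (e.g. on a synced share); --require-macs makes encfs itself re-check it.
encfs_mount_require_macs() {
    cfg="$1/.encfs6.xml"
    if ! encfs_macs_enabled "$cfg"; then
        echo "refusing to mount $1: blockMACBytes is 0 or missing in $cfg" >&2
        return 1
    fi
    encfs --require-macs "$1" "$2"
}

# Write two constructed sample configs into a temp dir and print its path:
# macs-on.xml is a trimmed encfs 1.8-style config with 8-byte block MACs,
# macs-off.xml is the same file after an attacker set blockMACBytes to 0.
encfs_demo_write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/macs-on.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
	<version>20100713</version>
	<creator>EncFS 1.8</creator>
	<cipherAlg class_id="1" tracking_level="0" version="0">
		<name>ssl/aes</name>
		<major>3</major>
		<minor>0</minor>
	</cipherAlg>
	<keySize>192</keySize>
	<blockSize>1024</blockSize>
	<uniqueIV>1</uniqueIV>
	<chainedNameIV>1</chainedNameIV>
	<externalIVChaining>0</externalIVChaining>
	<blockMACBytes>8</blockMACBytes>
	<blockMACRandBytes>0</blockMACRandBytes>
	<allowHoles>1</allowHoles>
</cfg>
</boost_serialization>
EOF
    # The "attack" from the audit: one edit to the config turns MACs off.
    sed 's/<blockMACBytes>8</<blockMACBytes>0</' "$dir/macs-on.xml" > "$dir/macs-off.xml"
    echo "$dir"
}

# Stand-alone demo: classify both constructed configs without touching encfs.
demo_dir=$(encfs_demo_write_samples)
for f in macs-on.xml macs-off.xml; do
    if encfs_macs_enabled "$demo_dir/$f"; then
        echo "$f: MACs enabled, mount would proceed"
    else
        echo "$f: MACs disabled, mount refused"
    fi
done
```

The check reads the same attacker-controllable file that encfs does, so it cannot detect a config that was edited consistently (e.g. a re-encrypted volume); its only job is to stop a silent downgrade from "MACs on" to "MACs off", which is exactly the case the audit describes. Volumes created without MACs in the first place will be refused too, which is the intended fail-closed behaviour.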
Comment 4 Denisart Benjamin 2016-03-04 19:51:16 UTC
Not really, but it's ok. Is the commit a fix for the issue? If so, I'll integrate the patch atm.
Comment 5 Andreas Stieger 2016-03-06 07:14:21 UTC
(In reply to Denisart Benjamin from comment #4)
> No really but it's ok. Is the commit a fix for the issue ? If so, I
> integrate the patch atm.

For openSUSE Leap 42.1, adding the patch only adds an option that the user still needs to enable. With that in mind, we could go from 1.8 to 1.8.1 altogether, which does the same thing.

For openSUSE 13.2, we can go from 1.7.4 to the same current version.
Comment 6 Andreas Stieger 2016-12-22 10:28:38 UTC
Denisart, Ping would you like to fix this bug?
Comment 7 Andreas Stieger 2016-12-31 22:00:48 UTC
https://build.opensuse.org/request/show/448351
Comment 8 Swamp Workflow Management 2017-01-16 18:24:10 UTC
openSUSE-SU-2017:0158-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 878257
CVE References: CVE-2014-3462
Sources used:
openSUSE Leap 42.2 (src):    encfs-1.8.1-5.1
openSUSE Leap 42.1 (src):    encfs-1.8.1-4.1
openSUSE 13.2 (src):    encfs-1.8.1-25.3.1
Comment 9 Andreas Stieger 2017-04-24 15:12:41 UTC
done