fscrypt-0.3.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11902 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z fscrypt-0.3.3-1.1 on GA media These are all security issues fixed in the fscrypt-0.3.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11902 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11902 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-25326/ SUSE CVE CVE-2022-25326 page https://www.suse.com/security/cve/CVE-2022-25327/ SUSE CVE CVE-2022-25327 page https://www.suse.com/security/cve/CVE-2022-25328/ SUSE CVE CVE-2022-25328 page openSUSE Tumbleweed fscrypt-0.3.3-1.1 pam-fscrypt-0.3.3-1.1 fscrypt-0.3.3-1.1 as a component of openSUSE Tumbleweed pam-fscrypt-0.3.3-1.1 as a component of openSUSE Tumbleweed fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable. CVE-2022-25326 openSUSE Tumbleweed:fscrypt-0.3.3-1.1 openSUSE Tumbleweed:pam-fscrypt-0.3.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25326.html CVE-2022-25326 The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above CVE-2022-25327 openSUSE Tumbleweed:fscrypt-0.3.3-1.1 openSUSE Tumbleweed:pam-fscrypt-0.3.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25327.html CVE-2022-25327 The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above CVE-2022-25328 openSUSE Tumbleweed:fscrypt-0.3.3-1.1 openSUSE Tumbleweed:pam-fscrypt-0.3.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25328.html CVE-2022-25328