encfs: Multiple vulnerabilities — GLSA 201512-09

Multiple vulnerabilities have been found in encfs, the worst of which can allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

Affected Packages

sys-fs/encfs on all architectures
Affected versions < 1.7.5
Unaffected versions >= 1.7.5

Background

Encfs is an implementation of encrypted filesystem in user-space using FUSE.

Description

Multiple vulnerabilities have been discovered in encfs. Please review the CVE identifiers referenced below for details.

Impact

A local attacker can utilize a possible buffer overflow in the encodeName method of StreamNameIO and BlockNameIO to execute arbitrary code or cause a Denial of Service. Also multiple weak cryptographics practices have been found in encfs.

Workaround

There is no known workaround at this time.

Resolution

All encfs users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/encfs-1.7.5"
 

References

Release Date
December 30, 2015

Latest Revision
December 30, 2015: 1

Severity
normal

Exploitable
local

Bugzilla entries