| Name | CVE-2022-25327 |
| Description | The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1006485 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| fscrypt (PTS) | buster | 0.2.4-2 | vulnerable |
| buster (security) | 0.2.4-2+deb10u1 | vulnerable | |
| bullseye | 0.2.9-1 | vulnerable | |
| bookworm | 0.3.3-1 | fixed | |
| sid, trixie | 0.3.4-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| fscrypt | source | (unstable) | 0.3.3-1 | 1006485 |
[bullseye] - fscrypt <no-dsa> (Minor issue)
[buster] - fscrypt <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2022/02/24/1
https://github.com/google/fscrypt/commit/1a47718420317f893831b0223153d56005d5b02b
https://github.com/google/fscrypt/commit/74e870b7bd1585b4b509da47e0e75db66336e576
https://github.com/google/fscrypt/commit/b44fbe71e1e93c47050322af51725bac997641e0