Candidate: CVE-2022-25328
PublicDate: 2022-02-25 11:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25328
 https://www.openwall.com/lists/oss-security/2022/02/24/1
 https://github.com/google/fscrypt/commit/fa1a1fdbdea65829ce24a6b6f86ce2961e465b02
Description:
 The bash_completion script for fscrypt allows injection of commands via
 crafted mountpoint paths, allowing privilege escalation under a specific
 set of circumstances. A local user who has control over mountpoint paths
 could potentially escalate their privileges if they create a malicious
 mountpoint path and if the system administrator happens to be using the
 fscrypt bash completion script to complete mountpoint paths. We recommend
 upgrading to version 0.3.3 or above
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H [7.3 HIGH]

Patches_fscrypt:
 upstream: https://github.com/google/fscrypt/commit/fa1a1fdbdea65829ce24a6b6f86ce2961e465b02
upstream_fscrypt: released (0.3.3)
trusty_fscrypt: ignored (out of standard support)
xenial_fscrypt: ignored (out of standard support)
bionic_fscrypt: not-affected (code not present)
focal_fscrypt: not-affected (code not present)
impish_fscrypt: not-affected (code not present)
jammy_fscrypt: not-affected (0.3.3-1)
devel_fscrypt: not-affected (0.3.3-1)