Does CVE-2009-0787 affect Red Hat Enterprise Linux?

Updated -

The following information has been provided by Red Hat, but is outside the scope of the posted Service Level Agreements and support procedures. The information is provided as-is and any configuration settings or installed applications made from the information in this article could make the Operating System unsupported by Red Hat Global Support Services. The intent of this article is to provide information to accomplish the system's needs. Use of the information in this article at the user's own risk.

Release Found: The flaw identified by CVE-2009-0787 affected Red Hat Enterprise Linux 5.3. It did not affect Red Hat Enterprise Linux 5 prior to 5.3, Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Enterprise MRG.

Update 9th May 2009: This article has been updated to reflect the release of the Red Hat Security Advisory RHSA-2009:0473. This advisory addresses the flaw identified by CVE-2009-0787 for Red Hat Enterprise Linux 5.


eCryptfs is a cryptographic file system for Linux. eCryptfs was introduced in Red Hat Enterprise Linux 5.2 as a Technology Preview, and remains as a Technology Preview in Red Hat Enterprise Linux 5.3. Technology Previews may not be fully supported by Red Hat, may not be functionally complete, and in general, not suitable for production use.


The flaw identified by CVE-2009-0787 (Red Hat Bugzilla bug 491254) describes a flaw in the ecryptfs_write_metadata_to_contents() function of the Linux kernel, versions 2.6.29-rc8 and earlier (including This flaw was introduced into the Linux kernel version 2.6.28-rc3 via the upstream git commit 87b811c3. On systems with a 4096 byte page-size, this flaw may have caused 4096 bytes of uninitialized kernel memory to be written into the eCryptfs file headers, leading to an information leak.

Red Hat Enterprise Linux 5 is based on the Linux kernel version 2.6.18, and has a backport of the upstream eCryptfs implementation; therefore, it was affected by this vulnerability. To reiterate, this issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The Red Hat Security Advisory RHSA-2009:0473 has addressed this flaw; however, the encrypted files created on systems running the vulnerable version of eCryptfs, may continue to contain leaked data in the eCryptfs file headers.

The upstream ecryptfs-utils developers have created a script to help remove leaked information by re-encrypting all files inside an eCryptfs mount, by making a temporary copy of the files and replacing the originals with the copy, causing the files to be re-created and re-encrypted on the lower eCryptfs file system. Note: This script is not supported by Red Hat. The script and its manual page are available in the upstream ecryptfs-utils source code repository. Further information about the script can be found in the upstream bug report.

This approach, however, has limitations, as the eCryptfs files and mounts are under the control of individual users. The script is meant to be used on files inside of an eCryptfs mount, and as such, it cannot be used to fully resolve the consequences of this leak in all circumstances, as non-privileged users cannot use it to remove their data leaked into other users' eCryptfs files, and system administrators can only use it on eCryptfs mounts that are mounted or have pass phrases known to them. This script may appear in future updates of the ecryptfs-utils packages.