GMS-2022-179: Denial of service via insufficient metadata validation

March 1, 2022 (updated January 11, 2023)

The PAM module for fscrypt through v0.3.2 does not adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to v0.3.3 or above.

For more details, see CVE-2022-25327.

References

github.com/advisories/GHSA-p93v-m2r2-4387
github.com/google/fscrypt/security/advisories/GHSA-p93v-m2r2-4387

Code Behaviors & Features

Detect and mitigate GMS-2022-179 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →