Package: cryptsetup
Version: 2:1.7.3-3
Severity: critical

When logging in to an encrypted system, just press the ENTER button for about 
half an hour (or you may just put a stone on your keyboard) and you will be 
provided with an initramfs shell in which you or someone nasty can modify 
something and do an evil-maid attack, similar to CVE-2016-4484, just with a 
longer time. In short, the vulnerability is not resolved.

In 
[setup_mapping()](https://anonscm.debian.org/cgit/pkg-cryptsetup/cryptsetup.git/tree/debian/initramfs/cryptroot-script#n372) 
it exits rather than halts, and there is no check of the result of the 
decryption in 
[local](https://anonscm.debian.org/cgit/kernel/initramfs-tools.git/tree/scripts/local). 
The quick-and-dirty solution to this is to add `panic=3600` to the kernel 
parameters, which forbids the shell as in 
[panic()](https://anonscm.debian.org/cgit/kernel/initramfs-tools.git/tree/scripts/functions#n44).
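The following is an added example, not part of this report or of initramfs-tools: it models the decision the initramfs `panic()` makes (reboot after `panic=N` seconds, otherwise drop to an interactive shell) and audits a kernel command line for the workaround. The sample command lines are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or initramfs-tools): check whether a
# kernel command line carries the panic= argument that makes the initramfs
# panic() reboot instead of handing out an interactive shell.

# Print the value of panic= from a kernel command line and return 0;
# return 1 when the argument is absent.
panic_timeout() {
    for arg in $1; do
        case "$arg" in
            panic=*) echo "${arg#panic=}"; return 0 ;;
        esac
    done
    return 1
}

# What the initramfs would do once cryptroot gives up:
# "reboot:<N>" when panic=N is present, "shell" otherwise.
initramfs_failure_action() {
    if t=$(panic_timeout "$1"); then
        echo "reboot:$t"
    else
        echo "shell"
    fi
}

# Constructed sample command lines (not captured from any real host).
SAMPLE_UNPATCHED='BOOT_IMAGE=/vmlinuz-4.9.0-2-amd64 root=/dev/mapper/sda3_crypt ro quiet'
SAMPLE_PATCHED='BOOT_IMAGE=/vmlinuz-4.9.0-2-amd64 root=/dev/mapper/sda3_crypt ro quiet panic=3600'

# Audit the running system from /proc/cmdline; non-zero when a shell would be offered.
audit_running_system() {
    [ -r /proc/cmdline ] || { echo "no /proc/cmdline available"; return 2; }
    action=$(initramfs_failure_action "$(cat /proc/cmdline)")
    case "$action" in
        shell)
            echo "WARNING: initramfs would drop to a shell on cryptroot failure"
            return 1 ;;
        *)
            echo "OK: initramfs would reboot after ${action#reboot:} s"
            return 0 ;;
    esac
}

# Run the audit when the script is executed directly; ignore its status here.
audit_running_system || :
```

To make the setting persistent on Debian, add `panic=3600` to `GRUB_CMDLINE_LINUX` in `/etc/default/grub` and run `update-grub`; note that the same argument also makes the kernel itself reboot that many seconds after a real kernel panic.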

Thank you very much!

I am using Debian GNU/Linux 9.0, kernel 4.9.0-2-amd64 and libc6 2.24-10.
