Your message dated Thu, 13 Jan 2022 18:50:05 +0000
with message-id <e1n85aj-0006er...@fasolo.debian.org>
and subject line Bug#1003685: fixed in cryptsetup 2:2.4.3-1
has caused the Debian Bug report #1003685,
regarding CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1003685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cryptsetup
Severity: grave
Tags: security upstream
Justification: root security hole
Control: found -1 2:2.3.5-1
Control: found -1 2:2.4.2-1
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Quoting <https://seclists.org/oss-sec/2022/q1/34>:

| CVE-2021-4122 describes a possible attack against data confidentiality
| through LUKS2 online reencryption extension crash recovery.
|
| An attacker can modify on-disk metadata to simulate decryption in
| progress with crashed (unfinished) reencryption step and persistently
| decrypt part of the LUKS device.
|
| This attack requires repeated physical access to the LUKS device but
| no knowledge of user passphrases.
|
| The decryption step is performed after a valid user activates
| the device with a correct passphrase and modified metadata.
| There are no visible warnings for the user that such recovery happened
| (except using the luksDump command). The attack can also be reversed
| afterward (simulating crashed encryption from a plaintext) with
| possible modification of revealed plaintext.
| […]
| The issue was found by Milan Broz as cryptsetup maintainer.

Upstream fixes:

2.3 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc
2.4 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e

Buster and earlier are not affected since their respective (lib)cryptsetup
don't support LUKS2 online reencryption. I'll provide a debdiff for
bullseye-security.

--
Guilhem.
--- End Message ---
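The advisory notes that luksDump is the only place where an unfinished reencryption (or decryption) step is visible. The following is an added example, not part of the bug report or of cryptsetup itself: it parses luksDump text and flags a header that carries a pending reencryption keyslot, so an administrator can check a device before activating it. The field layout it expects (a `Requirements:` line and a keyslot of type `reencrypt` with `Mode:` and `Direction:` fields) is an assumption about cryptsetup 2.x output, and the sample dump is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `cryptsetup luksDump` output for a LUKS2 device whose header
# carries an unfinished decryption step. The field layout (Requirements line, a
# keyslot of type "reencrypt" with Mode/Direction) is an assumption about 2.x output.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          7
UUID:           00000000-1111-2222-3333-444444444444
Flags:          (no flags)
Requirements:   online-reencrypt

Keyslots:
  0: luks2
        Key:        512 bits
  2: reencrypt (unbound)
        Key:        8 bits
        Mode:       decrypt
        Direction:  forward
"""

def find_reencrypt_state(dump: str) -> Optional[Dict[str, str]]:
    """Return the reencrypt keyslot's fields (and header requirements), or None."""
    m = re.search(r"^\s*(\d+): reencrypt\b(.*?)(?=^\s*\d+: |\Z)", dump, re.M | re.S)
    if m is None:
        return None
    state = {"keyslot": m.group(1)}
    for key in ("Mode", "Direction"):
        f = re.search(rf"^\s*{key}:\s*(\S+)", m.group(2), re.M)
        if f:
            state[key.lower()] = f.group(1)
    req = re.search(r"^Requirements:\s*(.+)$", dump, re.M)
    state["requirements"] = req.group(1).strip() if req else ""
    return state

def describe(dump: str) -> List[str]:
    """Warnings an administrator should see before activating the device."""
    state = find_reencrypt_state(dump)
    if state is None:
        return []
    warnings = [f"keyslot {state['keyslot']}: unfinished reencryption in progress "
                f"(mode={state.get('mode', '?')}, direction={state.get('direction', '?')})"]
    if state.get("mode") == "decrypt":
        warnings.append("mode is 'decrypt': activation would recover part of the device as plaintext")
    return warnings
```

In practice the text passed to `describe()` would be the captured output of `cryptsetup luksDump <device>`; a non-empty result means the header should be inspected before the device is opened.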
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:2.4.3-1
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 13 Jan 2022 19:07:05 +0100
Source: cryptsetup
Architecture: source
Version: 2:2.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-de...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1001063 1003685 1003686
Changes:
 cryptsetup (2:2.4.3-1) unstable; urgency=high
 .
   [ Guilhem Moulin ]
   * New upstream security release 2.4.3, with fix for CVE-2021-4122:
     decryption through LUKS2 reencryption crash recovery.
     (Closes: #1003685, #1003686)
   * Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
 .
   [ Christoph Anton Mitterer ]
   * d/rules: don't expand here-document.
--- End Message ---