[pkg-cryptsetup-devel] Security issue (CVE-2021-4122) in cryptsetup 2:2.3.5-1

Guilhem Moulin guilhem at debian.org
Thu Jan 13 23:44:20 GMT 2022


Dear security team,

In a recent post cryptsetup upstream has announced [0] a fix for
CVE-2021-4122: decryption through LUKS2 reencryption crash recovery.

Unlike what I claimed in #1003686, 60addcffa6794c29dccf33d8db5347f24b75f2fc
alone isn't enough and I had to cherry-pick quite a few other commits.  It's
essentially https://salsa.debian.org/cryptsetup-team/cryptsetup/-/compare/c80fce5f479231a95fcd91e54cd00350b0cc292b...d6649293a5fd3c0e08c6cd13e6d4b25d6479bf11
minus d45e6788e8f55f1b3cf92893ecc66435edd43426 .  debdiff against 2:2.3.5-1
tested and attached.  (The new unit test file ‘tests/luks2-reencryption-mangle-test’
needs root privileges so won't run on our build daemons, but I tested it
locally.)

Of course, I assume you're not thrilled about the size of that debdiff,
and I'm not either :-/  You might find a more “surgical” fix but I
wasn't able to.  (That vulnerability stems mostly from a design decision
and the redesign seems to span over quite a few commits.)

An alternative is to backport https://salsa.debian.org/cryptsetup-team/cryptsetup/-/commit/d45e6788e8f55f1b3cf92893ecc66435edd43426
alone and build with --disable-luks2-reencryption, but I guess it's not
an option to remove a feature (namely LUKS2 online reencryption) in a
stable release.

If we want to reduce the delta between Debian and upstream's 2.3 branch
we could ship v2.3.7 instead, at the expense of a larger diff between
bullseye and bullseye-security.  I leave that to you, but note that
v2.3.6 was released during the freeze and, while it fixed a rather nasty
bug, we decided not to ask the release team for an unblock request — see
the discussion at https://bugs.debian.org/949336#78 .

Cheers,
-- 
Guilhem.

[0] https://seclists.org/oss-sec/2022/q1/34
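The check a practitioner may want alongside the message above, as an added example that is not part of the original post, the debdiff, or cryptsetup itself: a small inspector for the JSON metadata of a LUKS2 header that reports whether the header carries a `reencrypt` keyslot or an online-reencryption requirement flag, and in particular whether a keyslot is in `decrypt` mode, i.e. the header state that the reencryption crash-recovery code would act on. Field names follow the LUKS2 on-disk format as I understand it (keyslot `type`/`mode`, `config.requirements.mandatory`); the set of flag names treated as reencryption-related, the sample headers, and the two function names are my own constructions and assumptions. On a real device the same object can be dumped with `cryptsetup luksDump --dump-json-metadata <device>`.

```python
import copy
import json

# Requirement flags that cryptsetup records in config.requirements.mandatory
# while LUKS2 online reencryption is in progress.  The v3 flag is the one
# upstream introduced together with the CVE-2021-4122 fix.  Treat this set as
# an assumption to adjust, not as an authoritative list.
REENCRYPT_REQUIREMENTS = {"online-reencrypt", "online-reencrypt-v2", "online-reencrypt-v3"}


def reencryption_state(metadata):
    """Summarise reencryption-related state in a LUKS2 JSON metadata object.

    Returns the ids of "reencrypt" keyslots, their modes, the matching
    requirement flags, any mandatory requirement we do not recognise (cryptsetup
    refuses to activate a device whose mandatory requirements it does not
    understand, so an unknown flag is worth reporting), and an overall verdict.
    """
    keyslots = metadata.get("keyslots", {})
    reencrypt_slots = {
        slot_id: slot for slot_id, slot in keyslots.items()
        if slot.get("type") == "reencrypt"
    }
    mandatory = set(metadata.get("config", {}).get("requirements", {}).get("mandatory", []))
    return {
        "reencrypt_keyslots": sorted(reencrypt_slots),
        "modes": sorted({slot.get("mode", "?") for slot in reencrypt_slots.values()}),
        "requirements": sorted(mandatory & REENCRYPT_REQUIREMENTS),
        "unknown_requirements": sorted(mandatory - REENCRYPT_REQUIREMENTS),
        "in_progress": bool(reencrypt_slots) or bool(mandatory & REENCRYPT_REQUIREMENTS),
    }


def decrypt_in_progress(metadata):
    """True when a reencrypt keyslot says the device is part-way through being
    turned into plaintext ("mode": "decrypt").  If no operator started a
    decryption, this is the header state an attacker would plant for the
    crash-recovery code to finish."""
    return "decrypt" in reencryption_state(metadata)["modes"]


# Constructed sample metadata (not taken from any real device): a header with a
# single ordinary keyslot and no requirements ...
CLEAN_HEADER = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "area": {"type": "raw", "offset": "32768", "size": "258048",
                   "encryption": "aes-xts-plain64", "key_size": 64},
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "c2FsdA=="}}
  },
  "tokens": {},
  "segments": {
    "0": {"type": "crypt", "offset": "16777216", "size": "dynamic", "iv_tweak": "0",
          "encryption": "aes-xts-plain64", "sector_size": 512}
  },
  "digests": {
    "0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"], "hash": "sha256",
          "iterations": 100000, "salt": "c2FsdA==", "digest": "ZGlnZXN0"}
  },
  "config": {"json_size": "12288", "keyslots_size": "16744448"}
}
""")

# ... and the same header carrying a "reencrypt" keyslot in decrypt mode plus
# the online-reencrypt-v2 requirement flag (also constructed).
DECRYPTING_HEADER = copy.deepcopy(CLEAN_HEADER)
DECRYPTING_HEADER["keyslots"]["2"] = {
    "type": "reencrypt", "mode": "decrypt", "direction": "forward", "key_size": 8,
    "area": {"type": "none", "offset": "290816", "size": "16777216"},
}
DECRYPTING_HEADER["config"]["requirements"] = {"mandatory": ["online-reencrypt-v2"]}


if __name__ == "__main__":
    for name, header in (("clean", CLEAN_HEADER), ("decrypting", DECRYPTING_HEADER)):
        flag = "DECRYPT IN PROGRESS" if decrypt_in_progress(header) else ""
        print(name, reencryption_state(header), flag)
```

An unexpected `reencrypt` keyslot, and above all one in `decrypt` mode, on a device nobody is reencrypting is the signal to stop, keep the header as evidence, and not let a cryptsetup build without the fix "recover" it.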
Attachments:
- cryptsetup.debdiff.gz (application/gzip, 32127 bytes): http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20220114/8b6890cb/attachment.gz
- signature.asc (application/pgp-signature, 833 bytes): http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20220114/8b6890cb/attachment.sig