Your message dated Sun, 13 Feb 2022 22:32:17 +0000 with message-id <e1njnpl-000j55...@fasolo.debian.org> and subject line "Bug#1003686: fixed in cryptsetup 2:2.3.7-1+deb11u1" has caused the Debian Bug report #1003686, regarding "CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1003686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cryptsetup
Severity: grave
Tags: security upstream
Justification: root security hole
Control: found -1 2:2.3.5-1
Control: found -1 2:2.4.2-1
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Quoting <https://seclists.org/oss-sec/2022/q1/34>:

| CVE-2021-4122 describes a possible attack against data confidentiality
| through LUKS2 online reencryption extension crash recovery.
|
| An attacker can modify on-disk metadata to simulate decryption in
| progress with crashed (unfinished) reencryption step and persistently
| decrypt part of the LUKS device.
|
| This attack requires repeated physical access to the LUKS device but
| no knowledge of user passphrases.
|
| The decryption step is performed after a valid user activates
| the device with a correct passphrase and modified metadata.
| There are no visible warnings for the user that such recovery happened
| (except using the luksDump command). The attack can also be reversed
| afterward (simulating crashed encryption from a plaintext) with
| possible modification of revealed plaintext.
| […]
| The issue was found by Milan Broz as cryptsetup maintainer.

Upstream fixes:

2.3 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc
2.4 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e

Buster and earlier are not affected since their respective (lib)cryptsetup don't support LUKS2 online reencryption. I'll provide a debdiff for bullseye-security.

-- 
Guilhem.
signature.asc
Description: PGP signature
--- End Message ---
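The advisory quoted in the report says the only visible trace of such a recovery is in `cryptsetup luksDump` output. The script below is an added example (not code from the bug report, from cryptsetup or from Debian) of what a defender can check after the fact: it parses luksDump output and flags a header that records a reencryption in progress (a `Requirements:` line, a keyslot of type `reencrypt`) or a plaintext (`linear`) data segment on a device that should be fully encrypted. The field layout of the two sample dumps is modelled on luksDump output from memory and the values are constructed, not captured from a real device; `check_device()` assumes `cryptsetup` is on `PATH` and the caller has the privileges to read the header.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: a healthy LUKS2 header as luksDump prints it (layout
# from memory of cryptsetup's output; UUID and sizes are made up).
CLEAN_DUMP = """\
LUKS header information
Version:       	2
Epoch:         	3
UUID:          	00000000-0000-4000-8000-000000000001
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64

Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
"""

# Constructed sample: the same header after its metadata has been altered to
# look like a decryption that crashed part-way: an "online-reencrypt"
# requirement, a plaintext (linear) segment and an unbound reencrypt keyslot.
TAMPERED_DUMP = """\
LUKS header information
Version:       	2
Epoch:         	7
UUID:          	00000000-0000-4000-8000-000000000001
Flags:       	(no flags)
Requirements:  	online-reencrypt

Data segments:
  0: linear
	offset: 16777216 [bytes]
	length: 1048576 [bytes]
  1: crypt
	offset: 17825792 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64

Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
  1: reencrypt (unbound)
	Key:        8 bits
	Mode:       decrypt
	Direction:  forward
"""

SLOT_RE = re.compile(r"^ {1,3}(\d+): (\S+)")          # "  1: reencrypt (unbound)"
FIELD_RE = re.compile(r"^\t(\w[\w ]*?):\s+(.*)$")     # "\tMode:       decrypt"


@dataclass
class DumpFindings:
    requirements: list = field(default_factory=list)       # e.g. ["online-reencrypt"]
    reencrypt_slots: list = field(default_factory=list)    # dicts with num/type/mode/direction
    plaintext_segments: list = field(default_factory=list)  # numbers of "linear" segments

    @property
    def suspicious(self) -> bool:
        return bool(self.requirements or self.reencrypt_slots or self.plaintext_segments)


def parse_luks_dump(text: str) -> DumpFindings:
    """Walk luksDump output line by line; unindented lines are headers or
    top-level fields, 2-space lines open a keyslot/segment entry, tab lines
    are that entry's fields."""
    f = DumpFindings()
    section, entry = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key, _, value = line.partition(":")
            if key == "Requirements":
                f.requirements.extend(value.split())
            section = key if value.strip() == "" else None  # bare "Keyslots:" opens a section
            entry = None
            continue
        m = SLOT_RE.match(line)
        if m:
            entry = {"num": int(m.group(1)), "type": m.group(2)}
            if section == "Keyslots" and entry["type"] == "reencrypt":
                f.reencrypt_slots.append(entry)  # later field lines fill this dict in
            elif section == "Data segments" and entry["type"] == "linear":
                f.plaintext_segments.append(entry["num"])
            continue
        m = FIELD_RE.match(line)
        if m and entry is not None:
            entry[m.group(1).lower()] = m.group(2).strip()
    return f


def describe(f: DumpFindings) -> list:
    """One human-readable line per finding, for a log or a monitoring alert."""
    msgs = [f"header requirement '{r}' set: a reencryption is recorded as in progress"
            for r in f.requirements]
    msgs += [f"keyslot {s['num']} is a reencrypt slot (mode={s.get('mode', '?')}, "
             f"direction={s.get('direction', '?')})" for s in f.reencrypt_slots]
    msgs += [f"data segment {n} is 'linear' (plaintext), not 'crypt'" for n in f.plaintext_segments]
    return msgs


def check_device(device: str) -> DumpFindings:
    """Dump a real header (assumes cryptsetup on PATH and read access to the device)."""
    out = subprocess.run(["cryptsetup", "luksDump", device],
                         check=True, capture_output=True, text=True).stdout
    return parse_luks_dump(out)


if __name__ == "__main__":
    for name, dump in (("clean", CLEAN_DUMP), ("tampered", TAMPERED_DUMP)):
        found = parse_luks_dump(dump)
        print(f"{name}: {'SUSPICIOUS' if found.suspicious else 'ok'}")
        for msg in describe(found):
            print("  -", msg)
```

Run against a real device with `check_device("/dev/sdX")` from a machine you trust; a reencrypt keyslot, an `online-reencrypt` requirement or a linear segment on a volume you never reencrypted is the signal the advisory says the user otherwise never sees. The check is evidence after the fact, not a substitute for the fixed package; the upstream fix is what stops the recovery from being performed on tampered metadata.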
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:2.3.7-1+deb11u1
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of cryptsetup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1003...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 Feb 2022 15:36:35 +0100
Source: cryptsetup
Architecture: source
Version: 2:2.3.7-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-de...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 949336 1003686
Changes:
 cryptsetup (2:2.3.7-1+deb11u1) bullseye-security; urgency=high
 .
   * New upstream security/bugfix release, with fixes for:
     + CVE-2021-4122: decryption through LUKS2 reencryption crash recovery.
       (Closes: #1003686)
     + Key truncation for standalone dm-integrity devices using HMAC integrity
       protection. (Closes: #949336)
   * Update d/gbp.conf and d/salsa-ci.yml to use d/bullseye branch.
Checksums-Sha1:
 01cd2b61ba65d8b15800a6b555a2f49f66a38b56 2905 cryptsetup_2.3.7-1+deb11u1.dsc
 a2eec22f8355334ecb532ce76c5c8e2ffabb846f 10852556 cryptsetup_2.3.7.orig.tar.xz
 d52eba11a31a546d3cbf2d5a5d01732433083b58 115516 cryptsetup_2.3.7-1+deb11u1.debian.tar.xz
 47f629a21d133ce5637c8b1f3dd2eeccecee7941 10163 cryptsetup_2.3.7-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 b483266b87b57bcd07f670f55b2c8aa89557a97611e7fea4a287f57e32ee21a3 2905 cryptsetup_2.3.7-1+deb11u1.dsc
 545808e126c84aee06c18a9ebd1ac6ff9ca0ced4632e6bb5d3ee5cf4e048771e 10852556 cryptsetup_2.3.7.orig.tar.xz
 43ee3e3674a7faf92a694299c66bc9245b4936d0d586d6924b00b9f7ecb5e042 115516 cryptsetup_2.3.7-1+deb11u1.debian.tar.xz
 e0c656f39d7e5046a6a58a81da615877a66448314eae6bf91b475ae264f8a22c 10163 cryptsetup_2.3.7-1+deb11u1_amd64.buildinfo
Files:
 2c263c447cddb2646c4195e318d2b322 2905 admin optional cryptsetup_2.3.7-1+deb11u1.dsc
 de3f6d111c94ed64a1738c2ffa518d3f 10852556 admin optional cryptsetup_2.3.7.orig.tar.xz
 46b117f59fecb8538c169f650fba4aa5 115516 admin optional cryptsetup_2.3.7-1+deb11u1.debian.tar.xz
 c0aa3ba4bdc3c16f16088a34c1b46e95 10163 admin optional cryptsetup_2.3.7-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmIDsg8ACgkQ05pJnDwh
pVLUTg//ZpRyvlPOlLdtIb+U6j9dLw0NKSW3e4ijb8Di+11IjdB6dbnwqDu7+axB
XBHGkWsC/iuElSnCKPejdkqEKXmPl89QLYOaRnWx27uA+Lw3Ylebt6+1hK2jcC7a
IP8+h3gNCjT8e6eIfTlBxmaY8kKDCxx5WRA3PLL6/L5oy6CN3cuG0BjJAx1gX/KK
DuFBoy7/ybtkMjbPaebDMd2vIykANzC/tcrqxn3PN7sfKHU0Byts43QZjGzszYz/
1xG6Krs4EolRWkVoGBqyAA5WKDICRMjcUqsG6GnK0tbP9p4f/1XQqpdpQtMq7tY4
b4ZMl7Q1K/B36LASk3Vx9XIs8jRZb03Q0FbiqOhvr7aOGVPpAyKdRkJrmw5dJvSk
Yjf9/I8zQ1ZN/LsdoAt1rLkiyJf1EgArXILP9b3RwzxQC6VOiMZCE0PTW2aseGqo
0sPyTiSDbRxUopNIEl/5IMOcdc4pVTwMrE8fuwZH5Ha3xFGobFbbnGhbGQGbHlLg
uBHyztewfJEb7YnQj6kptqLvI3guRmkOX59gBJSu5FBhhdEyXkFIpytQPNEH433R
WaJI4ekYLUuulpd+v3MLAhFyX08n51/CZtkwP7HGEqC6EFIK5SuzQvBnLQKd6ZEP
PFAkkRlQAQWWkVyDYQScS4W8kTFdfd+p1BTm1xA2BvSTZq1qY5o=
=f8//
-----END PGP SIGNATURE-----
--- End Message ---