[pkg-cryptsetup-devel] Security issue (CVE-2021-4122) in cryptsetup 2:2.3.5-1
Christoph Anton Mitterer
calestyo at scientia.org
Tue Feb 1 17:10:22 GMT 2022
Am 1. Februar 2022 11:11:45 MEZ schrieb Yves-Alexis Perez <corsac at debian.org>:
>I don't think [disable-reencryption] alone is really a good idea. We risk
>preventing legitimate users to reencrypt their devices easily
Cryptsetup's main purpose is security... any features unrelated to that, especially when these can be implemented in another way... should stand back.
>, while in the
>attacker model I'm not sure it wouldn't be possible to replace the cryptsetup
>binaries in the initramfs with an older, vulnerable one anyway (same thing for
>any fixed version actually).
Anyone who has kernel/initramfs on the system can anyway protect himself only against one time attacks like theft or to prevent data leakage on decommissioned hardware.
However, when the issue wouldn't be fixed or at least disabled completely, any valid user who has his kernel/initramfs secured (or e.g. always with him) would be still left at risk for no good reason.
Cheers,
Chris
More information about the pkg-cryptsetup-devel
mailing list