[pkg-cryptsetup-devel] Security issue (CVE-2021-4122) in cryptsetup 2:2.3.5-1

Yves-Alexis Perez corsac at debian.org
Thu Feb 10 19:30:57 GMT 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, 2022-02-10 at 18:49 +0100, Guilhem Moulin wrote:
> Hi corsac,
> 
> The text looks good to me, however I believe that
> 
> On Thu, 10 Feb 2022 at 16:43:21 +0100, Yves-Alexis Perez wrote:
> >    On Debian default configurations the installer uses the LUKS1 format.
> 
> is incorrect. 
> https://salsa.debian.org/installer-team/partman-crypto/-/blob/master/lib/crypto-base.sh#L223
> doesn't pass `--type luks1` hence cryptsetup's own compiled-in default
> version of the LUKS format is used.  Since 2:2.1.0-1 (uploaded during
> the Buster release cycle), that's LUKS2.  (And that led to a d-i
> regression for D-I Buster RC1, namely #927165.)  I therefore suggest
> replacing that sentence with something like
> 
>     LUKS devices that were formatted using a cryptsetup binary from
>     Debian Stretch or earlier are using LUKS1.  However since Debian
>     Buster the default on-disk LUKS format version is LUKS2.  In
>     particular, encrypted devices formatted by the Debian Buster and
>     Bullseye installers are using LUKS2 by default.
> 
> 
Thanks, corrected the text (and added a bit about LUKS1). I'm processing the
package right now and will send the DSA as well.

Thanks again for your work on this!
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmIFZ/EACgkQ3rYcyPpX
RFvGdQf7BKzubJekMnmztMspCEesNODxemofS+y5WzDVCq2Nyl80yfrWkC9GeO7O
WpjE/hD2CUmJhZDSwp2D4hxVJE6N9TTr0CRdhkonU28cBC/DKPZG3y5oX92CeM7z
XZaxcHubOscJn3Nx1hyKAAPS/VjdwGOL2lkvv1P5+R6zV0sh9syHaj/GAawBRvJk
4gOgcRiZP5W+c/50EJHAPXVuQVOiw9dyvY/jfLIn5/2gFSs5juGLCZComLOIShRg
K2w6A6j8faatxS97ydpFsUMEEjqlqnKxuWYzWUUaab6vIYLazFoi9oqa44rYAAX/
5QWB+1Lo6NzCZpTV3ZUqjDCqFdxUjQ==
=Xhf3
-----END PGP SIGNATURE-----
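The point settled in the exchange above is that partman-crypto inherits cryptsetup's compiled-in default format, so the release a volume was created under, not the installer, decides whether it is LUKS1 or LUKS2, and the only reliable way to know is to look at the device (`cryptsetup luksDump <dev>` prints a `Version:` line). As an added example, not code from the thread, the installer or cryptsetup, the Python below reads the fixed binary part of the header at the start of a LUKS device and reports the version field and a few identifying fields; the offsets follow the published LUKS1 and LUKS2 on-disk format specifications, and the sample headers it checks itself against are constructed in the file so it runs offline.

```python
"""Report the on-disk LUKS format version (1 or 2) of a device or header image.

Added example: field offsets are taken from the LUKS1 and LUKS2 on-disk format
specifications; only the fixed binary part of the header is parsed, the LUKS2
JSON metadata area that follows it is not needed to determine the version.
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
HEADER_READ_SIZE = 4096                  # covers the fixed part of either version
MIN_HEADER_BYTES = 208                   # up to and including the uuid field


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-size string field."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf: bytes) -> dict:
    """Return a dict describing the LUKS header in buf; raise ValueError if none."""
    if len(buf) < MIN_HEADER_BYTES:
        raise ValueError("buffer too short to hold a LUKS header")
    magic = buf[0:6]
    if magic not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        raise ValueError("not a LUKS header (bad magic)")
    # In both formats a big-endian uint16 version follows the 6-byte magic.
    (version,) = struct.unpack_from(">H", buf, 6)
    if version == 1:
        if magic != LUKS_MAGIC:
            raise ValueError("LUKS1 has no secondary header")
        # LUKS1 phdr: cipher-name[32] @8, cipher-mode[32] @40, hash-spec[32] @72,
        # payload-offset u32 @104, key-bytes u32 @108, uuid[40] @168.
        payload_offset, key_bytes = struct.unpack_from(">II", buf, 104)
        return {
            "version": 1,
            "cipher": f"{_cstr(buf[8:40])}-{_cstr(buf[40:72])}",
            "hash": _cstr(buf[72:104]),
            "payload_offset_sectors": payload_offset,
            "key_bytes": key_bytes,
            "uuid": _cstr(buf[168:208]),
        }
    if version == 2:
        # LUKS2 binary header: hdr_size u64 @8, seqid u64 @16, label[48] @24,
        # checksum_alg[32] @72, salt[64] @104, uuid[40] @168.
        hdr_size, seqid = struct.unpack_from(">QQ", buf, 8)
        return {
            "version": 2,
            "secondary": magic == LUKS2_SECONDARY_MAGIC,
            "hdr_size": hdr_size,
            "seqid": seqid,
            "label": _cstr(buf[24:72]),
            "checksum_alg": _cstr(buf[72:104]),
            "uuid": _cstr(buf[168:208]),
        }
    raise ValueError(f"unsupported LUKS version {version}")


def luks_version_of_file(path: str) -> dict:
    """Read the first header sectors of a device or header backup and parse them."""
    with open(path, "rb") as fh:
        return parse_luks_header(fh.read(HEADER_READ_SIZE))


# --- constructed sample headers (not dumped from real devices) -------------

def _field(s: str, size: int) -> bytes:
    return s.encode("ascii").ljust(size, b"\0")


def make_luks1_header(uuid: str) -> bytes:
    """Constructed LUKS1 header carrying only the fields parsed above."""
    hdr = bytearray(HEADER_READ_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:40] = _field("aes", 32)
    hdr[40:72] = _field("xts-plain64", 32)
    hdr[72:104] = _field("sha256", 32)
    struct.pack_into(">II", hdr, 104, 4096, 64)  # payload offset, key bytes
    hdr[168:208] = _field(uuid, 40)
    return bytes(hdr)


def make_luks2_header(uuid: str, secondary: bool = False) -> bytes:
    """Constructed LUKS2 binary header (primary or secondary magic)."""
    hdr = bytearray(HEADER_READ_SIZE)
    hdr[0:6] = LUKS2_SECONDARY_MAGIC if secondary else LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ", hdr, 8, 16384, 3)      # hdr_size, seqid
    hdr[72:104] = _field("sha256", 32)
    hdr[168:208] = _field(uuid, 40)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python3 luks_version.py /dev/sdXN  (needs read access to the device)
    for dev in sys.argv[1:]:
        print(dev, luks_version_of_file(dev))
```

A volume that reports version 1 was formatted under Stretch or earlier (or with an explicit `--type luks1`); one that reports version 2 got the compiled-in default of cryptsetup 2.1.0 or later, as on Buster and Bullseye installs. Reading the first sectors of a device is enough for the version field, but it is not a substitute for `cryptsetup luksDump`, which also validates the header checksum and shows the keyslot and reencryption state.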
