| 2009-11-04 15:54:21 |
Sergey Dolgov |
bug |
|
|
added bug |
| 2009-11-27 17:34:42 |
LimCore |
security vulnerability |
no |
yes |
|
| 2009-11-27 17:35:28 |
LimCore |
cryptsetup (Ubuntu): status |
New |
Confirmed |
|
| 2009-12-15 07:16:47 |
Steve Langasek |
security vulnerability |
yes |
no |
|
| 2010-02-04 12:54:06 |
C de-Avillez |
cryptsetup (Ubuntu): importance |
Undecided |
High |
|
| 2010-02-04 14:07:24 |
LimCore |
attachment added |
|
cryptsetup_1.0.6+20090405.svn49-1ubuntu7.3.debdiff http://launchpadlibrarian.net/38752314/cryptsetup_1.0.6%2B20090405.svn49-1ubuntu7.3.debdiff |
|
| 2010-02-04 14:10:58 |
LimCore |
summary |
/lib/cryptsetup/checks/{un_,}vol_id should fail if vol_id from udev is not available |
Overwrite/destroy not-empty partition due to lack of vol_id from udev |
|
| 2010-02-04 17:24:42 |
Steve Langasek |
cryptsetup (Ubuntu): importance |
High |
Medium |
|
| 2010-02-04 18:31:13 |
Brian Murray |
tags |
|
patch |
|
| 2010-02-04 20:26:25 |
Brian Murray |
removed subscriber Ubuntu Review Team |
|
|
|
| 2010-02-08 17:41:42 |
LimCore |
description |
Binary package hint: cryptsetup
/lib/cryptsetup/checks/{un_,}vol_id are supposed to check for a type of file system on a disk volume. Functions from /lib/cryptsetup/cryptdisks.functions use those checks to determine whether it is safe to destroy the contents of a volume by e.g calling luks create on it:
PRECHECK="/lib/cryptsetup/checks/un_vol_id"
[...]
if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
[ "$MAKESWAP" != "yes" ] && \
! /lib/cryptsetup/checks/vol_id "$src" swap >/dev/null; then
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
return 1
fi
[...]
cryptsetup $PARAMS create "$dst" "$src"
/lib/cryptsetup/checks/{un_,}vol_id rely on /lib/udev/vol_id from the udev package. In Karmic, vol_id it is no longer present. Most unfortunately, in this case the checks *pass* with mere warning:
if test ! -x "/lib/udev/vol_id"; then
echo " - WARNING: vol_id from udev is not available, impossible to run checks."
exit 0
fi
I would argue that exit 0 should be exit 1 instead, otherwise it can lead to silent data corruption in case the disks connected to the machine change. Here is how it happend to me:
I installed Karmic on HDD1; at that time it was the only drive in the box, and thus it was detected as sda. The installer created this entry in /etc/crypttab:
cryptswap1 /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
After that, I connected my second drive, HDD2, to the box. It happend to be connected to the first port of the SATA controller, so when I booted off HDD1, hard drive were detected as follows: HDD2: sda, HDD1: sdb. As a result, my ext3 partition on HDD2 ("new" sda3) became corrupted because of missing vol_id in udev and this bug.
It looks like the move from vol_id to blkid from util-linux is uderway; Debian already has /mnt/lib/cryptsetup/checks/blkid, but the same problem is present there too:
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 0
fi
which means data corruption if blkid is missing and your disks changed since the time /etc/crypttab was created. |
Binary package hint: cryptsetup
SRU update rationale:
1. impact of the bug on users:
Bugs which may, under realistic circumstances, directly cause a loss of user data.
Bug can destroy entire partition on user system while booting, if the user change hard drivers order.
2. how the bug has been addressed
In Lucid we are using blk_id, which works.
3. A minimal patch applicable to the stable version
the one-liner patch is attached
4. Detailed instructions how to reproduce the bug
Was described below by the reporter
5. A discussion of the regression potential of the patch
Very unlikely IMHO.
It just stops overwriting existing partition and using it to create without a question encrypted swap
----
/lib/cryptsetup/checks/{un_,}vol_id are supposed to check for a type of file system on a disk volume. Functions from /lib/cryptsetup/cryptdisks.functions use those checks to determine whether it is safe to destroy the contents of a volume by e.g calling luks create on it:
PRECHECK="/lib/cryptsetup/checks/un_vol_id"
[...]
if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
[ "$MAKESWAP" != "yes" ] && \
! /lib/cryptsetup/checks/vol_id "$src" swap >/dev/null; then
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
return 1
fi
[...]
cryptsetup $PARAMS create "$dst" "$src"
/lib/cryptsetup/checks/{un_,}vol_id rely on /lib/udev/vol_id from the udev package. In Karmic, vol_id it is no longer present. Most unfortunately, in this case the checks *pass* with mere warning:
if test ! -x "/lib/udev/vol_id"; then
echo " - WARNING: vol_id from udev is not available, impossible to run checks."
exit 0
fi
I would argue that exit 0 should be exit 1 instead, otherwise it can lead to silent data corruption in case the disks connected to the machine change. Here is how it happend to me:
I installed Karmic on HDD1; at that time it was the only drive in the box, and thus it was detected as sda. The installer created this entry in /etc/crypttab:
cryptswap1 /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
After that, I connected my second drive, HDD2, to the box. It happend to be connected to the first port of the SATA controller, so when I booted off HDD1, hard drive were detected as follows: HDD2: sda, HDD1: sdb. As a result, my ext3 partition on HDD2 ("new" sda3) became corrupted because of missing vol_id in udev and this bug.
It looks like the move from vol_id to blkid from util-linux is uderway; Debian already has /mnt/lib/cryptsetup/checks/blkid, but the same problem is present there too:
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 0
fi
which means data corruption if blkid is missing and your disks changed since the time /etc/crypttab was created.
|
|
| 2010-02-08 17:41:53 |
LimCore |
nominated for series |
|
Ubuntu Karmic |
|
| 2010-02-08 17:45:49 |
LimCore |
description |
Binary package hint: cryptsetup
SRU update rationale:
1. impact of the bug on users:
Bugs which may, under realistic circumstances, directly cause a loss of user data.
Bug can destroy entire partition on user system while booting, if the user change hard drivers order.
2. how the bug has been addressed
In Lucid we are using blk_id, which works.
3. A minimal patch applicable to the stable version
the one-liner patch is attached
4. Detailed instructions how to reproduce the bug
Was described below by the reporter
5. A discussion of the regression potential of the patch
Very unlikely IMHO.
It just stops overwriting existing partition and using it to create without a question encrypted swap
----
/lib/cryptsetup/checks/{un_,}vol_id are supposed to check for a type of file system on a disk volume. Functions from /lib/cryptsetup/cryptdisks.functions use those checks to determine whether it is safe to destroy the contents of a volume by e.g calling luks create on it:
PRECHECK="/lib/cryptsetup/checks/un_vol_id"
[...]
if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
[ "$MAKESWAP" != "yes" ] && \
! /lib/cryptsetup/checks/vol_id "$src" swap >/dev/null; then
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
return 1
fi
[...]
cryptsetup $PARAMS create "$dst" "$src"
/lib/cryptsetup/checks/{un_,}vol_id rely on /lib/udev/vol_id from the udev package. In Karmic, vol_id it is no longer present. Most unfortunately, in this case the checks *pass* with mere warning:
if test ! -x "/lib/udev/vol_id"; then
echo " - WARNING: vol_id from udev is not available, impossible to run checks."
exit 0
fi
I would argue that exit 0 should be exit 1 instead, otherwise it can lead to silent data corruption in case the disks connected to the machine change. Here is how it happend to me:
I installed Karmic on HDD1; at that time it was the only drive in the box, and thus it was detected as sda. The installer created this entry in /etc/crypttab:
cryptswap1 /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
After that, I connected my second drive, HDD2, to the box. It happend to be connected to the first port of the SATA controller, so when I booted off HDD1, hard drive were detected as follows: HDD2: sda, HDD1: sdb. As a result, my ext3 partition on HDD2 ("new" sda3) became corrupted because of missing vol_id in udev and this bug.
It looks like the move from vol_id to blkid from util-linux is uderway; Debian already has /mnt/lib/cryptsetup/checks/blkid, but the same problem is present there too:
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 0
fi
which means data corruption if blkid is missing and your disks changed since the time /etc/crypttab was created.
|
Binary package hint: cryptsetup
SRU update rationale:
1. impact of the bug on users:
Bugs which may, under realistic circumstances, directly cause a loss of user data.
Bug can destroy entire partition on user system while booting, if the user change hard drivers order.
2. how the bug has been addressed
In Lucid we are using blk_id, which works.
In Karmic the solution is different - the attached patch makes no_vol_id return failure instead of success if vol_id program is missing, therefore it will stop the overwrite of user partition.
3. A minimal patch applicable to the stable version
the one-liner patch is attached
4. Detailed instructions how to reproduce the bug
Was described below by the reporter
5. A discussion of the regression potential of the patch
Very unlikely IMHO.
It just stops overwriting existing partition and using it to create without a question encrypted swap
----
/lib/cryptsetup/checks/{un_,}vol_id are supposed to check for a type of file system on a disk volume. Functions from /lib/cryptsetup/cryptdisks.functions use those checks to determine whether it is safe to destroy the contents of a volume by e.g calling luks create on it:
PRECHECK="/lib/cryptsetup/checks/un_vol_id"
[...]
if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
[ "$MAKESWAP" != "yes" ] && \
! /lib/cryptsetup/checks/vol_id "$src" swap >/dev/null; then
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
return 1
fi
[...]
cryptsetup $PARAMS create "$dst" "$src"
/lib/cryptsetup/checks/{un_,}vol_id rely on /lib/udev/vol_id from the udev package. In Karmic, vol_id it is no longer present. Most unfortunately, in this case the checks *pass* with mere warning:
if test ! -x "/lib/udev/vol_id"; then
echo " - WARNING: vol_id from udev is not available, impossible to run checks."
exit 0
fi
I would argue that exit 0 should be exit 1 instead, otherwise it can lead to silent data corruption in case the disks connected to the machine change. Here is how it happend to me:
I installed Karmic on HDD1; at that time it was the only drive in the box, and thus it was detected as sda. The installer created this entry in /etc/crypttab:
cryptswap1 /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
After that, I connected my second drive, HDD2, to the box. It happend to be connected to the first port of the SATA controller, so when I booted off HDD1, hard drive were detected as follows: HDD2: sda, HDD1: sdb. As a result, my ext3 partition on HDD2 ("new" sda3) became corrupted because of missing vol_id in udev and this bug.
It looks like the move from vol_id to blkid from util-linux is uderway; Debian already has /mnt/lib/cryptsetup/checks/blkid, but the same problem is present there too:
if test ! -x "/sbin/blkid"; then
echo " - WARNING: blkid from util-linux is not available, impossible to run checks."
exit 0
fi
which means data corruption if blkid is missing and your disks changed since the time /etc/crypttab was created.
|
|
| 2010-02-22 17:54:07 |
Martin Pitt |
bug task added |
|
cryptsetup (Ubuntu Karmic) |
|
| 2010-02-22 17:56:14 |
Martin Pitt |
cryptsetup (Ubuntu Karmic): importance |
Undecided |
High |
|
| 2010-02-22 17:56:20 |
Martin Pitt |
cryptsetup (Ubuntu): status |
Confirmed |
Triaged |
|
| 2010-02-22 17:56:24 |
Martin Pitt |
cryptsetup (Ubuntu): importance |
Medium |
Low |
|
| 2010-02-22 18:47:51 |
Martin Pitt |
cryptsetup (Ubuntu Karmic): status |
New |
Fix Committed |
|
| 2010-02-22 18:48:02 |
Martin Pitt |
tags |
patch |
patch verification-needed |
|
| 2010-02-22 19:14:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic-proposed/cryptsetup |
|
| 2010-03-15 11:34:08 |
Daniel Holbach |
removed subscriber Ubuntu Sponsors for main |
|
|
|
| 2010-04-03 19:00:54 |
Benjamin Drung |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2010-05-30 19:25:43 |
Carlos Scarabucci |
branch unlinked |
lp:ubuntu/karmic-proposed/cryptsetup |
|
|
| 2010-07-28 07:31:31 |
Martin Pitt |
cryptsetup (Ubuntu): status |
Triaged |
Invalid |
|
| 2010-07-28 07:31:57 |
Martin Pitt |
cryptsetup (Ubuntu Karmic): status |
Fix Committed |
Won't Fix |
|
