[Bug 805426] New: cryptsetup cannot remove LUKS keys for devices with a blocksize of 4096 bytes
https://bugzilla.novell.com/show_bug.cgi?id=805426
https://bugzilla.novell.com/show_bug.cgi?id=805426#c0

           Summary: cryptsetup cannot remove LUKS keys for devices with a blocksize of 4096 bytes
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Final
          Platform: All
        OS/Version: openSUSE 12.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: f+novell@congenio.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0

I cannot remove (luksRemoveKey) or wipe (luksKillSlot) a LUKS key slot on a disk with a blocksize of 4096 bytes. I get errors like:

    #cryptsetup luksKillSlot /dev/volume/anything 1
    Enter any remaining LUKS passphrase:
    Cannot wipe device /dev/volume/anything.

This works when a device with a blocksize of 512 bytes is used.

I think that this is major because it affects security: a known-to-be-compromised LUKS passphrase cannot be removed.

Reproducible: Always

Steps to Reproduce:
1. cryptsetup luksKillSlot /dev/volume/anything 1
2. enter any existing passphrase
3.

Actual Results:
Cannot wipe device /dev/volume/anything.

Expected Results:
Removed key

This happens to be a fixed upstream error that has been reported and allegedly fixed already (cf. http://code.google.com/p/cryptsetup/issues/detail?id=129). However, even a cryptsetup 1.5.1 from openSUSE factory exhibits the same behaviour.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=805426#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
         AssignedTo|security-team@suse.de       |lnussel@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=805426#c1

--- Comment #1 from Ludwig Nussel <lnussel@suse.com> 2013-04-22 11:46:29 CEST ---

*** Bug 805427 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=805427

https://bugzilla.novell.com/show_bug.cgi?id=805426#c2

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |f+novell@congenio.de

--- Comment #2 from Ludwig Nussel <lnussel@suse.com> 2013-04-22 14:08:14 CEST ---

I don't have a 4k device here for testing. The fix is indeed supposed to be in 1.5. Can you re-try using 12.3?

https://bugzilla.novell.com/show_bug.cgi?id=805426#c3

--- Comment #3 from Uwe Meyer-Gruhl <f+novell@congenio.de> 2013-04-22 16:36:54 UTC ---

Alas, my only device with 4096 bytes blocksize is attached to a production system that I cannot (yet) upgrade to openSUSE 12.3. Also, there seems to be no way to test this on a VM or via a loop device (they always have a 512 byte block size).

When I just checked with cryptsetup-1.5.1-2.1.1 from openSUSE 12.3, I found that it makes use of libcryptsetup4, which in turn uses libdevmapper, which uses libudev1, which uses glibc-2.17. Given these dependencies, one cannot just install the openSUSE 12.3 versions over 12.2 in order to test it.

But my previous comment about cryptsetup 1.5.1 may be wrong: cryptsetup >= 1.5 probably fixes the problem, because the real fix could be contained in the libcryptsetup4 and not in the cryptsetup package.

https://bugzilla.novell.com/show_bug.cgi?id=805426#c4

Uwe Meyer-Gruhl <f+novell@congenio.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|f+novell@congenio.de        |

--- Comment #4 from Uwe Meyer-Gruhl <f+novell@congenio.de> 2013-04-23 14:33:45 UTC ---

Now I have upgraded to 12.3 and voila: The bug is gone. During upgrade, there was another, cosmetic bug with respect to 4096 byte sectors (submitted as bug #816739).

https://bugzilla.novell.com/show_bug.cgi?id=805426#c5

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> 2013-07-05 09:06:28 CEST ---

Unless there is a strong demand for a backport to 12.2 I'd recommend everyone with this problem to upgrade to 12.3. Closing as fixed in 12.3.
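
Added example, not part of the bug thread and not code from cryptsetup or openSUSE: a shell check that reads the LUKS1 header dump to confirm a key slot is actually DISABLED after luksKillSlot or luksRemoveKey, and reports the device's logical sector size. The function names and the sample dump are constructed for illustration, and the parser assumes the LUKS1 "Key Slot N: STATE" layout printed by cryptsetup luksDump.

```shell
#!/bin/sh
# Added example (not from the bug thread): check that a LUKS1 key slot is
# really DISABLED after luksKillSlot/luksRemoveKey.

# slot_state SLOT: read LUKS1 `cryptsetup luksDump` text on stdin and print
# ENABLED, DISABLED, or UNKNOWN (no line for that slot) for the slot number.
slot_state() {
    awk -v slot="$1" '
        $1 == "Key" && $2 == "Slot" && $3 == (slot ":") { print $4; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# verify_slot_removed DEVICE SLOT: needs root and a real LUKS1 device.
# Prints the logical sector size (4096 is the case from the report) and
# returns 0 only if the slot is DISABLED in the on-disk header.
verify_slot_removed() {
    dev=$1 slot=$2
    echo "logical sector size: $(blockdev --getss "$dev") bytes"
    state=$(cryptsetup luksDump "$dev" | slot_state "$slot")
    echo "key slot $slot: $state"
    [ "$state" = "DISABLED" ]
}

# Constructed sample of LUKS1 luksDump output (values are placeholders).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/volume/anything

Version:        1
Cipher name:    aes
Payload offset: 4096

Key Slot 0: ENABLED
        Iterations:             100000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Run against a real device only when DEVICE and SLOT are given.
if [ "$#" -eq 2 ]; then
    verify_slot_removed "$1" "$2"
fi
```

A non-zero exit from verify_slot_removed means the slot is still listed as ENABLED (or could not be read), so the passphrase in that slot should still be treated as valid.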