[Bug 1781912] Re: [18.10 FEAT] Upgrade cryptsetup >= 2.0.3
Launchpad Bug Tracker
1781912 at bugs.launchpad.net
Wed Jul 18 14:14:51 UTC 2018
This bug was fixed in the package cryptsetup - 2:2.0.3-6ubuntu1
---------------
cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low
* Merge from Debian unstable. LP: #1781912.
* Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
- Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
compatibility. LP: #1651818
* Dropped changes, included in Debian:
- Drop explicit libgcrypt20 dependency from libcryptsetup4.
- Drop the CRYPTSETUP variable warning from the initramfs hook, as
overlayroot package ships a dropin in conf-hooks.d triggering false
warnings.
- Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
- Drop c99 std, as the default is now higher than that
* Dropped changes, no longer needed:
- Add maintscript to drop removed upstart system jobs.
cryptsetup (2:2.0.3-6) unstable; urgency=medium
* debian/TODO.md: Remove mention of parent device detection for mdadm
(#629236) as it's fixed since 2:2.0.3-2.
* debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
fixes.
* debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
add configure flag '--disable-internal-tests'. The internal test suite is
run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
variable contains the string "nocheck".
* debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
When the 2nd column of a crypttab entry denodes a block special device,
resolve the device but don't convert it to /dev/block/$major:$minor.
(Closes: #903246.)
* debian/initramfs/hooks/cryptroot:
+ Treat null device numbers as invalid in resolve_device(), cf.
/Documentation/admin-guide/devices.txt in the kernel source tree.
+ generate_initrd_crypttab(): add '\n' to the local IFS since
get_resume_devno() prints one major:minor pair per line.
* debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ Save process ID of the pcscd daemon at local-top stage, and kill it at
local-bottom stage. Thanks to Pascal Vibet for the patch.
(Closes: #903574.)
+ Fix path to the pcscd executable (the fix for #880750 was incomplete).
* debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
since 2:2.0.3-2.
* debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
$CRYPTTAB_NAME not $crypttarget).
cryptsetup (2:2.0.3-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ Drop c99 std, as the default is now higher than that
* debian/control:
+ Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
crypttab(5).
* debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
read-only mapping. Cf. `cryptsetup --readonly`.
* debian/initramfs/hooks/cryptroot:
+ Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ Avoid processing entries multiple times in get_crypttab_entry(), which
could happen with 'keyscript=decrypt_derived' for instance.
+ Don't complain that the sysfs dir can't be found when the hook failed to
normalize the device (another warning is shown already).
+ If source device is mapped (for instance if it's a logical volume), put
its dm name into the initrd crypttab. LVM2's local-block script doesn't
work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
activate all volumes at initramfs stage. (Closes: #902943.)
* debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
unset then no key file is copied.
* debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ Use major:minor device IDs internally, as this facilitate discovery of
sysfs directories, and we don't have to take care of the udev mangling.
+ Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
means that key files and option values can contain blanks and special
characters encoded as octal sequences.
+ Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
code.
* debian/functions: If the key file is a symlink, warn about insecure
permissions of the target, not the link itself.
* debian/scripts/decrypt_derived: For devices with keys in the kernel
keyring (e.g., LUKS2 by default), refuse to derive anything.
* debian/patches/disable-internal-tests.patch: Add configure option
'--disable-internal-tests' to disable the internal test suite.
* debian/rules: Don't run upstream's internal test suite if
$DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
still run by default.)
* debian/cryptdisks-functions: Restore support for crypttab(5) entries with
regular files as source device. Regression since 2:2.0.3-2.
(Closes: #902879.)
* debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
cryptsetup (2:2.0.3-4) unstable; urgency=low
* debian/initramfs/hooks/cryptroot:
+ Fix typo in warning message. (Closes: #901971.)
+ sysfs_devdir(): don't croak when the normalized device pathname isn't of
the form /dev/$blk. This is the case in the Debian installer, where the
devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
instead of a symlink to /dev/dm-$index.
+ sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
sysfs directory corresponding to the device) rather than /sys/block/$blk.
While the latter is present for mapped devices, it's not present for
block devices corresponding to disk partitions. See sysfs(5) for
details. (Closes: #902183.)
+ get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
get the UUID of a dm-crypt device's slave (it's normal with plain
dm-crypt devices).
+ get_crypttab_entry(): don't warn that key file doesn't exist if it's
e.g., an existing character special device.
* debian/functions:unlock_mapping(): translate crypttab(5) option
'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
doesn't set the key size but the size of the device in number of 512 byte
sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
* debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
keyscripts (such as decrypt_keyctl) don't work properly if on first try
the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
2:2.0.3-2. (Closes: #902116.)
* debian/scripts/decrypt_keyctl: replace the source device path with the
mapped device name in messages, to match the new askpass behavior.
cryptsetup (2:2.0.3-3) unstable; urgency=low
[ Jonas Meurer ]
* debian/*: run wrap-and-sort(1)
* debian/control:
+ Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
cryptsetup-run. Needed since we moved luksformat between the
packages. (Closes: #901773)
+ Remove all traces of package 'cryptsetup-luks' from dependency
headers. This package has never been part of an official Debian
release and the time it existed is more than 12 years ago.
+ Remove Conflicts/Breaks headers from the split of cryptsetup into
cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
version is from Debian Wheezy, which means that there's three
releases in between. We don't support dist-upgrades with skipped
releases anyway.
+ Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ Remove versioned depends of libcryptsetup12 on libgcrypt20 and
libgpg-error0. Both versions are satisfied since more than three
releases.
+ Remove versioned build-depends on docbook-xsl, dpkg-dev,
libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
satisfied since more than three releases.
* debian/*: Change maintainer contact address to @alioth-lists.debian.net.
[ Guilhem Moulin ]
* debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
fields. (2:2.0.2-2 was never released, the version we released after the
package split was 2:2.0.3-1.)
* debian/initramfs/cryptroot-script: exit immediately when
/lib/cryptsetup/functions is not present. (Closes: #901830.)
* debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
manually excluding mapped devices using another subsystem.
* d/initramfs/hooks/cryptroot:
+ Fix parser for cipher specifications in mapping table of crypt targets.
In particular, the cipher mode wasn't parsed properly, potentially
causing missing modules in initrd.img compiled with MODULES=dep.
Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ Print a warning when the mapping table specifies the cipher in kernel
crypto API format ("capi:" prefix). We don't support these yet.
cryptsetup (2:2.0.3-2) unstable; urgency=medium
The "nights are long in summer" cryptsetup sprint release :-)
Guilhem and Jonas hacked together for three days (and nights), refactored
almost all of the cryptsetup packages, squashed (at least) 19 bugs and
started work on several new features. Yay!
[ Guilhem Moulin ]
* cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
(Closes: #901641.)
* debian/initramfs/*-hook: complete refactoring. Common functions are now in
/lib/cryptsetup/functions (source-able from shell scripts).
(Closes: #784881.)
* debian/initramfs/cryptroot-hook:
+ Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
devices such as LVM2 on top of LUKS (resp. multiple device filesystems
such as btrfs). This approach is more robust than parsing the output of
`lvs` or `btrfs filesystem`.
+ Export relevant crypttab(5) snippet (for devices that need to be
unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
if 1/ the CRYPTSETUP configuration option is unset or null (the
default), and 2/ the hook didn't detect any device to be unlocked at
initramfs stage. The benefit is two-fold: it guides users through the
package split, and warns them that their system might not reboot if the
hook script didn't work properly.
* Remove the 'decrypt_openct' keyscript since openct was last seen in
oldoldstable, cf. #760258 (ROM).
* debian/initramfs/cryptroot-script: refactoring, using functions from
/lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ One can disable the cryptsetup initramfs scripts for a particular boot
by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ No longer sleep for a full minute after exceeding the maximum number of
unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
attempt in order to defeat online brute-force attacks. (Closes: #898495.)
* debian/README.initramfs: Remove mention that the initramfs scripts and the
crypsetup binary are using a different hash algorithm for plain dm-crypt
volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
* debian/cryptdisks.functions:
+ Refactoring, using functions from /lib/cryptsetup/functions.
(Closes: #859953, #891219.)
+ Install to /lib/cryptsetup/cryptdisks-functions.
* crypttab(5):
+ Remove support for the 'precheck' option. The precheck for LUKS devices
is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
filesystem (other that swap).
+ Don't ignore the 'plain' option: disable auto-detection and treat the
device as a plain dm-crypt device. (Closes: #886007.)
+ Add support for some option aliases to unify with systemd's crypttab(5)
options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ Add support for 'keyfile-size=' and 'keyfile-offset=' options.
(Closes: #849335.)
+ Source devices can now be specified using their PARTUUID or PARTLABEL,
similar to fstab(5).
* debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
to setup readonly mappings. (Closes: #782843.)
* debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
once. (Closes: #783194.)
[ Jonas Meurer ]
* debian/doc/crypttab.xml:
+ Add a section about the different crypttab formats of our package and
the systemd cryptsetup wrapper.
+ Document, which options are ignored by the initramfs scripts and which
are unsupported by the systemd implementation. (Closes: #714380)
+ Clarify documentation of option 'tries'. It also applies when using
keyscripts, not only with interactive passphrases. (Closes: #826127)
+ Make it obvious that in case a keyscript is configured, the third option
is passed as argument to the keyscript. Mention the optional requirement
to quote the value. (Closes: #826122)
+ Some minor wording improvements.
* debian/control, debian/combat: Bump debhelper compatibility level to 11.
* debian/rules:
+ Completely refactor the rules file, adapt to debhelper 11 style.
(Closes: #901713)
+ Run the upstream build-time testsuite thanks to dh_auto_test.
+ Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ Install the bug-script into all packages.
+ No longer install the sysvinit initscripts into cryptsetup-udeb.
+ Remove many old build and compile flags, debhelper takes care of most of
them nowadays.
cryptsetup (2:2.0.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* Split cryptsetup package into cryptsetup-run (init scripts and libraries)
and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
package is now a transitional dummy package. (Closes: #783297.)
* debian/cryptsetup-run.preinst: remove logic for rm_conffile
/etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
2:1.0.6-5.
* debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
with crypttab(5) targets that already exist, and only complete
cryptdisks_start targets with crypttab(5) targets that don't exist yet.
(Closes: #827200.)
* debian/initramfs/cryptroot-hook:
+ use copy_file() from hook-functions to copy key files to the initrd.
This ensures that relevant messages are printed in verbose mode.
(Closes: #898516.)
+ remove backward compatibility support for setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ add 'algif_skcipher' kernel module to large initramfs (if the MODULES
variable isn't "dep"). That module is required for unlocking LUKS2
devices.
[ Jonas Meurer ]
* New upstream release 2.0.3
* debian/control:
- Bump standards-version to 4.1.4, no changes required
- Change my mail address to 'jonas at freesources.org'
- Change Vcs links to the new repository on salsa.debian.org
* debian/README.source: minor improvements
* debian/doc/crypttab.xml: Fix typo in manpage
-- Steve Langasek <steve.langasek at ubuntu.com> Mon, 16 Jul 2018
08:27:58 -0400
** Changed in: cryptsetup (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4484
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1781912
Title:
[18.10 FEAT] Upgrade cryptsetup >= 2.0.3
Status in Ubuntu on IBM z Systems:
Triaged
Status in cryptsetup package in Ubuntu:
Fix Released
Bug description:
Cryptsetup is utility used to conveniently setup disk encryption based
on DMCrypt kernel module.
These include plain dm-crypt volumes, LUKS volumes, loop-AES
and TrueCrypt (including VeraCrypt extension) format.
Project also includes veritysetup utility used to conveniently setup
DMVerity block integrity checking kernel module
and, since version 2.0, integritysetup to setup
DMIntegrity block integrity kernel module.
Version 2.0.3 include all z code for dm-crypt with protected keys
Without cryptsetup 2.0.3 (the 3 is important) we won't be able to use
secure key encryption with LUKS2 and the paes cipher. Only plain mode
will be usable with cryptsetup version 2.0.1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1781912/+subscriptions
More information about the foundations-bugs
mailing list