cryptsetup: CVE-2020-14382


Debian Bug report logs - #969471
cryptsetup: CVE-2020-14382


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Sep 2020 15:30:03 UTC

Severity: important

Tags: security, upstream

Found in version cryptsetup/2:2.3.3-2

Fixed in version cryptsetup/2:2.3.4-1

Done: Guilhem Moulin <guilhem@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#969471; Package src:cryptsetup. (Thu, 03 Sep 2020 15:30:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Thu, 03 Sep 2020 15:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cryptsetup: CVE-2020-14382
Date: Thu, 03 Sep 2020 17:28:27 +0200
Source: cryptsetup
Version: 2:2.3.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cryptsetup.

CVE-2020-14382[0]:
| Out-of-bounds write when validating segments

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14382
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14382
[1] https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/102
[2] https://gitlab.com/cryptsetup/cryptsetup/-/commit/52f5cb8cedf22fb3e14c744814ec8af7614146c7

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#969471; Package src:cryptsetup. (Thu, 03 Sep 2020 15:45:07 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Thu, 03 Sep 2020 15:45:07 GMT)


Message #10 received at 969471@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 969471@bugs.debian.org
Subject: Re: [pkg-cryptsetup-devel] Bug#969471: cryptsetup: CVE-2020-14382
Date: Thu, 3 Sep 2020 17:41:45 +0200
On Thu, 03 Sep 2020 at 17:28:27 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for cryptsetup.
> 
> CVE-2020-14382[0]:
> | Out-of-bounds write when validating segments

Oh, thanks Salvatore!  Missed that somehow :-(  Will get to this
tonight.

-- 
Guilhem.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#969471; Package src:cryptsetup. (Thu, 03 Sep 2020 15:48:02 GMT)


Acknowledgement sent to Milan Broz <gmazyland@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Thu, 03 Sep 2020 15:48:02 GMT)


Message #15 received at 969471@bugs.debian.org:

From: Milan Broz <gmazyland@gmail.com>
To: 969471@bugs.debian.org
Subject: Re: Bug#969471: cryptsetup: CVE-2020-14382
Date: Thu, 3 Sep 2020 17:44:53 +0200
FYI, there will be an upstream stable release in a few hours fixing this.

If you are going to backport only the fix for this CVE, these master branch
git commits should be backported (the fix, followed by a simplification
of the validation code).

    52f5cb8cedf22fb3e14c744814ec8af7614146c7
    46ee71edcd13e1dad50815ad65c28779aa6f7503
    752c9a52798f11d3b765b673ebaa3058eb25316e

Milan



Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Thu, 03 Sep 2020 23:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Sep 2020 23:21:07 GMT)


Message #20 received at 969471-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 969471-close@bugs.debian.org
Subject: Bug#969471: fixed in cryptsetup 2:2.3.4-1
Date: Thu, 03 Sep 2020 23:18:26 +0000
Source: cryptsetup
Source-Version: 2:2.3.4-1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969471@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Sep 2020 00:30:40 +0200
Source: cryptsetup
Architecture: source
Version: 2:2.3.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 969471
Changes:
 cryptsetup (2:2.3.4-1) unstable; urgency=high
 .
   * New upstream bugfix release, including fix for CVE-2020-14382:
     possible out-of-bounds memory write while validating LUKS2 data
     segments metadata on 32-bits platforms. (Closes: #969471)
Checksums-Sha1:
 ec1485dc6abf847c66ea340b4d18d5c00b00b4ab 2865 cryptsetup_2.3.4-1.dsc
 d8e220f1a4939e6ce6c67bf5082c16de7693ad49 11239076 cryptsetup_2.3.4.orig.tar.gz
 596b5b19a540d66829536f3ee19333bb5b0ca04f 114332 cryptsetup_2.3.4-1.debian.tar.xz
 b19ee55505ba857ce6da05a4fef95f1beb485b91 9221 cryptsetup_2.3.4-1_amd64.buildinfo
Checksums-Sha256:
 384d3944b36e5ac8ccf6c66ba07a00c20ea9ad77adac08d121c64fcfbcf74e97 2865 cryptsetup_2.3.4-1.dsc
 b45c0f2038e48ed5f68e7ee2e3e38089d8b5c930fcc0eeff5a8583943fc39a74 11239076 cryptsetup_2.3.4.orig.tar.gz
 52db6d92969201a4ad76af5e9e9b8747df60a0864be00338a0265aa288eabbbd 114332 cryptsetup_2.3.4-1.debian.tar.xz
 b7eb988f414af0df2699adc409c490ea1c823dd42c49812b438afb4582a23d46 9221 cryptsetup_2.3.4-1_amd64.buildinfo
Files:
 f09feebb753208ee4b0eb9e7d5c4dbda 2865 admin optional cryptsetup_2.3.4-1.dsc
 ae2d275f9e97fd973c77f1c3b7d6c687 11239076 admin optional cryptsetup_2.3.4.orig.tar.gz
 d92da72c43d0268a97152cefa727dc83 114332 admin optional cryptsetup_2.3.4-1.debian.tar.xz
 b95952184e651a42d1034969d4a77df0 9221 admin optional cryptsetup_2.3.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAl9RcGIACgkQ05pJnDwh
pVIBwQ//XADTh70wAbSEAT7AKLq1UpouV9Xb70eAtx6HH/DdUfbbxaoe+VNirVGU
JZ0ztl38l8mWPLsQNv0C3H3XcYqThFiuN9O0/r2pb5t14kDEhqumwSVlhCMD9KIt
a5JkF2YSYPghd4sHxWVYyGaRpahdDqqOdSb9lghVugCX0ZzKE4ej9poRmkc3Bg9h
XaKc4v24ZrfL1jCfBKiLalt1n0jEy5OseYabJPR+ahMrZdLChrZWXtyttDvRIMd1
cAhhf49m1kHbUnyl+V0LmESVo6XwE14rgeKWlwdzk/JwwfD0nQo9jnu/1cah49O3
vZVWE+HfP8E0QSuqIo9cPSn/EuhevHyHtNna5Yf3XQw9N/VsYVsqvVOp21QGHJFV
54vsZcc4+vrH8VRoeWwfxdDwpnHjGnFm1XKM6tzgI7uxJP0U/oiH6Eismxl7pV81
rKo0DRYbyiNVZ6K9pATSo9X5amWRw3E6SYuSqAWHsdk5i9QztKvVwOeNiLtgDl7R
CPXyiZpJHuvyQV9qOa00rJ9xRdrVpICx0jrm6wtVgxKey7NhVZXwsKc2V5CTHk3m
yHzLYTDFbUULB2FziioJxAWo0NOHP+6W4SgymVzCGrRPwXYL3fAXMToXeALlb3Tz
8BhnCZaBvW6+wqnqlTK0pyy8L+0CeqIV34i56slXTgWHH+UCTBk=
=nuw6
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 4 05:33:56 2020; Machine Name: bembo
