registry team mailing list archive

[Bug 556651] Re: publicly exports dm key information

 

Launchpad has imported 8 comments from the remote bug at
http://bugs.freedesktop.org/show_bug.cgi?id=27494.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2010-04-06T09:32:12+00:00 Martin Pitt wrote:

Original bug: http://bugs.debian.org/576687


udisks exports the device-mapper table data to udev. This data includes encryption keys.

| E:UDISKS_DM_TARGETS_COUNT=1
| E:UDISKS_DM_TARGETS_TYPE=crypt
| E:UDISKS_DM_TARGETS_START=0
| E:UDISKS_DM_TARGETS_LENGTH=1467585
| E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x200\x208:5\x200

UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of
the crypt target this includes the key and iv type.


udisks only needs UDISKS_DM_TARGETS_PARAMS for UDISKS_DM_TARGETS_TYPE == "linear", and is only interested in the major/minor of the device and the offset.

So we should drop the key information for UDISKS_DM_TARGETS_TYPE ==
"crypt" or only explicitly set major/minor/offset, and/or not set
UDISKS_DM_TARGETS_TYPE for anything != "linear".

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/0
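
Added example (not part of the original report or of the udisks code): a Python check over a udev property dump that flags a crypt target whose table parameters are exported, plus a filter applying the "linear only" option proposed in the report above. The sample dump, the function names and the space-separated layout for several targets are assumptions made for illustration.

```python
import re

# Constructed sample in the "E:KEY=value" shape quoted in the report.
# The key field is a dummy value, not real key material.
SAMPLE = r"""
E:DM_NAME=luks_test
E:UDISKS_DM_TARGETS_COUNT=1
E:UDISKS_DM_TARGETS_TYPE=crypt
E:UDISKS_DM_TARGETS_START=0
E:UDISKS_DM_TARGETS_LENGTH=1467585
E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x2000112233445566778899aabbccddeeff\x200\x208:5\x200
"""

def parse_props(text):
    """Collect E:KEY=value lines (optionally '| '-quoted) into a dict."""
    return dict(re.findall(r"^[| ]*E:(\w+)=(.*)$", text, re.M))

def unescape(value):
    """Undo udev's \\xNN escaping, e.g. \\x20 -> space."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def targets(props):
    """Pair each target type with its decoded table parameters.
    Assumption: entries for several targets are space-separated."""
    types = props.get("UDISKS_DM_TARGETS_TYPE", "").split()
    params = props.get("UDISKS_DM_TARGETS_PARAMS", "").split()
    params += [""] * (len(types) - len(params))
    return [(t, unescape(p)) for t, p in zip(types, params)]

def exposes_key(props):
    """True if a crypt target's table entry (cipher, key, ...) is exported."""
    return any(t == "crypt" and len(p.split()) >= 2 for t, p in targets(props))

def linear_only(props):
    """Drop the params property unless every target is linear."""
    if all(t == "linear" for t, _ in targets(props)):
        return dict(props)
    return {k: v for k, v in props.items() if k != "UDISKS_DM_TARGETS_PARAMS"}

if __name__ == "__main__":
    props = parse_props(SAMPLE)
    print("key exposed before filter:", exposes_key(props))
    print("key exposed after filter: ", exposes_key(linear_only(props)))
```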

------------------------------------------------------------------------
On 2010-04-06T11:36:10+00:00 Martin Pitt wrote:

I committed a test for this, which fails right now:

http://cgit.freedesktop.org/udisks/commit/?id=4670d2edfb615af94bd9d82d8fd12b7cf8d23b9d

======================================================================
FAIL: LUKS create/teardown
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/run", line 735, in test_0_create_teardown
    self.failIf('essiv:sha' in out, 'key information in udev properties')
AssertionError: key information in udev properties

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/1

------------------------------------------------------------------------
On 2010-04-06T12:58:15+00:00 Zeuthen wrote:

(In reply to comment #0)
> So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or
> only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE
> for anything != "linear".

How about just keeping it for linear mappings for the time being? In the
future we can keep it for other device mapper targets as well - for
example, we want this data for multipath in order to display state about
each path etc. etc. etc.

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/2

------------------------------------------------------------------------
On 2010-04-06T14:08:09+00:00 Martin Pitt wrote:

Before I go and touch any code, I added a new test case which exercises
this code path by ensuring that DM partitions (kpartx'ed on a LV) have a
correct PartitionSlave property (it involves parsing
UDISKS_DM_TARGETS_PARAMS and various DM_* properties). When I disable
the UDISKS_DM_TARGETS_PARAMS reading in udisks-part-id, this test case
fails.

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/3

------------------------------------------------------------------------
On 2010-04-06T14:08:50+00:00 Martin Pitt wrote:

(In reply to comment #2)
> How about just keeping it for linear mappings for the time being?

Works for me. Now that I have test cases for both ends, I'll work on
that tomorrow (bedtime now).

Thanks!

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/4

------------------------------------------------------------------------
On 2010-04-06T23:16:27+00:00 Martin Pitt wrote:

http://cgit.freedesktop.org/udisks/commit/?id=0fcc7cb3b66f23fac53ae08647aa0007a2bd56c4

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/7

------------------------------------------------------------------------
On 2010-04-07T08:06:42+00:00 Martin Pitt wrote:

David, I think it's worth pushing out a 1.0.1 with this fix (I also
made a couple of other fixes in trunk). Or do you want to wait for the
CVE to arrive? (Someone requested one, as far as I understood from
#udev).

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/9

------------------------------------------------------------------------
On 2010-04-07T19:01:52+00:00 Kurt-seifried wrote:

From: Josh Bressers 4/7/10 7:08 PM
Re: [oss-security] CVE Request -- udisks v1.0.0 -- (serious)information disclosure
Please use CVE-2010-1149 for this.
Thanks.
-- 
   JB

Reply at: https://bugs.launchpad.net/udisks/+bug/556651/comments/14


** Changed in: udisks
       Status: Unknown => Fix Released

** Changed in: udisks
   Importance: Unknown => High

-- 
publicly exports dm key information
https://bugs.launchpad.net/bugs/556651