severity 403075 normal
tags 403075 -security
tags 403075 +moreinfo
thanks

On Thu, Dec 14, 2006 at 01:46:33PM +0000, Rob Walker wrote:
Package: cryptsetup
Version: 2:1.0.4-8
Severity: grave
Tags: security
Justification: user security hole

If I run cryptsetup luksOpen, giving it a file instead of a device, it tries
to allocate lots of memory, eventually triggering the oomkiller to kill
processes.
A normal user can do this, so this could be used for some kind of
denial of service attack: system performance will be impaired and processes of
other users may be killed.  Hence the grave severity.

Ehh..any user can run a process which uses any amount of memory unless you use ulimit.

I agree this would be a bug in cryptsetup, but calling it a user security hole is not correct.

To reproduce

 # produce a dummy file
 dd if=/dev/zero of=/tmp/foo bs=1k count=1024

 # try to run cryptsetup
 /sbin/cryptsetup luksOpen /tmp/foo /dev/mapper/_tmp_foo

The first argument after luksOpen should be a device, the second should be a mapping name.

/tmp/foo is no device, it's a file.

/dev/mapper/_tmp_foo is no mapping name, it's a complete path.

The correct syntax would be something like:
/sbin/cryptsetup luksOpen /dev/something tmpfoo


Furthermore, I can't reproduce this (using the version currently in unstable):

# dd if=/dev/zero of=/tmp/foo bs=1k count=1024
# losetup -f /tmp/foo
# crypsetup luksOpen /dev/loop0 tmpfoo
# Enter LUKS passphrase: # /dev/loop0 is not a LUKS partition
# cryptsetup luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: Verify passphrase: Command successful.
# cryptsetup luksOpen /dev/loop0 footmp
Enter LUKS passphrase: key slot 0 unlocked.
Command successful.
# ls -al /dev/mapper/footmp
brw-rw---- 1 root disk 254, 3 2006-12-14 19:14 /dev/mapper/footmp
# cryptsetup remove footmp
# losetup -d /dev/loop0


--
David Härdeman
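The message above makes two points about `luksOpen` usage: the first argument must be a block device (a plain file has to be attached with `losetup` first), and the second must be a bare mapping name, not a `/dev/mapper/...` path. The following shell snippet is an added example, not code from the bug report or from the cryptsetup project: it shows how a small wrapper could check both arguments before handing them to cryptsetup, so that the misuse in the original report is rejected with a clear message. The function names `check_luks_args` and `safe_luks_open` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or cryptsetup): pre-flight checks
# for `cryptsetup luksOpen DEVICE NAME`, mirroring the rules stated in the
# reply above. Function names are assumptions for this illustration.

# check_luks_args DEVICE NAME
#   Returns 0 when NAME is a bare mapping name (non-empty, no slash) and
#   DEVICE is a block device. Otherwise prints the reason on stderr and
#   returns 1. No cryptsetup call is made here, so this can be tested
#   without root or a LUKS volume.
check_luks_args() {
    dev=$1
    name=$2
    # The mapping name is just a name under /dev/mapper, never a path.
    case $name in
        ''|*/*)
            echo "error: '$name' must be a bare mapping name (e.g. tmpfoo), not a path" >&2
            return 1
            ;;
    esac
    # A regular file is not a device; attach it with `losetup -f FILE` first.
    if [ ! -b "$dev" ]; then
        echo "error: '$dev' is not a block device; use losetup to attach a file first" >&2
        return 1
    fi
    return 0
}

# safe_luks_open DEVICE NAME
#   Runs the checks, then calls cryptsetup exactly as the reply describes.
safe_luks_open() {
    check_luks_args "$1" "$2" || return 1
    /sbin/cryptsetup luksOpen "$1" "$2"
}

# Usage (needs root and a real block device, e.g. after `losetup -f /tmp/foo`):
#   safe_luks_open /dev/loop0 tmpfoo
```

The checks deliberately run before cryptsetup is invoked, so an ordinary user who passes a file path gets an immediate error rather than whatever the tool does with a non-device argument; combined with a per-process memory limit (`ulimit -v`, as the reply notes), this keeps a mistaken invocation from affecting other users.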
