831047 – (CVE-2021-3979) sys-cluster/ceph: volume does not respect configured osd_dmcrypt_key_size

Bug 831047 (CVE-2021-3979) - sys-cluster/ceph: volume does not respect configured osd_dmcrypt_key_size

Summary: sys-cluster/ceph: volume does not respect configured osd_dmcrypt_key_size

Status:	CONFIRMED

Alias:	CVE-2021-3979

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B4 [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2022-01-12 04:57 UTC by John Helmert III
Modified:	2022-01-12 20:39 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-01-12 04:57:29 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3979

"Hi all,
The key length for encrypted devices created using ceph-volume is
incorrect. This is due to a bug in ceph_volume/util/encryption.py, where
upon writing a key using osd_dmcrypt_key_size it does not pass the key size
to the format and open operations following. The default key is then
applied in cryptsetup. All versions since Luminous are assumed affected."

Doesn't seem there's any patch at URL and don't see any report upstream.

Comment 1 John Helmert III archtester

2022-01-12 20:39:11 UTC

Possible patch (seems unupstreamed): https://www.openwall.com/lists/oss-security/2022/01/11/5

Might cause data corruption, though: https://www.openwall.com/lists/oss-security/2022/01/12/1