Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831047 (CVE-2021-3979) - sys-cluster/ceph: volume does not respect configured osd_dmcrypt_key_size
Summary: sys-cluster/ceph: volume does not respect configured osd_dmcrypt_key_size
Status: CONFIRMED
Alias: CVE-2021-3979
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-12 04:57 UTC by John Helmert III
Modified: 2022-01-12 20:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2022-01-12 04:57:29 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3979

"Hi all,
The key length for encrypted devices created using ceph-volume is
incorrect. This is due to a bug in ceph_volume/util/encryption.py, where
upon writing a key using osd_dmcrypt_key_size it does not pass the key size
to the format and open operations following. The default key is then
applied in cryptsetup. All versions since Luminous are assumed affected."

Doesn't seem there's any patch at URL and don't see any report upstream.
Comment 1 John Helmert III gentoo-dev Security 2022-01-12 20:39:11 UTC
Possible patch (seems unupstreamed): https://www.openwall.com/lists/oss-security/2022/01/11/5

Might cause data corruption, though: https://www.openwall.com/lists/oss-security/2022/01/12/1