Re: [Tails-dev] LUKS 2 vulnerability

Delete this message

Reply to this message
Autore: geb
Data:  
To: tails-dev
Oggetto: Re: [Tails-dev] LUKS 2 vulnerability
Hi,

gagz:
> hsiffish@???:
>> ­Hi, does the new LUKS 2 vulnerability affect all previous and current
>> version
>> of Tails?
>> Should we be concerned about the persistent storage feature?
>
> If I understand correctly, no and no.
> If I'm not mistaken, the vulnerability affects LUKS2 volumes created
> using cryptsetup since version 2.2.0, but Tails ships 2.1.
>
> But I might be wrong.
>
> [...]
>
> This is sensitive topic so please double check what I'm saying!
>>
>> *CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption
>> crash
>> recovery*
>> https://seclists.org/oss-sec/2022/q1/34


Thanks for the link and the explanation.

After due verification, depending how much this bug gets public, it may
worth to issue a short simple language statement on tails.boum.org/news
or just even twitter, as the bug description and attack scenario could
IMHO be a bit scarring for Tails users:
https://bugzilla.redhat.com/show_bug.cgi?id=2032401 (through, well, an
attacker could also modify the system in that case).

cheers,
geb