package/cryptsetup: security bump to version 2.3.4
authorFabrice Fontaine <fontaine.fabrice@gmail.com>
Sun, 25 Oct 2020 14:39:12 +0000 (15:39 +0100)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Sun, 25 Oct 2020 14:54:20 +0000 (15:54 +0100)
commitbaa28856f15723a1c492d8afbe9e3be797d53659
tree2c3195acb0e7da8fc56123c11f644dc656432182
parentbc52fc7426e97ea6b6ca7e7cbb3b21d7b1049ddd
package/cryptsetup: security bump to version 2.3.4

Fix CVE-2020-14382: A vulnerability was found in upstream release
cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code,
that is effectively invoked on every device/image presenting itself as
LUKS2 container. The bug is in segments validation code in file
'lib/luks2/luks2_json_metadata.c' in function
hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
where the code does not check for possible overflow on memory allocation
used for intervals array (see statement "intervals = malloc(first_backup
* sizeof(*intervals));"). Due to the bug, library can be *tricked* to
expect such allocation was successful but for far less memory then
originally expected. Later it may read data FROM image crafted by an
attacker and actually write such data BEYOND allocated memory.

https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.4-ReleaseNotes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/cryptsetup/cryptsetup.hash
package/cryptsetup/cryptsetup.mk