| Name | CVE-2021-4122 |
| Description | It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5070-1 |
| Debian Bugs | 1003686 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cryptsetup (PTS) | buster | 2:2.1.0-5+deb10u2 | fixed |
| bullseye (security), bullseye | 2:2.3.7-1+deb11u1 | fixed | |
| bookworm | 2:2.6.1-4~deb12u2 | fixed | |
| trixie | 2:2.6.1-6 | fixed | |
| sid | 2:2.7.2-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cryptsetup | source | stretch | (not affected) | |||
| cryptsetup | source | buster | (not affected) | |||
| cryptsetup | source | bullseye | 2:2.3.7-1+deb11u1 | DSA-5070-1 | ||
| cryptsetup | source | (unstable) | 2:2.4.3-1 | 1003686 |
[buster] - cryptsetup <not-affected> (Vulnerable code not present; does not support online LUKS2 reencryption)
[stretch] - cryptsetup <not-affected> (Vulnerable code not present; does not support LUKS2)
https://www.openwall.com/lists/oss-security/2022/01/13/2
https://bugzilla.redhat.com/show_bug.cgi?id=2032401
https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c
2.4 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e
2.3 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc