Original bug: http://bugs.debian.org/576687
udisks exports the device-mapper table data to udev. This data includes encryption keys.
UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of the crypt target this includes the key and iv type.
udisks only needs UDISKS_DM_TARGETS_PARAMS for UDISKS_DM_TARGETS_TYPE == "linear", and is only interested in the major/minor of the device and the offset.
So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE for anything != "linear".
I committed a test for this, which fails right now:
FAIL: LUKS create/teardown
Traceback (most recent call last):
File "tests/run", line 735, in test_0_create_teardown
self.failIf('essiv:sha' in out, 'key information in udev properties')
AssertionError: key information in udev properties
(In reply to comment #0)
> So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or
> only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE
> for anything != "linear".
How about just keeping it for linear mappings for the time being? In the future we can keep it for other device mapper targets as well - for example, we want this data for multipath in order to display state about each path etc. etc. etc.
Before I go and touch any code, I added a new test case which exercises this code path by ensuring that DM partitions (kpartx'ed on a LV) have a correct PartitionSlave property (it involves parsing UDISKS_DM_TARGETS_PARAMS and various DM_* properties). When I disable the UDISKS_DM_TARGETS_PARAMS reading in udisks-part-id, this test case fails.
(In reply to comment #2)
> How about just keeping it for linear mappings for the time being?
Works for me. Now that I have test cases for both ends, I'll work on that tomorrow (bedtime now).
David, I think it's worth pushing out an 1.0.1 with this fix (I also made a couple of other fixes in trunk). Or do you want to wait for the CVE to arrive? (Someone requested one, as far as I understood from #udev).
From: Josh Bressers 4/7/10 7:08 PM
Re: [oss-security] CVE Request -- udisks v1.0.0 -- (serious)information disclosure
Please use CVE-2010-1149 for this.