Re: FreeBSD Security Advisory FreeBSD-SA-23:01.geli
Date: Thu, 09 Feb 2023 22:23:05 UTC
On Thu, 9 Feb 2023, at 3:08 AM, FreeBSD Security Advisories wrote:
> FreeBSD-SA-23:01.geli Security Advisory
> The FreeBSD Project
>
> Topic: GELI silently omits the keyfile if read from stdin

Good morning,

I was scrolling through my emails yesterday and spat my coffee out when I read this one.

I just wanted to put my hand up and say I believe this issue originates from my code, when I added the “geli init multiple providers” feature in 2018 just prior to the FreeBSD-12 release.

https://reviews.freebsd.org/D16115
https://reviews.freebsd.org/D17096

Apologies to anyone affected, and thank you to Nathan for reporting it, Marius, Gordon and Philip for fixing it, and anyone else on the security team for investigating/communicating the issue.

I’ll spend some time to review the fix to fully understand where I went wrong.

I was also wondering why it wasn’t revealed by my testing at the time…. And then I realised this would not be visible to the user as they would still enter their user key to successfully add the device with a null master key. Slaps forehead.

I never got around to adding unit tests for init/attach multiple providers as was requested by Alan Somers at the time (sorry), but I suspect even if I had they would have passed because I wouldn’t have thought to test for this scenario.

Regards,
Ben

--
From: Ben Woods woodsb02@freebsd.org