Date:      Fri, 10 Feb 2023 06:23:05 +0800
From:      "Ben Woods" <woodsb02@freebsd.org>
To:        freebsd-security@freebsd.org
Cc:        "Nathan Dorfman" <ndorf@rtfm.net>, "Mariusz Zaborski" <oshogbo@FreeBSD.org>, "Gordon Tetlow" <gordon@FreeBSD.org>, "Philip Paeps" <philip@freebsd.org>, "Alan Somers" <asomers@freebsd.org>, "Maksym Sobolyev" <sobomax@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-23:01.geli
Message-ID:  <b2994552-139d-4b11-b459-2d1fa087f183@app.fastmail.com>
In-Reply-To: <20230208190833.283D087C3@freefall.freebsd.org>


On Thu, 9 Feb 2023, at 3:08 AM, FreeBSD Security Advisories wrote:
> FreeBSD-SA-23:01.geli                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          GELI silently omits the keyfile if read from stdin

Good morning,

I was scrolling through my emails yesterday and spat my coffee out when I read this one. I just wanted to put my hand up and say I believe this issue originates from my code, when I added the “geli init multiple providers” feature in 2018 just prior to the FreeBSD-12 release.

https://reviews.freebsd.org/D16115
https://reviews.freebsd.org/D17096

Apologies to anyone affected, and thank you to Nathan for reporting it, Mariusz, Gordon and Philip for fixing it, and anyone else on the security team for investigating/communicating the issue.

I’ll spend some time reviewing the fix to fully understand where I went wrong. I was also wondering why it wasn’t revealed by my testing at the time... And then I realised this would not be visible to the user, as they would still enter their user key to successfully add the device with a null master key. Slaps forehead.

I never got around to adding unit tests for init/attach multiple providers as was requested by Alan Somers at the time (sorry), but I suspect even if I had they would have passed because I wouldn’t have thought to test for this scenario.

Regards,
Ben

-- 
From: Ben Woods
woodsb02@freebsd.org

