Date: Fri, 10 Feb 2023 06:23:05 +0800
From: "Ben Woods" <woodsb02@freebsd.org>
To: freebsd-security@freebsd.org
Cc: "Nathan Dorfman" <ndorf@rtfm.net>, "Mariusz Zaborski" <oshogbo@FreeBSD.org>, "Gordon Tetlow" <gordon@FreeBSD.org>, "Philip Paeps" <philip@freebsd.org>, "Alan Somers" <asomers@freebsd.org>, "Maksym Sobolyev" <sobomax@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-23:01.geli
Message-ID: <b2994552-139d-4b11-b459-2d1fa087f183@app.fastmail.com>
In-Reply-To: <20230208190833.283D087C3@freefall.freebsd.org>
References: <20230208190833.283D087C3@freefall.freebsd.org>

On Thu, 9 Feb 2023, at 3:08 AM, FreeBSD Security Advisories wrote:
> FreeBSD-SA-23:01.geli                                  Security Advisory
>                                                      The FreeBSD Project
>
> Topic: GELI silently omits the keyfile if read from stdin

Good morning,

I was scrolling through my emails yesterday and spat my coffee out when I read this one. I just wanted to put my hand up and say I believe this issue originates from my code, when I added the “geli init multiple providers” feature in 2018 just prior to the FreeBSD-12 release.

https://reviews.freebsd.org/D16115
https://reviews.freebsd.org/D17096

Apologies to anyone affected, and thank you to Nathan for reporting it, Marius, Gordon and Philip for fixing it, and anyone else on the security team for investigating/communicating the issue.

I’ll spend some time to review the fix to fully understand where I went wrong. I was also wondering why it wasn’t revealed by my testing at the time…. And then I realised this would not be visible to the user as they would still enter their user key to successfully add the device with a null master key. Slaps forehead.

I never got around to adding unit tests for init/attach multiple providers as was requested by Alan Somers at the time (sorry), but I suspect even if I had they would have passed because I wouldn’t have thought to test for this scenario.

Regards,
Ben

-- 
From: Ben Woods
woodsb02@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b2994552-139d-4b11-b459-2d1fa087f183>