-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 20 Jul 2019 23:18:18 +0200 Source: libblockdev Binary: python3-blockdev Architecture: all Version: 2.20-7+deb10u1 Distribution: buster Urgency: medium Maintainer: all Build Daemon (x86-csail-02) Changed-By: Michael Biebl Description: python3-blockdev - Python 3 gobject-introspection bindings for libblockdev Closes: 928893 Changes: libblockdev (2.20-7+deb10u1) buster; urgency=medium . [ intrigeri ] * Use existing cryptsetup API for changing keyslot passphrase. Cherry-pick upstream fix to use existing cryptsetup API for atomically changing a keyslot passphrase, instead of deleting the old keyslot before adding the new one. This avoids data loss when attempting to change the passphrase of a LUKS2 device via udisks2, e.g. from GNOME Disks. Deleting a keyslot and then adding one is risky: if anything goes wrong before the new keyslot is successfully added, no usable keyslot is left and the device cannot be unlocked anymore. There's little chances this causes actual problems with LUKS1, but LUKS2 defaults to the memory-hard Argon2 key derivation algorithm, which is implemented in cryptsetup with the assumption that it runs as root with no MEMLOCK ulimit; this assumption is wrong when run by udisks2.service under LimitMEMLOCK=65536, which breaks adding the new keyslot, and makes us hit the problematic situation (user data loss) every time. With this change, changing a LUKS2 passphrase via udisks2 will still fail in some cases, until the MEMLOCK ulimit problem is solved in cryptsetup or workaround'ed in udisks2. But at least, if it fails, it will fail _atomically_ and the original passphrase will still work. (Closes: #928893) Checksums-Sha1: 17d477813ac3073d0caf62e73f26c90018fede62 10773 libblockdev_2.20-7+deb10u1_all.buildinfo daac6b7fc224c86d5a6d131c7e987e7fb38f9eb9 12360 python3-blockdev_2.20-7+deb10u1_all.deb Checksums-Sha256: f4b500f1bda259d4d57bc9b14e235c07fb67351ce8506db297ef2b85d86dc885 10773 libblockdev_2.20-7+deb10u1_all.buildinfo a074c30c6cbed29dd3ddcd6f697818a3aafd98e9efd589dacadff2aa7b256825 12360 python3-blockdev_2.20-7+deb10u1_all.deb Files: aa06baeb5f44641fc57e3bc946dc6fc0 10773 libs optional libblockdev_2.20-7+deb10u1_all.buildinfo 86fa18e7529031a2c303653ca4ff6f3f 12360 python optional python3-blockdev_2.20-7+deb10u1_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEUT6sJkHnJYUGfmnJQl1fD/W8hvcFAl01LGAACgkQQl1fD/W8 hvezDg//TU5t0LxMLzpiT/7mfM2hPIWSRn90LN9N4H8Bq0zSQtj8X6hNp9G3qKfN 9ZqrFaKyJsAiZXsvqLsBJlLMs9fZJoyNdqZpqFge0wM/iKbCmiIvCS7YG3VrCsRM vS/pjaiMr4op5s3pkt/pvXEn6JulAZ8+H/DcMYEakieYtDtIiPWrVROm8SoXeSLA N6cBcipO9dPzm9/9qmNoZzHcoaO4i4BWaoqsnvW0zDBE1JRhC8QcKolZeb+mmZpL bF9caH18I4PeBNKQTEo6nndtY43J3J6dMZWZVkercKbkxKXX9Gg6l56gzYNi2S16 P7j55S8x/3czZHhftTuiUwd8WaiUPnYXumIK+hApxV3VjiKEKms5tkHnJkZ/okoV sYzPdh83H2n1PBbwFElWJPFhqerkYRfMmA6kzKHUYikBPFKjeQeFDtJRcREqpm+C wDvnJkb3PflnI/PYNSbNU5F0hL8/WvYXZ2xOGpyYUgTwBGATZPImS6dW0buT6rRq VUtLG/5dVSdJAiRuvVYv4KEKroVXPNysZMEMOfv/8nHdrqJ6AXObs9w6yvZ3wNoC nZuzmb4aCdTrEpipFNUfg6epMmhCfRYR8+Uhdq6TPnzSLeprW7yfa1HB2ANVSNux m2NsdrGwla6wd4cDf2o81eRKBxLZsi6hGuqyD3bEhH0fiCo007g= =KzMV -----END PGP SIGNATURE-----