A vulnerability in cryptsetup allowed encryption to be disabled on LUKS2 partitions

News recently broke that a vulnerability (already listed as CVE-2021-4122) was identified in the cryptsetup package, which is used to encrypt disk partitions on Linux.

It is mentioned that to exploit the vulnerability, an attacker must have physical access to the encrypted media. In other words, the method makes sense mainly for attacking encrypted external drives, such as flash drives, to which the attacker has access but for which they do not know the password needed to decrypt the data.

The attack applies only to the LUKS2 format and is associated with manipulation of the metadata responsible for activating the "online reencryption" extension, which makes it possible, when the access key needs to be changed, to start re-encrypting the data on the fly without stopping work with the partition.

Since decrypting and re-encrypting with a new key takes a long time, "online reencryption" lets you keep working with the partition while the re-encryption runs in the background, gradually moving data from one key to the other. In particular, it is possible to select an empty target key, which converts the partition to decrypted form.

An attacker can make changes to the LUKS2 metadata that simulate a decryption operation aborted by a failure, and so achieve decryption of part of the partition after the owner next activates and uses the modified drive. In this case, the user who connected the modified drive and unlocked it with the correct password receives no warning that an interrupted re-encryption operation is being resumed, and can learn the progress of that operation only with the "luksDump" command. The amount of data the attacker can decrypt depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.

The problem stems from the fact that, although the re-encryption operation requires computing and verifying the hashes of the new and old keys, the hash is not required to resume an interrupted decryption process if the new state implies the absence of an encryption key (plaintext).

In addition, the LUKS2 metadata that specifies the encryption algorithm is not protected against modification if it falls into the hands of an attacker. To block the vulnerability, the developers added extra metadata protection to LUKS2: an additional hash is now checked, calculated from the known keys and the metadata contents, so an attacker can no longer covertly change the metadata without knowing the decryption password.

A typical attack scenario requires that the attacker be able to get their hands on the disk several times. First, the attacker, who does not know the access password, makes changes to the metadata area that trigger decryption of part of the data the next time the drive is activated.

The drive is then returned to its place and the attacker waits until the user connects it and enters the password. While the device is in use, the re-encryption process starts in the background, during which part of the encrypted data is replaced with decrypted data. Then, if the attacker can get their hands on the device again, some of the data on the drive will be in decrypted form.

The issue was identified by the maintainer of the cryptsetup project and fixed in the cryptsetup 2.4.3 and 2.3.7 updates.

The status of updates that fix the problem in distributions can be tracked on these pages: RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability is present only since the release of cryptsetup 2.2.0, which introduced support for the "online reencryption" operation. The "--disable-luks2-reencryption" option can be used as a security workaround.
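The check an owner can make with luksDump, as an added example (not code from the cryptsetup project or from this article): it inspects LUKS2 JSON metadata, such as `cryptsetup luksDump --dump-json-metadata` prints on releases that support that flag, for a pending re-encryption, and applies the version ranges named above to `cryptsetup --version` output. The JSON field names are assumed from the LUKS2 on-disk format, and the sample metadata is constructed.

```python
import json
import re

# Constructed sample: trimmed LUKS2 JSON metadata with a pending decryption.
# Field names are assumed from the LUKS2 on-disk format; values are made up.
SAMPLE_PENDING = json.loads("""
{"keyslots": {"0": {"type": "luks2"},
              "1": {"type": "reencrypt", "mode": "decrypt"}},
 "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                    "flags": ["in-reencryption"]},
              "1": {"type": "linear", "flags": ["backup-final"]}},
 "config": {"requirements": {"mandatory": ["online-reencrypt"]}}}
""")
SAMPLE_CLEAN = json.loads("""
{"keyslots": {"0": {"type": "luks2"}},
 "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
 "config": {}}
""")


def reencryption_state(meta):
    """Return None if nothing is pending, else a summary of the operation."""
    slots = [k for k in meta.get("keyslots", {}).values()
             if k.get("type") == "reencrypt"]
    segs = list(meta.get("segments", {}).values())
    reqs = meta.get("config", {}).get("requirements", {}).get("mandatory", [])
    active = [s for s in segs if "in-reencryption" in s.get("flags", [])]
    if not (slots or active or any(r.startswith("online-reencrypt") for r in reqs)):
        return None
    # The target layout is the segment flagged backup-final; anything other
    # than an encrypted ("crypt") segment means data ends up as plaintext.
    final = [s for s in segs if "backup-final" in s.get("flags", [])]
    to_plain = (any(k.get("mode") == "decrypt" for k in slots)
                or any(s.get("type") != "crypt" for s in final))
    return {"pending": True, "to_plaintext": to_plain}


def is_affected(version_output):
    """Apply the article's version ranges to `cryptsetup --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no x.y.z version found")
    v = tuple(int(x) for x in m.groups())
    if v < (2, 2, 0):          # online re-encryption not yet present
        return False
    if v[:2] == (2, 3):        # 2.3 branch fixed in 2.3.7
        return v < (2, 3, 7)
    return v < (2, 4, 3)       # 2.2.x, and 2.4.x before 2.4.3
```

Distribution packages may carry the fix under an older version number, so treat the version check as a first pass and confirm against the distribution's advisory.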

Finally, if you are interested in knowing more about this news, you can check the details at the following link.