Vulnerability in cryptsetup allowed encryption to be disabled on LUKS2 partitions

News recently broke that a vulnerability (already catalogued as CVE-2021-4122) was identified in the cryptsetup package, which is used to encrypt disk partitions on Linux.

To exploit the vulnerability, an attacker must have physical access to the encrypted media. In other words, the method makes sense mainly for attacking encrypted external drives, such as flash drives, that the attacker can access but for which the attacker does not know the password needed to decrypt the data.

The attack applies only to the LUKS2 format and relies on manipulating the metadata responsible for activating the "online reencryption" extension, which makes it possible, when the access key needs to be changed, to start re-encrypting the data on the fly without stopping work with the partition.

Because decrypting and re-encrypting with a new key takes a long time, "online reencryption" lets you keep working with the partition while re-encryption runs in the background, gradually moving the data from one key to the other. In particular, it is possible to select an empty target key, which converts the partition to unencrypted form.

An attacker can modify the LUKS2 metadata to simulate a decryption operation that was aborted by a failure, and so achieve decryption of part of the partition once the owner next activates and uses the modified drive. In this case, the user who connects the modified drive and unlocks it with the correct password receives no warning that an interrupted re-encryption operation is being resumed, and can find out about the progress of this operation only with the "luksDump" command. The amount of data the attacker can decrypt depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.

The problem stems from the fact that, although the re-encryption operation requires the hashes of the new and old keys to be calculated and verified, no hash is required to resume an interrupted decryption process if the new state implies the absence of an encryption key (plaintext).

In addition, the LUKS2 metadata that specifies the encryption algorithm is not protected against modification if it falls into the hands of an attacker. To block the vulnerability, the developers added extra metadata protection to LUKS2: an additional hash is now verified, calculated from the known keys and the metadata contents, so an attacker can no longer covertly change the metadata without knowing the decryption password.

A typical attack scenario requires the attacker to have the opportunity to get hold of the disk several times. First, the attacker, who does not know the access password, makes changes to the metadata area that trigger decryption of part of the data the next time the drive is activated.

The drive is then returned to its place and the attacker waits until the user connects it and enters the password. When the user activates the device, a re-encryption process starts in the background, during which part of the encrypted data is replaced with decrypted data. Then, if the attacker manages to get hold of the device again, some of the data on the drive will be decrypted.
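Because the resumed operation produces no warning, the LUKS2 header can be checked for a pending re-encryption before a drive that has been out of your custody is unlocked. The following is an added example, not code from the cryptsetup project. It assumes the header's JSON metadata has been exported as text (cryptsetup 2.4.0 and later can print it with `cryptsetup luksDump --dump-json-metadata`), and the function name and sample data are constructed for illustration.

```python
import json

def reencryption_findings(metadata_json):
    """Return reasons this LUKS2 JSON metadata shows a pending re-encryption."""
    md = json.loads(metadata_json)
    findings = []
    # Requirement flag set while online re-encryption is in progress; the
    # prefix match also covers versioned variants of the flag.
    mandatory = md.get("config", {}).get("requirements", {}).get("mandatory", [])
    for req in sorted(mandatory):
        if req.startswith("online-reencrypt"):
            findings.append(f"requirement: {req}")
    # A keyslot of type "reencrypt" holds the state of the running operation.
    for slot_id, slot in sorted(md.get("keyslots", {}).items()):
        if slot.get("type") == "reencrypt":
            findings.append(f"keyslot {slot_id}: reencrypt, mode={slot.get('mode')}")
    # A "linear" final segment means the operation ends in plaintext.
    for seg_id, seg in sorted(md.get("segments", {}).items()):
        if seg.get("type") == "linear" and "backup-final" in seg.get("flags", []):
            findings.append(f"segment {seg_id}: final state is unencrypted")
    return findings

# Constructed, heavily trimmed samples (not taken from a real device).
SAMPLE_PENDING = json.dumps({
    "keyslots": {"0": {"type": "luks2"},
                 "1": {"type": "reencrypt", "mode": "decrypt"}},
    "segments": {"0": {"type": "crypt", "flags": ["backup-previous"]},
                 "1": {"type": "linear", "flags": ["backup-final"]}},
    "config": {"requirements": {"mandatory": ["online-reencrypt"]}},
})
SAMPLE_CLEAN = json.dumps({
    "keyslots": {"0": {"type": "luks2"}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
    "config": {},
})

if __name__ == "__main__":
    for name, sample in (("pending", SAMPLE_PENDING), ("clean", SAMPLE_CLEAN)):
        hits = reencryption_findings(sample)
        print(name, "->", hits or "no pending re-encryption")
```

Any finding on a drive for which you did not start a re-encryption yourself is a reason not to unlock it until the header has been examined.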

The problem was identified by the maintainer of the cryptsetup project and fixed in the cryptsetup 2.4.3 and 2.3.7 updates.

The status of updates carrying the fix in the distributions can be tracked on these pages: RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability is present only since the cryptsetup 2.2.0 release, which introduced support for the "online reencryption" operation. Starting with the "--disable-luks2-reencryption" option can be used as a security workaround.

Finally, if you are interested in knowing more about this news, you can check the details at the following link.

