[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell

Arno Wagner arno at wagner.name
Wed Dec 7 14:00:12 CET 2016

Hi Jonas,

one thing I find particularly telling is that CVE-2016-4484
is still unpublished and there is only a placeholder:


This rather strongly indicates to me that this was all about
publicity and not about security at all. If they cannot
even be bothered to have that CVE actually out some 20 days
after making a splash at a conference and hyping it to the 
press, this cannot be of any importance, security-wise...


On Wed, Dec 07, 2016 at 12:37:04 CET, Jonas Meurer wrote:
> Hi there,
> Am 15.11.2016 um 13:34 schrieb Milan Broz:
> > just little bit clarification about CVE-2016-4484
> > http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
> > 
> > This bug is *NOT* cryptsetup/LUKS upstream bug, it is a minor problem in scripts
> > unlocking an encrypted system.
> > 
> > It allows attacker to drop to initramdisk shell (without decryption of LUKS data).
> > 
> > The scripts are part of Debian cryptsetup package (as an addition to upstream)
> > or part of dracut package (if dracut is used).
> I decided to write down my thoughts on CVE-2016-4484 and published them
> in a blog post:
> https://blog.freesources.org/posts/2016/12/CVE-2016-4484/
> Feel free to share your comments, criticism, opinion either in the blog
> comments or here on the list.
> Cheers,
>  jonas

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list