diff -Nru cryptsetup-2.2.2/debian/changelog cryptsetup-2.2.2/debian/changelog --- cryptsetup-2.2.2/debian/changelog 2020-09-10 11:47:50.000000000 +0000 +++ cryptsetup-2.2.2/debian/changelog 2022-01-18 17:36:47.000000000 +0000 @@ -1,3 +1,39 @@ +cryptsetup (2:2.2.2-3ubuntu2.4) focal-security; urgency=medium + + * SECURITY UPDATE: decryption through LUKS2 reencryption crash recovery + - debian/patches/CVE-2021-4122.patch: add disable-luks2 reencryption + configure option in configure.ac, lib/luks2/luks2_keyslot.c, + lib/luks2/luks2_reencrypt.c, lib/setup.c, tests/api-test-2.c, + tests/luks2-reencryption-test. + - debian/rules: Disable LUKS2 reencryption by adding new + --disable-luks2-reencryption build option. + - CVE-2021-4122 + + -- Marc Deslauriers Tue, 18 Jan 2022 12:36:47 -0500 + +cryptsetup (2:2.2.2-3ubuntu2.3) focal; urgency=medium + + * Introduce retry logic for external invocations after mdadm (LP: #1879980) + - Currently, if an encrypted rootfs is configured on top of a MD RAID1 + array and such array gets degraded (e.g., a member is removed/failed) + the cryptsetup scripts cannot mount the rootfs, and the boot fails. + We fix that issue here by allowing the cryptroot script to be re-run + by initramfs-tools/local-block stage, as mdadm can activate degraded + arrays at that stage. + There is an initramfs-tools counter-part for this fix, but alone the + cryptsetup portion is harmless. + - d/cryptsetup-initramfs.install: ship the new local-bottom script. + - d/functions: declare variables for local-top|block|bottom scripts + (flag that local-block is running and external invocation counter.) + - d/i/s/local-block/cryptroot: set flag that local-block is running. + - d/i/s/local-bottom/cryptroot: clean up the flag and counter files. + - d/i/s/local-top/cryptroot: change the logic from just waiting 180 + seconds to waiting 5 seconds first, then allowing initramfs-tools + to run mdadm (to activate degraded arrays) and call back at least + 30 times/seconds more. + + -- Guilherme G. Piccoli Wed, 16 Sep 2020 17:40:05 -0300 + cryptsetup (2:2.2.2-3ubuntu2.2) focal-security; urgency=medium * SECURITY UPDATE: Out-of-bounds write diff -Nru cryptsetup-2.2.2/debian/cryptsetup-initramfs.install cryptsetup-2.2.2/debian/cryptsetup-initramfs.install --- cryptsetup-2.2.2/debian/cryptsetup-initramfs.install 2020-02-04 13:11:12.000000000 +0000 +++ cryptsetup-2.2.2/debian/cryptsetup-initramfs.install 2020-09-16 20:40:05.000000000 +0000 @@ -5,5 +5,6 @@ debian/initramfs/scripts/local-block/cryptroot /usr/share/initramfs-tools/scripts/local-block/ debian/initramfs/scripts/local-bottom/cryptgnupg-sc /usr/share/initramfs-tools/scripts/local-bottom/ debian/initramfs/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/ +debian/initramfs/scripts/local-bottom/cryptroot /usr/share/initramfs-tools/scripts/local-bottom/ debian/initramfs/scripts/local-top/cryptopensc /usr/share/initramfs-tools/scripts/local-top/ debian/initramfs/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/ diff -Nru cryptsetup-2.2.2/debian/functions cryptsetup-2.2.2/debian/functions --- cryptsetup-2.2.2/debian/functions 2020-02-04 13:11:12.000000000 +0000 +++ cryptsetup-2.2.2/debian/functions 2020-09-16 20:40:05.000000000 +0000 @@ -9,6 +9,8 @@ TABFILE="${TABFILE-/etc/crypttab}" fi export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8) +export CRYPTR_LOCAL_BLOCK="/run/cryptroot.local-block" +export CRYPTR_CNT_FILE="/run/cryptroot.initrd.cnt" # Logging helpers. Send the argument list to plymouth(1), or fold it # and print it to the standard error. diff -Nru cryptsetup-2.2.2/debian/initramfs/scripts/local-block/cryptroot cryptsetup-2.2.2/debian/initramfs/scripts/local-block/cryptroot --- cryptsetup-2.2.2/debian/initramfs/scripts/local-block/cryptroot 2020-02-04 13:11:12.000000000 +0000 +++ cryptsetup-2.2.2/debian/initramfs/scripts/local-block/cryptroot 2020-09-16 20:40:05.000000000 +0000 @@ -15,6 +15,10 @@ ;; esac +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + if [ -x /scripts/local-top/cryptroot ]; then + touch ${CRYPTR_LOCAL_BLOCK} exec /scripts/local-top/cryptroot fi diff -Nru cryptsetup-2.2.2/debian/initramfs/scripts/local-bottom/cryptroot cryptsetup-2.2.2/debian/initramfs/scripts/local-bottom/cryptroot --- cryptsetup-2.2.2/debian/initramfs/scripts/local-bottom/cryptroot 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.2.2/debian/initramfs/scripts/local-bottom/cryptroot 2020-09-16 20:40:05.000000000 +0000 @@ -0,0 +1,23 @@ +#!/bin/sh +set +x +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +# If we reached this stage, we do have a rootfs mounted +# so let's clean-up cryptroot setup mess... +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + +rm -f ${CRYPTR_LOCAL_BLOCK} +rm -f ${CRYPTR_CNT_FILE} diff -Nru cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot --- cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot 2020-02-04 13:11:12.000000000 +0000 +++ cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot 2020-09-16 20:40:05.000000000 +0000 @@ -31,8 +31,8 @@ # wait_for_source() -# Wait for encrypted $CRYPTTAB_SOURCE for up to 180s. Set -# $CRYPTTAB_SOURCE to its normalized device name when it shows up; +# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE +# to its normalized device name when it shows up; # return 1 if timeout. wait_for_source() { wait_for_udev 10 @@ -42,17 +42,27 @@ return 0 fi - # The lines below has been taken from - # /usr/share/initramfs-tools/scripts/local's local_device_setup(), - # as suggested per https://launchpad.net/bugs/164044 - # If the source device hasn't shown up yet, give it a little while # to allow for asynchronous device discovery (e.g. USB). + # + # We also need to take into account RAID or other devices that may + # only be available on local-block stage. So, wait 5 seconds upfront, + # in local-top; if that fails, end execution relying on local-block + # invocations. Allow $ROOTDELAY/3 invocations with 1s sleep times (with + # a minimum of 30 invocations), and if after that we still fail, then it's + # really time to give-up. Variable $initrd_cnt tracks the re-invocations. + # + # Part of the lines below has been taken from initramfs-tools + # scripts/local's local_device_setup(), as suggested per + # https://launchpad.net/bugs/164044 . + + local slumber=1 + if [ ! -f "${CRYPTR_LOCAL_BLOCK}" ]; then # we are running on local-top + slumber=5 + fi cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..." - # Default delay is 180s, cf. initramfs-tools(8) - local slumber="${ROOTDELAY:-180}" while [ $slumber -gt 0 ]; do sleep 1 @@ -75,7 +85,23 @@ # Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, # $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. setup_mapping() { - local dev + local dev initrd_cnt + + # We control here the number of re-invocations of this script from + # local-block - the heuristic is $ROOTDELAY/3, with a minimum of 30. + # This number is somewhat dictated by mdadm, we want to run more times + # than that script, to allow decrypting volumes on top of arrays. + + if [ -f "${CRYPTR_CNT_FILE}" ]; then + initrd_cnt=$(cat ${CRYPTR_CNT_FILE}) + else + initrd_cnt=${ROOTDELAY:-90} + initrd_cnt=$((initrd_cnt/3)) + if [ "${initrd_cnt}" -lt 30 ]; then + initrd_cnt=30 + fi + echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}" + fi # The same target can be specified multiple times # e.g. root and resume lvs-on-lvm-on-crypto @@ -86,17 +112,23 @@ crypttab_parse_options --export --missing-path=fail || return 1 if ! wait_for_source; then - # we've given up - if [ -n "$panic" ]; then - panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." - else - # let the user fix matters if they can - echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." - echo " Check cryptopts=source= bootarg: cat /proc/cmdline" - echo " or missing modules, devices: cat /proc/modules; ls /dev" - panic "Dropping to a shell." - fi - return 1 # can't continue because environment is lost + if [ ${initrd_cnt} -le 0 ]; then + # we've given up + if [ -n "$panic" ]; then + panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + else + # let the user fix matters if they can + echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + echo " Check cryptopts=source= bootarg: cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules; ls /dev" + panic "Dropping to a shell." + fi + return 1 # can't continue because environment is lost + else + initrd_cnt=$((initrd_cnt - 1)) + echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}" + return 0 # allow some attempts on local-block stage + fi fi # our `cryptroot-unlock` script searches for cryptsetup processes @@ -170,6 +202,10 @@ done cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded" + + if [ -f "${CRYPTR_CNT_FILE}" ]; then + echo 0 > "${CRYPTR_CNT_FILE}" + fi exit 1 } diff -Nru cryptsetup-2.2.2/debian/patches/CVE-2021-4122.patch cryptsetup-2.2.2/debian/patches/CVE-2021-4122.patch --- cryptsetup-2.2.2/debian/patches/CVE-2021-4122.patch 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.2.2/debian/patches/CVE-2021-4122.patch 2022-01-18 17:36:38.000000000 +0000 @@ -0,0 +1,340 @@ +From 0fd1c62de9c53958a8ef5d436273284e166254c9 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Sun, 2 Jan 2022 16:57:31 +0100 +Subject: [PATCH] Add disable-luks2 reencryption configure option. + +The option --disable-luks2-reencryption completely disable +LUKS2 reencryption code. + +When used, the libcryptsetup library can read metadata with +reencryption code, but all reencryption API calls and cryptsetup +reencrypt commands are disabled. + +Devices with online reencryption in progress cannot be activated. + +This option can cause some incompatibilities. Please use with care. +--- + configure.ac | 8 ++++++ + lib/luks2/luks2_keyslot.c | 2 ++ + lib/luks2/luks2_reencrypt.c | 36 ++++++++++++++++-------- + lib/setup.c | 53 +++++++++++++++++++++++++---------- + tests/api-test-2.c | 7 +++-- + tests/luks2-reencryption-test | 2 ++ + 6 files changed, 78 insertions(+), 30 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -139,6 +139,14 @@ AC_DEFUN([NO_FIPS], [ + fi + ]) + ++dnl LUKS2 online reencryption ++AC_ARG_ENABLE([luks2-reencryption], ++ AS_HELP_STRING([--disable-luks2-reencryption], [disable LUKS2 online reencryption extension]), ++ [], [enable_luks2_reencryption=yes]) ++if test "x$enable_luks2_reencryption" = "xyes"; then ++ AC_DEFINE(USE_LUKS2_REENCRYPTION, 1, [Use LUKS2 online reencryption extension]) ++fi ++ + dnl ========================================================================== + dnl pwquality library (cryptsetup CLI only) + AC_ARG_ENABLE([pwquality], +--- a/lib/luks2/luks2_keyslot.c ++++ b/lib/luks2/luks2_keyslot.c +@@ -27,7 +27,9 @@ extern const keyslot_handler reenc_keysl + + static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = { + &luks2_keyslot, ++#if USE_LUKS2_REENCRYPTION + &reenc_keyslot, ++#endif + NULL + }; + +--- a/lib/luks2/luks2_reencrypt.c ++++ b/lib/luks2/luks2_reencrypt.c +@@ -22,6 +22,7 @@ + #include "luks2_internal.h" + #include "utils_device_locking.h" + ++#if USE_LUKS2_REENCRYPTION + static json_object *reencrypt_segment(struct luks2_hdr *hdr, unsigned new) + { + return LUKS2_get_segment_by_flag(hdr, new ? "backup-final" : "backup-previous"); +@@ -85,7 +86,7 @@ static uint64_t reencrypt_get_data_offse + { + return reencrypt_data_offset(hdr, 0); + } +- ++#endif + static int reencrypt_digest(struct luks2_hdr *hdr, unsigned new) + { + int segment = LUKS2_get_segment_id_by_flag(hdr, new ? "backup-final" : "backup-previous"); +@@ -144,7 +145,7 @@ static const char *reencrypt_resilience_ + + return json_object_get_string(jobj_hash); + } +- ++#if USE_LUKS2_REENCRYPTION + static uint32_t reencrypt_alignment(struct luks2_hdr *hdr) + { + json_object *jobj_keyslot, *jobj_area, *jobj_type, *jobj_hash, *jobj_sector_size; +@@ -560,7 +561,7 @@ static int reencrypt_make_post_segments( + + return rh->jobj_segs_post ? 0 : -EINVAL; + } +- ++#endif + static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr) + { + json_object *jobj_keyslot, *jobj_area, *jobj_data_shift; +@@ -666,7 +667,7 @@ void LUKS2_reenc_context_free(struct cry + crypt_unlock_internal(cd, rh->reenc_lock); + free(rh); + } +- ++#if USE_LUKS2_REENCRYPTION + static size_t reencrypt_get_alignment(struct crypt_device *cd, + struct luks2_hdr *hdr) + { +@@ -2545,7 +2546,7 @@ static int reencrypt_load(struct crypt_d + + return 0; + } +- ++#endif + /* internal only */ + int crypt_reencrypt_lock(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock) + { +@@ -2587,7 +2588,7 @@ void crypt_reencrypt_unlock(struct crypt + { + crypt_unlock_internal(cd, reencrypt_lock); + } +- ++#if USE_LUKS2_REENCRYPTION + static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *hdr, + struct crypt_lock_handle **reencrypt_lock) + { +@@ -2842,7 +2843,7 @@ static int reencrypt_recovery_by_passphr + crypt_reencrypt_unlock(cd, reencrypt_lock); + return r; + } +- ++#endif + static int reencrypt_init_by_passphrase(struct crypt_device *cd, + const char *name, + const char *passphrase, +@@ -2853,6 +2854,7 @@ static int reencrypt_init_by_passphrase( + const char *cipher_mode, + const struct crypt_params_reencrypt *params) + { ++#if USE_LUKS2_REENCRYPTION + int r; + crypt_reencrypt_info ri; + struct volume_key *vks = NULL; +@@ -2908,6 +2910,10 @@ out: + crypt_drop_keyring_key(cd, vks); + crypt_free_volume_key(vks); + return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt"); ++#else ++ log_err(cd, _("This operation is not supported for this device type.")); ++ return -ENOTSUP; ++#endif + } + + int crypt_reencrypt_init_by_keyring(struct crypt_device *cd, +@@ -2960,6 +2966,7 @@ int crypt_reencrypt_init_by_passphrase(s + return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params); + } + ++#if USE_LUKS2_REENCRYPTION + static reenc_status_t reencrypt_step(struct crypt_device *cd, + struct luks2_hdr *hdr, + struct luks2_reenc_context *rh, +@@ -3200,10 +3207,11 @@ static int reencrypt_teardown(struct cry + + return r; + } +- ++#endif + int crypt_reencrypt(struct crypt_device *cd, + int (*progress)(uint64_t size, uint64_t offset, void *usrptr)) + { ++#if USE_LUKS2_REENCRYPTION + int r; + crypt_reencrypt_info ri; + struct luks2_hdr *hdr; +@@ -3261,8 +3269,12 @@ int crypt_reencrypt(struct crypt_device + + r = reencrypt_teardown(cd, hdr, rh, rs, quit, progress); + return r; ++#else ++ log_err(cd, _("This operation is not supported for this device type.")); ++ return -ENOTSUP; ++#endif + } +- ++#if USE_LUKS2_REENCRYPTION + static int reencrypt_recovery(struct crypt_device *cd, + struct luks2_hdr *hdr, + uint64_t device_size, +@@ -3298,7 +3310,7 @@ err: + + return r; + } +- ++#endif + /* + * use only for calculation of minimal data device size. + * The real data offset is taken directly from segments! +@@ -3313,7 +3325,7 @@ int LUKS2_reencrypt_data_offset(struct l + + return blockwise ? data_offset : data_offset << SECTOR_SHIFT; + } +- ++#if USE_LUKS2_REENCRYPTION + /* internal only */ + int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic) + { +@@ -3403,7 +3415,7 @@ err: + + return r < 0 ? r : keyslot; + } +- ++#endif + crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd, struct crypt_params_reencrypt *params) + { + crypt_reencrypt_info ri; +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -3708,21 +3708,6 @@ out: + return r; + } + +-static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks) +-{ +- int r; +- struct volume_key *vk = vks; +- +- while (vk) { +- r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)); +- if (r < 0) +- return r; +- vk = vk->next; +- } +- +- return 0; +-} +- + /* See fixmes in _open_and_activate_luks2 */ + int update_reencryption_flag(struct crypt_device *cd, int enable, bool commit); + +@@ -3764,6 +3749,22 @@ out: + return r < 0 ? r : keyslot; + } + ++#if USE_LUKS2_REENCRYPTION ++static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks) ++{ ++ int r; ++ struct volume_key *vk = vks; ++ ++ while (vk) { ++ r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)); ++ if (r < 0) ++ return r; ++ vk = vk->next; ++ } ++ ++ return 0; ++} ++ + static int _open_all_keys(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, +@@ -3925,6 +3926,28 @@ static int _open_and_activate_luks2(stru + + return r; + } ++#else ++static int _open_and_activate_luks2(struct crypt_device *cd, ++ int keyslot, ++ const char *name, ++ const char *passphrase, ++ size_t passphrase_size, ++ uint32_t flags) ++{ ++ crypt_reencrypt_info ri; ++ ++ ri = LUKS2_reenc_status(&cd->u.luks2.hdr); ++ if (ri == CRYPT_REENCRYPT_INVALID) ++ return -EINVAL; ++ ++ if (ri > CRYPT_REENCRYPT_NONE) { ++ log_err(cd, _("This operation is not supported for this device type.")); ++ return -ENOTSUP; ++ } ++ ++ return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags); ++} ++#endif + + static int _activate_by_passphrase(struct crypt_device *cd, + const char *name, +--- a/tests/api-test-2.c ++++ b/tests/api-test-2.c +@@ -3622,7 +3622,7 @@ static void Luks2Flags(void) + + CRYPT_FREE(cd); + } +- ++#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION + static int test_progress(uint64_t size, uint64_t offset, void *usrptr) + { + while (--test_progress_steps) +@@ -3633,7 +3633,6 @@ static int test_progress(uint64_t size, + static void Luks2Reencryption(void) + { + /* reencryption currently depends on kernel keyring support */ +-#if KERNEL_KEYRING + /* NOTES: + * - reencryption requires luks2 parameters. can we avoid it? + */ +@@ -4302,8 +4301,8 @@ static void Luks2Reencryption(void) + CRYPT_FREE(cd); + + _cleanup_dmdevices(); +-#endif + } ++#endif + + static void Luks2Repair(void) + { +@@ -4419,7 +4418,9 @@ int main(int argc, char *argv[]) + RUN_(Luks2Integrity, "LUKS2 with data integrity"); + RUN_(Luks2Refresh, "Active device table refresh"); + RUN_(Luks2Flags, "LUKS2 persistent flags"); ++#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION + RUN_(Luks2Reencryption, "LUKS2 reencryption"); ++#endif + RUN_(Luks2Repair, "LUKS2 repair"); // test disables metadata locking. Run always last! + + _cleanup(); +--- a/tests/luks2-reencryption-test ++++ b/tests/luks2-reencryption-test +@@ -114,6 +114,7 @@ function fail() + function skip() + { + [ -n "$1" ] && echo "$1" ++ remove_mapping + exit 77 + } + +@@ -745,6 +746,7 @@ prepare sector_size=512 physblk_exp=3 de + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + check_hash $PWD1 $HASH1 ++echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped." + echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail + check_hash $PWD1 $HASH1 + echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail diff -Nru cryptsetup-2.2.2/debian/patches/series cryptsetup-2.2.2/debian/patches/series --- cryptsetup-2.2.2/debian/patches/series 2020-09-10 11:16:58.000000000 +0000 +++ cryptsetup-2.2.2/debian/patches/series 2022-01-18 17:36:34.000000000 +0000 @@ -2,3 +2,4 @@ CVE-2020-14382-2.patch CVE-2020-14382-3.patch decrease_memlock_ulimit.patch +CVE-2021-4122.patch diff -Nru cryptsetup-2.2.2/debian/rules cryptsetup-2.2.2/debian/rules --- cryptsetup-2.2.2/debian/rules 2020-02-04 13:11:12.000000000 +0000 +++ cryptsetup-2.2.2/debian/rules 2022-01-18 17:36:47.000000000 +0000 @@ -24,7 +24,8 @@ --sbindir=/sbin \ --enable-libargon2 \ --enable-shared \ - --enable-cryptsetup-reencrypt + --enable-cryptsetup-reencrypt \ + --disable-luks2-reencryption override_dh_auto_build: dh_auto_build