The "cryptsetup initrd root shell" vulnerability
Posted Nov 15, 2016 16:46 UTC (Tue) by corsac (subscriber, #49696)
Parent article: The "cryptsetup initrd root shell" vulnerability
First, some precision on the timeline: the bug was reported privately to us (Debian security team) on Nov 3rd, requesting an embargo until Nov 11th for the DeepSec 16 presentation. Considering the low-impact vulnerability and the fact that we're not really fans of embargoes when they can be avoided, we pushed for publishing a fix early, and it was uploaded to Debian unstable on Nov 7th (https://tracker.debian.org/news/813298).
Then, the bug itself. It's *not* a bug in upstream cryptsetup but in the glue added in Debian (and thus propagated to Ubuntu and other Debian derivatives) to support unlocking an encrypted root partition from the initramfs (https://sources.debian.net/src/cryptsetup/2:1.6.6-5/debia...). I don't think it affects Fedora/RedHat, Suse, Arch etc. Also, in our opinion, and as stated earlier, it's a low-impact bug. Sure it's bad (and we want to thank the reporters for that), so the maintainers fixed it in unstable, but it's not considered important enough to warrant a Debian Security Advisory (https://security-tracker.debian.org/tracker/CVE-2016-4484). What you gain is root access to the initramfs, which you usually can access in other ways if you already have physical access to enter a passphrase to unlock the encrypted partition.
That being said, security is in the big picture and how tiny pieces fit together, and I'm all for defense in depth, so yes, the point is still valid. Just not the noise.
Posted Nov 15, 2016 18:45 UTC (Tue) by asalor (subscriber, #39266)
The talk title (Abusing LUKS to Hack the System) and the direct mention of cryptsetup in the CVE (while it is neither a bug in cryptsetup upstream nor in the LUKS format) really does not help anyone.
This was really not the ideal example of how researchers should cooperate with open-source developers.