
Bug#692767: unblock: cryptsetup/2:1.4.3-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package cryptsetup

Hello,

cryptsetup 2:1.4.3-4 has only non-intrusive changes compared to
2:1.4.3-2. Nevertheless it fixes some annoying bugs. Most importantly,
it adds local keymap support to initramfs for encrypted root
filesystem by recommending initramfs-tools, busybox, kbd and
console-setup.

Only easy fixes, documentation and translation updates are included.
The debdiff is attached, relevant changelog follows:

cryptsetup (2:1.4.3-4) unstable; urgency=medium

  * change recommends for busybox to busybox | busybox-static. Thanks to
    Armin Haas for the bugreport. (closes: #692151)

 -- Jonas Meurer <mejo@debian.org>  Wed, 07 Nov 2012 16:12:25 +0100

cryptsetup (2:1.4.3-3) unstable; urgency=medium

  * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
    necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
    for the bugreport. (closes: #689722)
  * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
    busybox' to recommends. Both are required for encrypted root fs.
  * remove suggestion for udev, most debian systems have it installed anyway.
  * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
    Thanks to Felicitus for the bug report. (closes: #688786)
  * add a paragraph in README.initramfs: Describe, why renaming the target
    name is not supported for encrypted root devices. Thanks to Adam Lee for
    bugreport and proposed workaround for this limitation. (closes: #671037)
  * fix keyfile permission checks in cryptdisks init scripts to follow
    symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
  * fix owner group check for keyfile in cryptdisks init scripts to really
    check owner group.
  * update debconf translations:
    - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
    - japanese, thanks to victory. (closes: #690784)
  * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
    the bugreport. (closes: #684086)

 -- Jonas Meurer <mejo@debian.org>  Thu, 01 Nov 2012 15:34:09 +0100

unblock cryptsetup/2:1.4.3-4

Regards,
 jonas

diff -Nru cryptsetup-1.4.3/debian/changelog cryptsetup-1.4.3/debian/changelog
--- cryptsetup-1.4.3/debian/changelog	2012-06-12 21:26:35.000000000 +0200
+++ cryptsetup-1.4.3/debian/changelog	2012-11-07 16:12:30.000000000 +0100
@@ -1,3 +1,35 @@
+cryptsetup (2:1.4.3-4) unstable; urgency=medium
+
+  * change recommends for busybox to busybox | busybox-static. Thanks to
+    Armin Haas for the bugreport. (closes: #692151)
+
+ -- Jonas Meurer <mejo@debian.org>  Wed, 07 Nov 2012 16:12:25 +0100
+
+cryptsetup (2:1.4.3-3) unstable; urgency=medium
+
+  * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
+    necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
+    for the bugreport. (closes: #689722)
+  * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
+    busybox' to recommends. Both are required for encrypted root fs.
+  * remove suggestion for udev, most debian systems have it installed anyway.
+  * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
+    Thanks to Felicitus for the bug report. (closes: #688786)
+  * add a paragraph in README.initramfs: Describe, why renaming the target
+    name is not supported for encrypted root devices. Thanks to Adam Lee for
+    bugreport and proposed workaround for this limitation. (closes: #671037)
+  * fix keyfile permission checks in cryptdisks init scripts to follow
+    symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
+  * fix owner group check for keyfile in cryptdisks init scripts to really
+    check owner group.
+  * update debconf translations:
+    - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
+    - japanese, thanks to victory. (closes: #690784)
+  * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
+    the bugreport. (closes: #684086)
+
+ -- Jonas Meurer <mejo@debian.org>  Thu, 01 Nov 2012 15:34:09 +0100
+
 cryptsetup (2:1.4.3-2) unstable; urgency=medium
 
   * fix the shared library symbols magic: so far, the symbols file for
diff -Nru cryptsetup-1.4.3/debian/control cryptsetup-1.4.3/debian/control
--- cryptsetup-1.4.3/debian/control	2012-06-08 13:31:06.000000000 +0200
+++ cryptsetup-1.4.3/debian/control	2012-11-07 16:11:49.000000000 +0100
@@ -12,7 +12,8 @@
 Package: cryptsetup
 Architecture: linux-any
 Depends: ${shlibs:Depends}, ${misc:Depends}, dmsetup, cryptsetup-bin
-Suggests: udev, initramfs-tools (>= 0.91) | linux-initramfs-tool, busybox, dosfstools, liblocale-gettext-perl
+Recommends: kbd, console-setup, initramfs-tools (>= 0.91) | linux-initramfs-tool, busybox | busybox-static
+Suggests: dosfstools, liblocale-gettext-perl
 Provides: cryptsetup-luks
 Conflicts: cryptsetup-luks
 Replaces: cryptsetup-luks, hashalot (<< 0.3-2)
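Review bot: The new Recommends line makes kbd, console-setup, an initramfs generator and busybox part of every default install of cryptsetup, since apt installs Recommends unless told otherwise, while the changelog justifies them only for encrypted root and local keymap in the initramfs. For a freeze-time upload it would help to say so explicitly in the unblock request, and to note that udev is dropped from Suggests without moving anywhere else.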
diff -Nru cryptsetup-1.4.3/debian/cryptdisks.functions cryptsetup-1.4.3/debian/cryptdisks.functions
--- cryptsetup-1.4.3/debian/cryptdisks.functions	2012-05-10 12:14:55.000000000 +0200
+++ cryptsetup-1.4.3/debian/cryptdisks.functions	2012-11-01 14:00:23.000000000 +0100
@@ -219,7 +219,7 @@
 	fi
 
 	# Check ownership of $key
-	OWNER="$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
+	OWNER="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
 	if [ "$OWNER" != "root" ]; then
 		log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
 	fi
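Review bot: In the new OWNER line, `$key` inside `$(readlink -f $key)` is unquoted, so a key path containing whitespace or glob characters is split before readlink sees it, and the ownership check then runs against the wrong argument or an empty string. Quote the inner expansion as `"$(readlink -f "$key")"`. Since the goal is the owner of the symlink target, `stat -L -c %U "$key"` would return it directly and avoid parsing ls output with a column-based sed pattern.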
@@ -230,14 +230,14 @@
 	fi
 
 	# Check owner group of $key
-	GROUP="$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
+	GROUP="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{12\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
 	if [ "$GROUP" != "root" ]; then
 		log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
 	fi
 
 	# Check group and other permissions
-	GMODE="$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')"
-	OMODE="$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')"
+	GMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')"
+	OMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')"
 	if [ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]; then
 		log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
 	fi
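Review bot: In the GROUP line, raising the skip from `.\{10\}` to `.\{12\}` reaches the group column only when the mode string has no trailing `+` or `.` and the hard-link count is a single digit. For a line such as `-rw-------. 1 root users`, or any link count of 10 or more, the capture lands on the owner field again and a non-root group passes unnoticed. Skipping whitespace-separated fields instead of fixed columns, or using `stat -L -c %G "$key"`, removes that dependency. The same unquoted `$key` inside `readlink -f` appears in all three changed lines here. Separately, the unchanged condition `[ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]` warns only when both group and other have bits set, so a key that is group-readable but closed to others produces no warning; `||` looks like what was meant.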
diff -Nru cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml
--- cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml	2011-09-19 12:46:18.000000000 +0200
+++ cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml	2012-11-01 14:34:19.000000000 +0100
@@ -38,7 +38,7 @@
   </simpara>
   <simpara>
    Note that this wrapper passes <option>--key-file=-</option> to
-   <command moreinfo="refentry">cryptsetup</command>, so the passphase
+   <command moreinfo="refentry">cryptsetup</command>, so the passphrase
    in any referenced key file must not be followed by a newline character.
   </simpara>
  </refsect1>
diff -Nru cryptsetup-1.4.3/debian/doc/crypttab.xml cryptsetup-1.4.3/debian/doc/crypttab.xml
--- cryptsetup-1.4.3/debian/doc/crypttab.xml	2012-04-13 13:00:37.000000000 +0200
+++ cryptsetup-1.4.3/debian/doc/crypttab.xml	2012-11-01 14:34:33.000000000 +0100
@@ -46,13 +46,15 @@
   </simpara>
   <simpara>
    The second field, <emphasis>source device</emphasis>, describes either the
-   block special device or file that contains the encrypted data.
+   block special device or file that contains the encrypted data. Instead of
+   giving the <emphasis>source device</emphasis> explicitly, the UUID is
+   supported as well, using <emphasis>UUID=&lt;luks_uuid&gt;</emphasis>.
   </simpara>
   <simpara>
    The third field, <emphasis>key file</emphasis>, describes the file to use
    as a key for decrypting the data of the <emphasis>source device</emphasis>.
    Note that the <emphasis>entire</emphasis> key file will be used as the
-   passphase; the passphase must <emphasis>not</emphasis> be
+   passphrase; the passphrase must <emphasis>not</emphasis> be
    followed by a newline character.
   </simpara>
   <simpara>
@@ -400,8 +402,8 @@
 # Encrypted swap device
 cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap
     
-# Encrypted LUKS disk with interactive password
-cdisk0 /dev/hda1 none luks
+# Encrypted LUKS disk with interactive password, identified by UUID
+cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks
     
 # Encrypted ext4 disk with interactive password
 # - retry 5 times if the check fails
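Review bot: The example value in `cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks` is not UUID-shaped: it has four groups of 8-4-9-12 hex digits (33 in total) rather than five groups of 8-4-4-4-12. A reader who copies the pattern will not recognise it as the value their tools print. Use a well-formed placeholder such as 12345678-9abc-def0-1234-56789abcdef0. It would also be worth keeping one example with a plain device path for LUKS, since this change replaces the only one shown in this hunk.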
diff -Nru cryptsetup-1.4.3/debian/po/ja.po cryptsetup-1.4.3/debian/po/ja.po
--- cryptsetup-1.4.3/debian/po/ja.po	1970-01-01 01:00:00.000000000 +0100
+++ cryptsetup-1.4.3/debian/po/ja.po	2012-11-01 15:49:50.000000000 +0100
@@ -0,0 +1,54 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# victory <victory.deb@gmail.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2011-09-15 12:30+0200\n"
+"PO-Revision-Date: 2012-06-17 00:27+09:00\n"
+"Last-Translator: victory <victory.deb@gmail.com>\n"
+"Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
+"Language: ja\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "cryptsetup ã?®å??é?¤ã??ç¶?è¡?ã??ã?¾ã??ã???"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr ""
+"ã??ã?®ã?·ã?¹ã??ã? ã?«ã?¯ã?­ã??ã?¯ã??ã??ã?¦ã??ã?ªã?? dm-crypt ã??ã??ã?¤ã?¹ã??ã??ã??ã?¾ã??: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"cryptsetup ã?«ã??ã??管ç??ã??ã??ã?¦ã??ã??ã??ã??ã?¤ã?¹ã??ã??ã??å ´å??ã??ã??ã??ã?±ã?¼ã?¸å??é?¤å¾?ã?«ã??ã??ã?¤ã?¹"
+"ã??ã?­ã??ã?¯ã?§ã??ã?ªã??ã?ªã??å?¯è?½æ?§ã??ã??ã??ã?¾ã??ã??ã??ä»?ã?®ã??ã?¼ã?«ã??使ã?£ã?¦ dm-crypt ã??ã??ã?¤ã?¹"
+"ã??管ç??ã??ã??ã??ã?¨ã??ã?§ã??ã?¾ã??ã??ã?·ã?¹ã??ã? ã?®ã?·ã?£ã??ã??ã??ã?¦ã?³ã??å??èµ·å??ã??ç?ºç??ã??ã??ã?¨ã??ã??ã?¤"
+"ã?¹ã?¯ã?­ã??ã?¯ã??ã??ã?¾ã??ã??"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"ã??ã??ã?±ã?¼ã?¸å??é?¤ã?®å??ã?« dm-crypt ã??ã??ã?¤ã?¹ã??ã?­ã??ã?¯ã??ã??ã??å ´å??ã?¯ã??ã?®ã?ªã??ã?·ã?§ã?³ã??é?¸"
+"æ??ã??ã?ªã??ã?§ã??ã? ã??ã??ã??"
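Review bot: The header of the new ja.po still carries the gettext template placeholders (`# SOME DESCRIPTIVE TITLE.`, `Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER`, `the PACKAGE package`), and `PO-Revision-Date: 2012-06-17 00:27+09:00` writes the offset with a colon where pt_BR.po in the same diff uses the `-0300` form. Fill in the header as pt_BR.po does and normalise the date to `+0900`. The msgstr lines render as mojibake in this copy of the debdiff, so it is worth confirming with `msgfmt -c` that the file on disk really is UTF-8 as its Content-Type header declares.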
diff -Nru cryptsetup-1.4.3/debian/po/pt_BR.po cryptsetup-1.4.3/debian/po/pt_BR.po
--- cryptsetup-1.4.3/debian/po/pt_BR.po	1970-01-01 01:00:00.000000000 +0100
+++ cryptsetup-1.4.3/debian/po/pt_BR.po	2012-11-01 13:20:47.000000000 +0100
@@ -0,0 +1,55 @@
+# Debconf translations for cryptsetup.
+# Copyright (C) 2011 THE cryptsetup'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Adriano Rafael Gomes <adrianorg@gmail.com>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2011-09-15 12:30+0200\n"
+"PO-Revision-Date: 2011-10-09 17:56-0300\n"
+"Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n"
+"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
+"org>\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Continuar com a remoção do cryptsetup?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Esse sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Se esses dispositivos são gerenciados com o cryptsetup, você pode não "
+"conseguir bloquear os dispositivos depois da remoção do pacote, embora "
+"outras ferramentas possam ser usadas para gerenciar dispositivos dm-crypt. "
+"Qualquer desligamento ou reinicialização do sistema bloqueará os "
+"dispositivos."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Não escolha essa opção se você quiser bloquear os dispositivos dm-crypt "
+"antes da remoção do pacote."
diff -Nru cryptsetup-1.4.3/debian/README.initramfs cryptsetup-1.4.3/debian/README.initramfs
--- cryptsetup-1.4.3/debian/README.initramfs	2012-03-10 02:06:31.000000000 +0100
+++ cryptsetup-1.4.3/debian/README.initramfs	2012-11-01 13:47:25.000000000 +0100
@@ -207,4 +207,20 @@
 the initramfs. This can be done by listing the required modules in
 /etc/initramfs-tools/modules.
 
--- David Härdeman <david@hardeman.nu>
+11. Limitation: renaming of target name for encrypted root device
+-----------------------------------------------------------------
+As spotted by Adam Lee in bugreport #671037[1], it's not possible to simply
+rename the target name for encrypted root devices. It breaks the initramfs
+creation process. The bugreport submitter found a solution to workaround this
+limitation:
+
+0. enter another system(like livecd)
+1. luksOpen with the new name, change the target name to the new one
+2. chroot into it(now, the living target name is the same as it in conf)
+3. update-initramfs -u
+4. reboot
+
+[1] http://bugs.debian.org/671037
+
+ -- David Härdeman <david@hardeman.nu>
+ -- Jonas Meurer <mejo@debian.org>  Thu, 01 Nov 2012 13:44:31 +0100
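Review bot: Steps 1 and 2 of the documented workaround never name the file in which the target name is changed (step 2 only says "in conf"), and step 2 goes straight to chroot without mentioning that the opened root device has to be mounted first. A reader following the list literally cannot tell what to edit. Name the file explicitly (presumably /etc/crypttab on the encrypted root, which the text should confirm) and add the mount step. The section would also read better if it stated in one sentence why the rename breaks initramfs creation, which the changelog entry promises ("Describe, why renaming the target name is not supported") but the added paragraph does not do.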
