Message-ID: <87zf2he8se.fsf@gmail.com>
Date: Sat, 02 May 2026 15:38:57 -0700
From: Collin Funk <collin.funk1@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation

Alexander Bochmann <ab@...ts.gxis.de> writes:

> ...on 2026-05-02 20:05:00, Eric Biggers wrote:
>
> > What it does break are a small set of userspace programs that made the
> > shortsighted decision to use AF_ALG, instead of simply following the
> > standard practice of using a userspace crypto library.
>
> For some added fun - I noticed that Debian 13, for example,
> ships an openssl build with an AF_ALG engine, so uh, yeah,
> depending on how you use your userspace crypto library...
>
> No idea if that has any actual consumers anywhere out there
> today.
>
> $ openssl version
> OpenSSL 3.5.5 27 Jan 2026 (Library: OpenSSL 3.5.5 27 Jan 2026)
> $ openssl engine afalg -c
> (afalg) AFALG engine support
>  [AES-128-CBC, AES-192-CBC, AES-256-CBC]

You can build GNU coreutils with './configure --with-linux-crypto' if you
want. It is disabled by default since OpenSSL was faster when it was
tested (and I assume that is still the case).

AFAIK, no distributions use it though.

Collin