oss-sec mailing list archives

Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege escalation


From: Collin Funk <collin.funk1 () gmail com>
Date: Sat, 02 May 2026 15:38:57 -0700

Alexander Bochmann <ab () lists gxis de> writes:

> ...on 2026-05-02 20:05:00, Eric Biggers wrote:
>
> > What it does break are a small set of userspace programs that made the
> > shortsighted decision to use AF_ALG, instead of simply following the
> > standard practice of using a userspace crypto library.
>
> For some added fun - I noticed that Debian 13, for example,
> ships an openssl build with an AF_ALG engine, so uh, yeah,
> depending on how you use your userspace crypto library...
>
> No idea if that has any actual consumers anywhere out there
> today.
>
> $ openssl version
> OpenSSL 3.5.5 27 Jan 2026 (Library: OpenSSL 3.5.5 27 Jan 2026)
> $ openssl engine afalg -c
> (afalg) AFALG engine support
>  [AES-128-CBC, AES-192-CBC, AES-256-CBC]

You can build GNU coreutils with './configure --with-linux-crypto' if
you want. It is disabled by default since OpenSSL was faster when it was
tested (and I assume that is still the case). AFAIK, no distributions
use it though.

Collin

