Discussion:
Bug#931428: release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
jonathan
2019-07-04 18:30:01 UTC
Permalink
Package: release-notes
Severity: normal

When installing Debian from live media using the Calamares installer and selecting the full disk encryption feature, the disk's unlock key is stored in the initramfs which is world readable. This allows users with local filesystem access to gain access to the private key and gain access to the filesystem again in the future.

This can be worked around by adding "UMASK=0077" to /etc/initramfs-tools/conf.d/initramfs-permissions and running "update-initramfs -u". This will recreate the initramfs without world-readable permissions.

A fix for the installer is being planned and will be uploaded to debian-security. In the meantime users of full disk encryption should apply the above workaround.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179
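A check for the workaround above, added here as an example and not part of the bug report or of Debian's own tooling: the first function lists initramfs images under /boot whose group or other permission bits are set, the second writes the UMASK=0077 drop-in exactly as described. The directory arguments exist only so the functions can be exercised against constructed files; their defaults are the paths from the report. Regenerating the image with `update-initramfs -u` is left to the operator.

```shell
#!/bin/sh
# Added example (not from the bug report): audit initramfs permissions and
# install the UMASK=0077 workaround from Bug#931373 / CVE-2019-13179.

# check_initramfs_perms DIR
#   Print every initrd.img-* under DIR (default /boot) that is readable by
#   group or others.  Returns 0 when every image is owner-only, 1 otherwise.
check_initramfs_perms() {
    dir=${1:-/boot}
    bad=0
    for img in "$dir"/initrd.img-*; do
        [ -f "$img" ] || continue
        # Columns 5-10 of `ls -ld` output are the group and other rwx bits;
        # anything but "------" means someone other than root can read the
        # image, and with it the embedded unlock key.
        grp_oth=$(ls -ld "$img" | cut -c5-10)
        case "$grp_oth" in
            ------) ;;
            *) printf 'group/world accessible: %s (%s)\n' "$img" "$grp_oth"
               bad=1 ;;
        esac
    done
    return "$bad"
}

# apply_umask_workaround CONFDIR
#   Write UMASK=0077 to CONFDIR/initramfs-permissions (default
#   /etc/initramfs-tools/conf.d).  The image only picks up the restricted
#   umask once `update-initramfs -u` is run afterwards.
apply_umask_workaround() {
    confdir=${1:-/etc/initramfs-tools/conf.d}
    mkdir -p "$confdir"
    printf 'UMASK=0077\n' > "$confdir/initramfs-permissions"
}

# Typical use on an affected system, as root:
#   check_initramfs_perms        # report images readable by non-root users
#   apply_umask_workaround       # install the drop-in from the report
#   update-initramfs -u          # regenerate the image with mode 0600
#   check_initramfs_perms        # should now print nothing and return 0
```

`lsinitramfs /boot/initrd.img-$(uname -r)` lists the image contents if you want to confirm the key file is actually embedded before and after. Note what the fix does not do: tightening the mode of the new image does not revoke a key that a local user has already copied out of the old world-readable one. That key stays valid until the corresponding LUKS key slot is changed, which is the "gain access to the filesystem again in the future" concern in the report.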
Justin B Rye
2019-07-04 19:30:01 UTC
Permalink
Bug 931428, amending "issues":

(Can we call this package-specific for calamares?)
Post by jonathan
When installing Debian from live media using the Calamares installer
(add a link to the what's-new entry)
Post by jonathan
and selecting the full disk encryption feature, the disk's unlock key
is stored in the initramfs which is world readable. This allows users
with local filesystem access to gain access to the private key and
gain access to the filesystem again in the future.
Can we take out one of these repeats of "access"? Make it "to read
the private key and"...
Post by jonathan
This can be worked around by adding "UMASK=0077" to
/etc/initramfs-tools/conf.d/initramfs-permissions and running
"update-initramfs -u". This will recreate the initramfs without
world-readable permissions.
A fix for the installer is being planned and will be uploaded to
debian-security. In the meantime users of full disk encryption should
apply the above workaround.
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179
I'm still a bit unclear about how the fix for this is going to
propagate - if it's an issue that people delaying their dist-upgrade
until next year won't need to know about then perhaps the text should
say something that won't go stale as quickly. But for now here's a
patch.
Post by jonathan
Debian live images now ship an additional installer called
Calamares. Calamares is a distribution agnostic project that aims to
create a univeral installer. Calamare is an easy to use graphical
              ^                      ^
"Universal" and presumably "Calamares", but it's clumsy to repeat
"Calamares" (and "installer") like this, especially with two different
definitions! Could we say

Calamares is a distribution-agnostic project that aims to
create a universal installer, providing an easy-to-use graphical
interface designed for typical laptop and desktop users. It doesn't
yet support advanced partitioning options like RAID, but for advanced
users, debian-installer is still available from the installation media
boot menu.


And meanwhile in issues.dbk I see some text about evolution has crept
in without me noticing, so here's an extra diff for that too.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Debian Bug Tracking System
2019-07-05 19:50:01 UTC
Permalink
Your message dated Fri, 5 Jul 2019 21:38:27 +0200
with message-id <faa2775d-8087-69c5-57f2-***@debian.org>
and subject line Re: Bug#931428: release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
has caused the Debian Bug report #931428,
regarding release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
931428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931428
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems