Key File Permissions
A key file for LUKS encryption is generated by Calamares. This key file is sensitive information, because it is used to encrypt the hard disk where the installation takes place, and an attacker with access to the key file can use that to defeat disk encryption.
Initramfs Information Leak
Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.
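An added defender-side check, not part of this bug report or of Calamares: a small Python audit that reports an initramfs image that is world-readable or that packs a file named crypto_keyfile.bin, assuming the image is a single plain or gzip-compressed newc cpio archive (real images may be concatenated or xz/zstd-compressed, which lsinitramfs/lsinitrd handle); build_newc is a constructed helper used only to produce test images.

```python
import gzip
import stat
from pathlib import Path
KEYFILE = "crypto_keyfile.bin"  # the key file name given in the advisory above

def parse_newc(data):
    """Return [(name, mode), ...] from a newc (SVR4) cpio archive, the format initramfs images use."""
    entries, off = [], 0
    while off + 110 <= len(data):
        if data[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio header at offset %d" % off)
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()
        data_start = (off + 110 + namesize + 3) & ~3  # NUL-terminated name, padded to 4 bytes
        off = (data_start + filesize + 3) & ~3         # file body, padded to 4 bytes
        if name == "TRAILER!!!":
            break
        entries.append((name, mode))
    return entries

def audit_initramfs(path):
    """Findings for one image: world-readable permissions and/or the key file packed inside."""
    findings, img = [], Path(path)
    mode = img.stat().st_mode
    if mode & stat.S_IROTH:
        findings.append("image is world-readable (mode %04o)" % stat.S_IMODE(mode))
    raw = img.read_bytes()
    if raw[:2] == b"\x1f\x8b":  # gzip image; xz/zstd and concatenated archives are not handled here
        raw = gzip.decompress(raw)
    for name, fmode in parse_newc(raw):
        if Path(name).name == KEYFILE:
            findings.append("contains %s (mode %04o)" % (name, stat.S_IMODE(fmode)))
    return findings

def build_newc(files):
    """Constructed helper: pack {name: (mode, body)} into a newc cpio archive to build test images."""
    out, ino = bytearray(), 1
    for name, (mode, body) in list(files.items()) + [("TRAILER!!!", (0, b""))]:
        nm = name.encode() + b"\0"
        vals = (ino, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0)
        out += b"070701" + b"".join(b"%08X" % v for v in vals) + nm
        out += b"\0" * (-len(out) % 4) + body
        out += b"\0" * (-len(out) % 4)
        ino += 1
    return bytes(out)

if __name__ == "__main__":
    for img in sorted(Path("/boot").glob("initr*")):  # genkernel and dracut image names both start this way
        print(img, audit_initramfs(img) or "ok")
```

A non-empty findings list for an image means the key file should be regenerated and the image rebuilt with mode 0600, since the key has to be treated as exposed.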
package is not in tree yet
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <email@example.com>
AuthorDate: 2019-08-17 08:54:02 +0000
Commit: Andreas Sturmlechner <firstname.lastname@example.org>
CommitDate: 2019-08-18 11:20:47 +0000
app-admin/calamares: 3.2.12 bump, CVE-2019-13178, CVE-2019-13179
Package-Manager: Portage-2.3.71, Repoman-2.3.17
Signed-off-by: Andreas Sturmlechner <email@example.com>
app-admin/calamares/Manifest | 1 +
app-admin/calamares/calamares-3.2.12.ebuild | 95 +++++++++++++++++++++++++++++
2 files changed, 96 insertions(+)
Package is not stable. Stabilisation is up to maintainers, security cleanup was done anyway.