Key File Permissions

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13178
https://github.com/calamares/calamares/issues/1190

A key file for LUKS encryption is generated by Calamares. This key file is sensitive information, because it is used to encrypt the hard disk where the installation takes place, and an attacker with access to the key file can use that to defeat disk encryption.

Initramfs Information Leak

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13179
https://github.com/calamares/calamares/issues/1191

Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.

https://calamares.io/calamares-cve-2019/
https://calamares.io/calamares-3.2.11-is-out/
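The leak described above can be checked for on an installed system by looking inside the initramfs images under /boot for an embedded crypto_keyfile.bin and at the permissions of the image files themselves: the 0600 mode on the original file gives no protection once a copy sits in an image any user can read. The following is an added example, not Calamares or Gentoo code. It builds a constructed gzip-compressed newc cpio image (the format used for initramfs), walks its entries with a small parser, and reports whether the image is world-readable and whether it contains the keyfile. It assumes gzip compression with no prepended early-microcode archive; the keyfile name is taken from the CVE text, its exact location inside the image is an assumption, so the check matches on basename.

```python
"""Audit initramfs images for an embedded LUKS keyfile (CVE-2019-13179 pattern).

Added example, not Calamares or Gentoo code. Assumes gzip-compressed newc cpio
images with no prepended early-microcode archive; the keyfile name comes from
the CVE text, its location inside the image is an assumption.
"""
import gzip
import os
import stat
import tempfile

CPIO_MAGIC = b"070701"          # newc (SVR4 without CRC) cpio magic
HEADER_LEN = 110                # 6-byte magic + 13 eight-hex-digit fields
KEYFILE_NAME = "crypto_keyfile.bin"


def _newc_entry(name, data, mode, ino):
    """Serialize one newc cpio entry; header+name and data are each 4-byte padded."""
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
    header = CPIO_MAGIC + b"".join(b"%08X" % f for f in fields)
    body = header + name.encode() + b"\0"
    body += b"\0" * (-len(body) % 4)
    return body + data + b"\0" * (-len(data) % 4)


def build_initramfs(path, files, image_mode):
    """Write a constructed gzip'd newc cpio image; files is [(name, bytes, st_mode)]."""
    archive = b"".join(_newc_entry(n, d, m, i) for i, (n, d, m) in enumerate(files, 1))
    archive += _newc_entry("TRAILER!!!", b"", 0, 0)
    with open(path, "wb") as fh:
        fh.write(gzip.compress(archive))
    os.chmod(path, image_mode)
    return path


def iter_cpio(blob):
    """Yield (name, st_mode, data) for every entry of a newc cpio archive."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != CPIO_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize
        data_start += -data_start % 4           # data is 4-byte aligned
        if name == "TRAILER!!!":
            return
        yield name, mode, blob[data_start:data_start + filesize]
        off = data_start + filesize
        off += -off % 4                         # next header is 4-byte aligned


def audit_initramfs(path):
    """Report whether the image is world-readable and which keyfiles it embeds."""
    st = os.stat(path)
    result = {
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "keyfiles": [],                          # (name, size, mode) of embedded keyfiles
    }
    with gzip.open(path, "rb") as fh:
        blob = fh.read()
    for name, mode, data in iter_cpio(blob):
        if os.path.basename(name) == KEYFILE_NAME:
            result["keyfiles"].append((name, len(data), stat.S_IMODE(mode)))
    return result


def audit_boot(bootdir="/boot"):
    """Audit every initramfs/initrd image under bootdir (reading them needs root)."""
    reports = {}
    for fn in sorted(os.listdir(bootdir)):
        if fn.startswith(("initramfs", "initrd")):
            reports[fn] = audit_initramfs(os.path.join(bootdir, fn))
    return reports


def demo():
    """Build a vulnerable and a clean image in a temp dir and audit both."""
    workdir = tempfile.mkdtemp()
    keyfile = bytes(range(32))                   # constructed stand-in for a LUKS keyfile
    init = b"#!/bin/sh\nexec /sbin/init\n"
    bad = build_initramfs(os.path.join(workdir, "initramfs-bad.img"),
                          [("init", init, 0o100755),
                           ("crypto_keyfile.bin", keyfile, 0o100600)], 0o644)
    good = build_initramfs(os.path.join(workdir, "initramfs-good.img"),
                           [("init", init, 0o100755)], 0o600)
    return audit_initramfs(bad), audit_initramfs(good)


if __name__ == "__main__":
    for label, report in zip(("vulnerable", "clean"), demo()):
        print(label, report)
```

Note that the keyfile entry inside the vulnerable image still carries mode 0600, which is exactly why the in-archive mode is irrelevant: whoever can read the image can extract the entry. Real images may be xz- or zstd-compressed or carry an uncompressed microcode cpio in front; those need a decompression step before iter_cpio and are outside this example.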
package is not in tree yet
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6706e2c90a89fbc7134957e5b3647d98811600b

commit a6706e2c90a89fbc7134957e5b3647d98811600b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-17 08:54:02 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-18 11:20:47 +0000

    app-admin/calamares: 3.2.12 bump, CVE-2019-13178, CVE-2019-13179

    Bug: https://bugs.gentoo.org/690830
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-admin/calamares/Manifest                |  1 +
 app-admin/calamares/calamares-3.2.12.ebuild | 95 +++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
Package is not stable. Stabilisation is up to maintainers, security cleanup was done anyway.