Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690830 (CVE-2019-13178, CVE-2019-13179) - <app-admin/calamares-3.2.12: key file permissions and initramfs information leak
Summary: <app-admin/calamares-3.2.12: key file permissions and initramfs information leak
Status: RESOLVED FIXED
Alias: CVE-2019-13178, CVE-2019-13179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-27 22:12 UTC by Andreas Sturmlechner
Modified: 2019-08-22 18:14 UTC (History)
2 users (show)

See Also:
Package list:
app-admin/calamares-3.2.12
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Sturmlechner gentoo-dev 2019-07-27 22:12:06 UTC
Key File Permissions
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13178
https://github.com/calamares/calamares/issues/1190

A key file for LUKS encryption is generated by Calamares. This key file is sensitive information, because it is used to encrypt the hard disk where the installation takes place, and an attacker with access to the key file can use that to defeat disk encryption.


Initramfs Information Leak
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13179
https://github.com/calamares/calamares/issues/1191

Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.


https://calamares.io/calamares-cve-2019/
https://calamares.io/calamares-3.2.11-is-out/
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-17 15:51:39 UTC
package is not in tree yet
Comment 2 Larry the Git Cow gentoo-dev 2019-08-18 11:26:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6706e2c90a89fbc7134957e5b3647d98811600b

commit a6706e2c90a89fbc7134957e5b3647d98811600b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-17 08:54:02 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-18 11:20:47 +0000

    app-admin/calamares: 3.2.12 bump, CVE-2019-13178, CVE-2019-13179
    
    Bug: https://bugs.gentoo.org/690830
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-admin/calamares/Manifest                |  1 +
 app-admin/calamares/calamares-3.2.12.ebuild | 95 +++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2019-08-22 11:07:36 UTC
Package is not stable. Stabilisation is up to maintainers, security cleanup was done anyway.