
Bug#931428: marked as done (release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179))



Your message dated Fri, 5 Jul 2019 21:38:27 +0200
with message-id <faa2775d-8087-69c5-57f2-2d2ec35aa49a@debian.org>
and subject line Re: Bug#931428: release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
has caused the Debian Bug report #931428,
regarding release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931428
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: normal

When installing Debian from live media using the Calamares installer and selecting the full disk encryption feature, the disk's unlock key is stored in the initramfs which is world readable. This allows users with local filesystem access to gain access to the private key and gain access to the filesystem again in the future.

This can be worked around by adding "UMASK=0077" to /etc/initramfs-tools/conf.d/initramfs-permissions and running "update-initramfs -u". This will recreate the initramfs without world-readable permissions.

A fix for the installer is being planned and will be uploaded to debian-security. In the meantime users of full disk encryption should apply the above workaround.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179

--- End Message ---
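As an added example (not code from the bug report, the release notes or Debian's own tooling), the shell script below turns the workaround described in the report into something that can be checked: it finds world-readable initrd images under /boot, shows the effect of UMASK=0077 by creating a probe file under both umasks, writes the conf.d fragment idempotently, and rebuilds the initramfs for every installed kernel rather than only the newest one. The fragment name initramfs-permissions is the one the report uses; BOOT_DIR, CONF_DIR and every function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian release notes.
# Audits a directory for world-readable initrd images (the symptom the
# report describes) and installs the UMASK=0077 fragment for initramfs-tools.
# Assumed: a Linux host with initramfs-tools, images named initrd.img-*, and
# a POSIX sh/find. BOOT_DIR and CONF_DIR are overridable so the functions can
# be exercised against scratch directories. The fragment file name is the one
# from the bug report; all function and variable names here are my own.

BOOT_DIR="${BOOT_DIR:-/boot}"
CONF_DIR="${CONF_DIR:-/etc/initramfs-tools/conf.d}"

# Succeed if FILE has the "other read" bit (mode 0004) set. find(1) checks
# the mode bits themselves, so the answer is the same whether or not the
# caller is root.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Print each world-readable initrd.img-* under DIR; fail if any was found.
audit_initrds() {
    dir=$1
    found=0
    for img in "$dir"/initrd.img-*; do
        [ -e "$img" ] || continue
        if is_world_readable "$img"; then
            echo "world-readable: $img"
            found=1
        fi
    done
    return "$found"
}

# Write the workaround fragment into CONFDIR (idempotent) and print its path.
# mkinitramfs sources conf.d/*, so UMASK=0077 takes effect on the next rebuild.
install_umask_fragment() {
    confdir=$1
    frag="$confdir/initramfs-permissions"
    mkdir -p "$confdir"
    grep -qs '^UMASK=0077$' "$frag" || printf 'UMASK=0077\n' >>"$frag"
    echo "$frag"
}

# Succeed if a file created under umask $1 inside directory $2 ends up
# world-readable. This is the mechanism the fragment changes for mkinitramfs:
# 0022 yields mode 0644, 0077 yields 0600.
umask_yields_world_readable() {
    probe="$2/umask-probe.$$"
    rm -f "$probe"
    (umask "$1" && : >"$probe")
    is_world_readable "$probe"
}

# Apply the fix on the live system: write the fragment, then rebuild the
# initramfs of every installed kernel. A bare "update-initramfs -u" only
# regenerates the newest kernel's image and leaves older ones readable.
apply_workaround() {
    install_umask_fragment "$CONF_DIR" >/dev/null
    update-initramfs -u -k all
}

# Nothing touches the live system unless explicitly requested:
#   sh initramfs-perms.sh audit        # read-only check of $BOOT_DIR
#   sudo sh initramfs-perms.sh apply   # needs root to write /etc and /boot
case "${1:-}" in
    audit) audit_initrds "$BOOT_DIR" && echo "no world-readable initrd in $BOOT_DIR" ;;
    apply) apply_workaround && audit_initrds "$BOOT_DIR" ;;
esac
```

The audit is read-only and can be run by any user; the apply step needs root. Note that tightening the file mode only prevents further reads: if an untrusted local user could already read the old initramfs, the key in it has to be treated as exposed, and only changing the volume's key actually revokes it.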
--- Begin Message ---
Hi Jonathan,

On 04-07-2019 21:24, Justin B Rye wrote:
> diff --git a/en/issues.dbk b/en/issues.dbk
> index b5c1d004..8cc72d44 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -692,6 +692,33 @@ $ sudo update-initramfs -u
>      </para>
>    </section>
>  
> +  <section id="calamares-creates-readable-key">
> +    <!-- stretch to buster -->
> +    <title>
> +      Calamares installer leaves disk encryption keys readable
> +    </title>
> +    <para>
> +      When installing Debian from live media using the Calamares installer
> +      (<ulink url="&url-wiki;calamares-installer">new in buster</ulink>)
> +      and selecting the full disk encryption feature, the disk's unlock key
> +      is stored in the initramfs which is world readable. This allows users
> +      with local filesystem access to read the private key and gain access
> +      to the filesystem again in the future.
> +    </para>
> +    <para>
> +      This can be worked around by adding <literal>UMASK=0077</literal> to
> +      <filename>/etc/initramfs-tools/conf.d/initramfs-permissions</filename>
> +      and running <command>update-initramfs -u</command>. This will recreate
> +      the initramfs without world-readable permissions.
> +    </para>
> +    <para>
> +      A fix for the installer is being planned (see <ulink
> +      url="&url-bts;931373">bug #931373</ulink>) and will be uploaded to
> +      debian-security. In the meantime users of full disk encryption should
> +      apply the above workaround.
> +    </para>
> +  </section>
> +
>  </section>
>  
>  </chapter>
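Review bot: the workaround in the second <para> tells the reader to run `update-initramfs -u`, which without `-k` regenerates only the newest kernel's initramfs, so any older initrd.img-* in /boot keeps a world-readable copy of the key; suggest `<command>update-initramfs -u -k all</command>`, and since the hunk context shows the preceding section using `$ sudo update-initramfs -u`, either add sudo or say the command must be run as root. In the first <para> the same secret is called the "unlock key" and then the "private key"; keep one term. The paragraph also says a local user can "gain access to the filesystem again in the future", but the workaround only stops further reads of the new image: a sentence noting that a key already read by an untrusted user stays compromised, and that regenerating the initramfs does not revoke it, would keep readers from treating the umask change as a complete remedy.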
> 
> 
> evolution.diff
> 
> diff --git a/en/issues.dbk b/en/issues.dbk
> index b5c1d004..720bdfc0 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -684,9 +684,9 @@ $ sudo update-initramfs -u
>        Users using <systemitem role="package">evolution</systemitem> as their
>        email client and connecting to a server running Exchange, Office365 or
>        Outlook using the <systemitem role="package">evolution-ews</systemitem>
> -      plugin should not upgrade to Buster without backing up data and finding an
> +      plugin should not upgrade to buster without backing up data and finding an
>        alternative solution beforehand, as evolution-ews has been dropped due to
> -      <ulink url="&url-bts;926712">bug (#926712)</ulink> and their email
> +      <ulink url="&url-bts;926712">bug #926712</ulink> and their email
>        inboxes, calendar, contact lists and tasks will be removed and will no
>        longer be usable.
>      </para>
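Review bot: the two one-word changes are consistent with the Calamares section in the first diff ("buster" in lowercase, link text "bug #931373" rather than "bug (#931373)"), so they are fine as they stand; while this paragraph is being touched, the unchanged opening "Users using evolution" would read better as "Users of evolution".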
> 

These are both pushed.

Thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
