Re: Bug#931428: release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)
Bug 931428, amending "issues":
(Can we call this package-specific for calamares?)
jonathan wrote:
> When installing Debian from live media using the Calamares installer
(add a link to the what's-new entry)
> and selecting the full disk encryption feature, the disk's unlock key
> is stored in the initramfs which is world readable. This allows users
> with local filesystem access to gain access to the private key and
> gain access to the filesystem again in the future.
Can we take out one of these repeats of "access"? Make it "to read
the private key and"...
> This can be worked around by adding "UMASK=0077" to
> /etc/initramfs-tools/conf.d/initramfs-permissions and running
> "update-initramfs -u". This will recreate the initramfs without
> world-readable permissions.
>
> A fix for the installer is being planned and will be uploaded to
> debian-security. In the meantime users of full disk encryption should
> apply the above workaround.
>
> Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
> CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179
I'm still a bit unclear about how the fix for this is going to
propagate - if it's an issue that people delaying their dist-upgrade
until next year won't need to know about then perhaps the text should
say something that won't go stale as quickly. But for now here's a
patch.
Bug 931429, amending "whats-new":
jonathan wrote:
> Debian live images now ship an additional installer called
> Calamares. Calamares is a distribution agnostic project that aims to
> create a univeral installer. Calamare is an easy to use graphical
^ ^
"Universal" and presumably "Calamares", but it's clumsy to repeat
"Calamares" (and "installer") like this, especially with two different
definitions! Could we say
Calamares is a distribution-agnostic project that aims to
create a universal installer, providing an easy-to-use graphical
interface designed for typical laptop and desktop users. It doesn't
yet support advanced partitioning options like RAID, but for advanced
users, debian-installer is still available from the installation media
boot menu.
And meanwhile in issues.dbk I see some text about evolution has crept
in without me noticing, so here's an extra diff for that too.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff --git a/en/whats-new.dbk b/en/whats-new.dbk
index d5fcaa36..02ab0451 100644
--- a/en/whats-new.dbk
+++ b/en/whats-new.dbk
@@ -677,5 +677,18 @@ Among many others, this release also includes the following software updates:
</para>
</section>
+<section id="calamares-installer">
+ <!-- stretch to buster -->
+ <title>Calamares installer</title>
+ <para>
+ Debian live images now ship an additional installer called Calamares.
+ Calamares is a distribution-agnostic project that aims to create a
+ universal installer, providing an easy-to-use graphical interface
+ designed for typical laptop and desktop users. It doesn't yet support
+ advanced partitioning options like RAID, but for advanced users,
+ debian-installer is still available from the installation media boot menu.
+ </para>
+</section>
+
</section>
</chapter>
diff --git a/en/issues.dbk b/en/issues.dbk
index b5c1d004..8cc72d44 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -692,6 +692,33 @@ $ sudo update-initramfs -u
</para>
</section>
+ <section id="calamares-creates-readable-key">
+ <!-- stretch to buster -->
+ <title>
+ Calamares installer leaves disk encryption keys readable
+ </title>
+ <para>
+ When installing Debian from live media using the Calamares installer
+ (<ulink url="&url-wiki;calamares-installer">new in buster</ulink>)
+ and selecting the full disk encryption feature, the disk's unlock key
+ is stored in the initramfs which is world readable. This allows users
+ with local filesystem access to read the private key and gain access
+ to the filesystem again in the future.
+ </para>
+ <para>
+ This can be worked around by adding <literal>UMASK=0077</literal> to
+ <filename>/etc/initramfs-tools/conf.d/initramfs-permissions</filename>
+ and running <command>update-initramfs -u</command>. This will recreate
+ the initramfs without world-readable permissions.
+ </para>
+ <para>
+ A fix for the installer is being planned (see <ulink
+ url="&url-bts;931373">bug #931373</ulink>) and will be uploaded to
+ debian-security. In the meantime users of full disk encryption should
+ apply the above workaround.
+ </para>
+ </section>
+
</section>
</chapter>
diff --git a/en/issues.dbk b/en/issues.dbk
index b5c1d004..720bdfc0 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -684,9 +684,9 @@ $ sudo update-initramfs -u
Users using <systemitem role="package">evolution</systemitem> as their
email client and connecting to a server running Exchange, Office365 or
Outlook using the <systemitem role="package">evolution-ews</systemitem>
- plugin should not upgrade to Buster without backing up data and finding an
+ plugin should not upgrade to buster without backing up data and finding an
alternative solution beforehand, as evolution-ews has been dropped due to
- <ulink url="&url-bts;926712">bug (#926712)</ulink> and their email
+ <ulink url="&url-bts;926712">bug #926712</ulink> and their email
inboxes, calendar, contact lists and tasks will be removed and will no
longer be usable.
</para>
Reply to: