
Re: Bug#931428: release-notes: Mention FDE security issue when installing with Calamares (CVE-2019-13179)



Bug 931428, amending "issues":

(Can we call this package-specific for calamares?)

jonathan wrote:
> When installing Debian from live media using the Calamares installer

(add a link to the what's-new entry)

> and selecting the full disk encryption feature, the disk's unlock key
> is stored in the initramfs which is world readable. This allows users
> with local filesystem access to gain access to the private key and
> gain access to the filesystem again in the future.

Can we take out one of these repeats of "access"?  Make it "to read
the private key and"...

> This can be worked around by adding "UMASK=0077" to
> /etc/initramfs-tools/conf.d/initramfs-permissions and running
> "update-initramfs -u". This will recreate the initramfs without
> world-readable permissions.
> 
> A fix for the installer is being planned and will be uploaded to
> debian-security. In the meantime users of full disk encryption should
> apply the above workaround.
> 
> Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
> CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179

I'm still a bit unclear about how the fix for this is going to
propagate - if it's an issue that people delaying their dist-upgrade
until next year won't need to know about then perhaps the text should
say something that won't go stale as quickly.  But for now here's a
patch.


Bug 931429, amending "whats-new":

jonathan wrote:
> Debian live images now ship an additional installer called
> Calamares. Calamares is a distribution agnostic project that aims to
> create a univeral installer. Calamare is an easy to use graphical
                 ^                     ^
"Universal" and presumably "Calamares", but it's clumsy to repeat
"Calamares" (and "installer") like this, especially with two different
definitions!  Could we say

             Calamares is a distribution-agnostic project that aims to
  create a universal installer, providing an easy-to-use graphical
  interface designed for typical laptop and desktop users. It doesn't
  yet support advanced partitioning options like RAID, but for advanced
  users, debian-installer is still available from the installation media
  boot menu.


And meanwhile in issues.dbk I see some text about evolution has crept
in without me noticing, so here's an extra diff for that too.
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
diff --git a/en/whats-new.dbk b/en/whats-new.dbk
index d5fcaa36..02ab0451 100644
--- a/en/whats-new.dbk
+++ b/en/whats-new.dbk
@@ -677,5 +677,18 @@ Among many others, this release also includes the following software updates:
   </para>
 </section>
 
+<section id="calamares-installer">
+  <!-- stretch to buster -->
+  <title>Calamares installer</title>
+  <para>
+   Debian live images now ship an additional installer called Calamares.
+   Calamares is a distribution-agnostic project that aims to create a
+   universal installer, providing an easy-to-use graphical interface
+   designed for typical laptop and desktop users. It doesn't yet support
+   advanced partitioning options like RAID, but for advanced users,
+   debian-installer is still available from the installation media boot menu.
+  </para>
+</section>
+
 </section>
 </chapter>
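Review bot: the package names in the new paragraph are plain text, while the rest of issues.dbk (see the evolution hunk below, `<systemitem role="package">evolution</systemitem>`) wraps them in `<systemitem role="package">`; "debian-installer" on the last added line, and arguably "Calamares", should get the same markup so the section matches the document's conventions. The rest of the hunk (section id, `<!-- stretch to buster -->` marker, placement before the closing `</section>`) follows the surrounding structure.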
diff --git a/en/issues.dbk b/en/issues.dbk
index b5c1d004..8cc72d44 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -692,6 +692,33 @@ $ sudo update-initramfs -u
     </para>
   </section>
 
+  <section id="calamares-creates-readable-key">
+    <!-- stretch to buster -->
+    <title>
+      Calamares installer leaves disk encryption keys readable
+    </title>
+    <para>
+      When installing Debian from live media using the Calamares installer
+      (<ulink url="&url-wiki;calamares-installer">new in buster</ulink>)
+      and selecting the full disk encryption feature, the disk's unlock key
+      is stored in the initramfs which is world readable. This allows users
+      with local filesystem access to read the private key and gain access
+      to the filesystem again in the future.
+    </para>
+    <para>
+      This can be worked around by adding <literal>UMASK=0077</literal> to
+      <filename>/etc/initramfs-tools/conf.d/initramfs-permissions</filename>
+      and running <command>update-initramfs -u</command>. This will recreate
+      the initramfs without world-readable permissions.
+    </para>
+    <para>
+      A fix for the installer is being planned (see <ulink
+      url="&url-bts;931373">bug #931373</ulink>) and will be uploaded to
+      debian-security. In the meantime users of full disk encryption should
+      apply the above workaround.
+    </para>
+  </section>
+
 </section>
 
 </chapter>
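Review bot: the "new in buster" link uses `<ulink url="&url-wiki;calamares-installer">`, i.e. an external wiki URL, although the section it is meant to point at is the one added in this same mail with `id="calamares-installer"` in whats-new.dbk; an in-document `<xref linkend="calamares-installer"/>` would keep the reference inside the release notes and not break if the wiki page does not exist. Secondly, the hunk's context line `$ sudo update-initramfs -u` shows that the preceding section presents the same command in a `<screen>` listing; the workaround here (the `UMASK=0077` line plus `update-initramfs -u`) would be easier to copy if shown the same way rather than inline in the paragraph.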
diff --git a/en/issues.dbk b/en/issues.dbk
index b5c1d004..720bdfc0 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -684,9 +684,9 @@ $ sudo update-initramfs -u
       Users using <systemitem role="package">evolution</systemitem> as their
       email client and connecting to a server running Exchange, Office365 or
       Outlook using the <systemitem role="package">evolution-ews</systemitem>
-      plugin should not upgrade to Buster without backing up data and finding an
+      plugin should not upgrade to buster without backing up data and finding an
       alternative solution beforehand, as evolution-ews has been dropped due to
-      <ulink url="&url-bts;926712">bug (#926712)</ulink> and their email
+      <ulink url="&url-bts;926712">bug #926712</ulink> and their email
       inboxes, calendar, contact lists and tasks will be removed and will no
       longer be usable.
     </para>
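Review bot: cosmetic only, and consistent with the previous hunk: lowercase "buster" and the "bug #926712" link text now match the "bug #931373" form used in the new Calamares section. Worth checking that no other capitalised "Buster" remains in issues.dbk so the change is applied uniformly.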

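The advisory above tells users to check for a world-readable initramfs and to apply the `UMASK=0077` workaround. The following is an added shell example, not part of the mail or the release-notes patch, that checks both conditions from an administrator's side: it lists initramfs images in a boot directory whose mode grants "other" read, and tests whether the conf.d file already carries the UMASK line. Paths are parameters so it can run against a constructed test tree as well as the real `/boot` and `/etc/initramfs-tools/conf.d/initramfs-permissions`; it assumes GNU `stat` as on Debian.

```shell
#!/bin/sh
# Added example (not from the Debian release notes or the original mail):
# detection helpers for the world-readable initramfs condition described in
# CVE-2019-13179 and for the UMASK=0077 workaround from the advisory text.

# Return 0 if the file's mode grants "other" read, i.e. the last octal digit
# of the mode has the 4 bit set (0644 -> readable, 0600 -> not).
is_world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    other=$(printf '%s' "$mode" | tail -c 1)
    [ $((other & 4)) -ne 0 ]
}

# Print every initrd.img-* under directory $1 that is world-readable, one
# path per line. Returns 0 if at least one was found, 1 if none.
list_world_readable_initramfs() {
    found=1
    for f in "$1"/initrd.img-*; do
        [ -f "$f" ] || continue           # skip a literal glob when nothing matches
        if is_world_readable "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# Return 0 if conf file $1 sets UMASK=0077 as an active (uncommented) line.
# Accepts "077" or "0077", ignores surrounding whitespace and comments.
workaround_present() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*UMASK=0?077[[:space:]]*$' "$1"
}

# Usage on a real system (both paths as in the advisory):
#   list_world_readable_initramfs /boot
#   workaround_present /etc/initramfs-tools/conf.d/initramfs-permissions
```

After adding the UMASK line and running `update-initramfs -u`, `list_world_readable_initramfs /boot` should print nothing for the regenerated image.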