Bug#932069: buster-pu: calamares-settings-debian 10.0.20-1+deb10u1
Package: release.debian.org
Severity: normal
Below is a debfiff for CVE-2019-13179, as discussed with the
release team over e-mail:
This adds a snipet so that the initramfs will be created with safer
permissions when using an encrypted / on a full-disk encrypted system.
"""
diff -Nru calamares-settings-debian-10.0.20/debian/changelog calamares-settings-debian-10.0.20/debian/changelog
--- calamares-settings-debian-10.0.20/debian/changelog 2019-04-18 10:18:37.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/changelog 2019-07-03 15:05:47.000000000 +0200
@@ -1,3 +1,11 @@
+calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium
+
+ * New upstream release
+ - Fixes permissions for initramfs image when full-desk encryption
+ is enabled. (CVE-2019-13179) (Closes: #931373)
+
+ -- Jonathan Carter <jcc@debian.org> Wed, 03 Jul 2019 13:05:47 +0000
+
calamares-settings-debian (10.0.20-1) unstable; urgency=medium
* New upstream release
diff -Nru calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
--- calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 1970-01-01 02:00:00.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 2019-07-03 15:05:47.000000000 +0200
@@ -0,0 +1,26 @@
+Description: fix umask for initramfs permissions
+ By default, initramfs is world-readable. This configures a snippet
+ to ensure that the initramfs that will be generated is only accessable
+ by root.
+Author: Jonathan Carter <jcc@debian.org>
+Bug-Debian: https://bugs.debian.org/931373
+Bug: https://github.com/calamares/calamares/issues/1191
+Last-Update: 2019-07-08
+
+--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config
++++ calamares-settings-debian-10.0.20/scripts/bootloader-config
+@@ -2,6 +2,14 @@
+
+ CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e "s#/proc##g")
+
++# Set secure permissions for the initramfs if we're configuring
++# full-disk-encryption. The initramfs is re-generated later in the
++# installation process so we only set the permissions snippet without
++# regenerating the initramfs right now:
++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then
++ echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
++fi
++
+ echo "Running bootloader-config..."
+
+ if [ -d /sys/firmware/efi/efivars ]; then
diff -Nru calamares-settings-debian-10.0.20/debian/patches/series calamares-settings-debian-10.0.20/debian/patches/series
--- calamares-settings-debian-10.0.20/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/patches/series 2019-07-03 15:05:47.000000000 +0200
@@ -0,0 +1 @@
+fix-initramfs-permissions
"""
Reply to: