Bug#932069: marked as done (buster-pu: calamares-settings-debian 10.0.20-1+deb10u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #932069,
regarding buster-pu: calamares-settings-debian 10.0.20-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
932069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932069
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: calamares-settings-debian 10.0.20-1+deb10u1
• From: Jonathan Carter <jcc@debian.org>
• Date: Sun, 14 Jul 2019 13:27:33 -0300
• Message-id: <156312165388.8709.5694868079282776240.reportbug@adjutant>

Package: release.debian.org
Severity: normal

Below is a debfiff for CVE-2019-13179, as discussed with the
release team over e-mail:

This adds a snipet so that the initramfs will be created with safer
permissions when using an encrypted / on a full-disk encrypted system.

"""
diff -Nru calamares-settings-debian-10.0.20/debian/changelog calamares-settings-debian-10.0.20/debian/changelog
--- calamares-settings-debian-10.0.20/debian/changelog	2019-04-18 10:18:37.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/changelog	2019-07-03 15:05:47.000000000 +0200
@@ -1,3 +1,11 @@
+calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium
+
+  * New upstream release
+    -  Fixes permissions for initramfs image when full-desk encryption
+       is enabled. (CVE-2019-13179) (Closes: #931373)
+
+ -- Jonathan Carter <jcc@debian.org>  Wed, 03 Jul 2019 13:05:47 +0000
+
 calamares-settings-debian (10.0.20-1) unstable; urgency=medium

     * New upstream release
     diff -Nru calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
     --- calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions	1970-01-01 02:00:00.000000000 +0200
     +++ calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions	2019-07-03 15:05:47.000000000 +0200
     @@ -0,0 +1,26 @@
     +Description: fix umask for initramfs permissions
     + By default, initramfs is world-readable. This configures a snippet
     + to ensure that the initramfs that will be generated is only accessable
     + by root.
     +Author: Jonathan Carter <jcc@debian.org>
     +Bug-Debian: https://bugs.debian.org/931373
     +Bug: https://github.com/calamares/calamares/issues/1191
     +Last-Update: 2019-07-08
     +
     +--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config
     ++++ calamares-settings-debian-10.0.20/scripts/bootloader-config
     +@@ -2,6 +2,14 @@
     +
     + CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e "s#/proc##g")
     +
     ++# Set secure permissions for the initramfs if we're configuring
     ++# full-disk-encryption. The initramfs is re-generated later in the
     ++# installation process so we only set the permissions snippet without
     ++# regenerating the initramfs right now:
     ++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then
     ++    echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
     ++fi
     ++
     + echo "Running bootloader-config..."
     +
     + if [ -d /sys/firmware/efi/efivars ]; then
     diff -Nru calamares-settings-debian-10.0.20/debian/patches/series calamares-settings-debian-10.0.20/debian/patches/series
     --- calamares-settings-debian-10.0.20/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
     +++ calamares-settings-debian-10.0.20/debian/patches/series	2019-07-03 15:05:47.000000000 +0200
     @@ -0,0 +1 @@
     +fix-initramfs-permissions
"""

--- End Message ---

--- Begin Message ---

• To: 930795-done@bugs.debian.org, 931126-done@bugs.debian.org, 931198-done@bugs.debian.org, 931199-done@bugs.debian.org, 931358-done@bugs.debian.org, 931596-done@bugs.debian.org, 931608-done@bugs.debian.org, 931615-done@bugs.debian.org, 931616-done@bugs.debian.org, 931724-done@bugs.debian.org, 931817-done@bugs.debian.org, 931967-done@bugs.debian.org, 932009-done@bugs.debian.org, 932030-done@bugs.debian.org, 932069-done@bugs.debian.org, 932111-done@bugs.debian.org, 932193-done@bugs.debian.org, 932318-done@bugs.debian.org, 932335-done@bugs.debian.org, 932441-done@bugs.debian.org, 932448-done@bugs.debian.org, 932518-done@bugs.debian.org, 932522-done@bugs.debian.org, 932588-done@bugs.debian.org, 932606-done@bugs.debian.org, 932684-done@bugs.debian.org, 932790-done@bugs.debian.org, 932945-done@bugs.debian.org, 933036-done@bugs.debian.org, 933125-done@bugs.debian.org, 933147-done@bugs.debian.org, 933175-done@bugs.debian.org, 933369-done@bugs.debian.org, 933379-done@bugs.debian.org, 933392-done@bugs.debian.org, 933535-done@bugs.debian.org, 933754-done@bugs.debian.org, 933764-done@bugs.debian.org, 933769-done@bugs.debian.org, 933787-done@bugs.debian.org, 933899-done@bugs.debian.org, 933911-done@bugs.debian.org, 933976-done@bugs.debian.org, 934094-done@bugs.debian.org, 934163-done@bugs.debian.org, 934183-done@bugs.debian.org, 934308-done@bugs.debian.org, 934311-done@bugs.debian.org, 934329-done@bugs.debian.org, 934343-done@bugs.debian.org, 934345-done@bugs.debian.org, 934507-done@bugs.debian.org, 934537-done@bugs.debian.org, 934650-done@bugs.debian.org, 934689-done@bugs.debian.org, 934704-done@bugs.debian.org, 934826-done@bugs.debian.org, 934827-done@bugs.debian.org, 934928-done@bugs.debian.org, 934934-done@bugs.debian.org, 934956-done@bugs.debian.org, 935137-done@bugs.debian.org, 935165-done@bugs.debian.org, 935200-done@bugs.debian.org, 935253-done@bugs.debian.org, 935261-done@bugs.debian.org, 935265-done@bugs.debian.org, 935308-done@bugs.debian.org, 935370-done@bugs.debian.org, 935386-done@bugs.debian.org, 935411-done@bugs.debian.org, 935465-done@bugs.debian.org, 935474-done@bugs.debian.org, 935479-done@bugs.debian.org, 935480-done@bugs.debian.org, 935576-done@bugs.debian.org, 935583-done@bugs.debian.org, 935704-done@bugs.debian.org, 935707-done@bugs.debian.org, 935719-done@bugs.debian.org, 935746-done@bugs.debian.org, 935770-done@bugs.debian.org, 935776-done@bugs.debian.org, 935809-done@bugs.debian.org, 935815-done@bugs.debian.org, 935827-done@bugs.debian.org, 935888-done@bugs.debian.org, 935957-done@bugs.debian.org, 935988-done@bugs.debian.org, 936022-done@bugs.debian.org, 936056-done@bugs.debian.org, 938954-done@bugs.debian.org, 938975-done@bugs.debian.org, 939019-done@bugs.debian.org
• Cc: 935588@bugs.debian.org
• Subject: Closing bugs for fixes including in 10.1 point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 07 Sep 2019 14:34:49 +0100
• Message-id: <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>

Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---