Package: release.debian.org
Severity: normal

Below is a debdiff for CVE-2019-13179, as discussed with the
release team over e-mail:

This adds a snippet so that the initramfs will be created with safer
permissions when using an encrypted / on a full-disk encrypted system.

"""
diff -Nru calamares-settings-debian-10.0.20/debian/changelog 
calamares-settings-debian-10.0.20/debian/changelog
--- calamares-settings-debian-10.0.20/debian/changelog  2019-04-18 
10:18:37.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/changelog  2019-07-03 
15:05:47.000000000 +0200
@@ -1,3 +1,11 @@
+calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium
+
+  * New upstream release
+    -  Fixes permissions for initramfs image when full-desk encryption
+       is enabled. (CVE-2019-13179) (Closes: #931373)
+
+ -- Jonathan Carter <j...@debian.org>  Wed, 03 Jul 2019 13:05:47 +0000
+
 calamares-settings-debian (10.0.20-1) unstable; urgency=medium

     * New upstream release
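Review bot: the new changelog entry's `* New upstream release` line does not describe this diff, which keeps upstream 10.0.20 and adds a quilt patch (debian/patches/fix-initramfs-permissions); for a buster-security update the entry should name the actual change, e.g. `* Add fix-initramfs-permissions patch: restrict initramfs permissions when full-disk encryption is enabled (CVE-2019-13179) (Closes: #931373)`. The bullet also has `full-desk encryption` where `full-disk encryption` is meant.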
     diff -Nru 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
     --- 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions     
1970-01-01 02:00:00.000000000 +0200
     +++ 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions     
2019-07-03 15:05:47.000000000 +0200
     @@ -0,0 +1,26 @@
     +Description: fix umask for initramfs permissions
     + By default, initramfs is world-readable. This configures a snippet
     + to ensure that the initramfs that will be generated is only accessable
     + by root.
     +Author: Jonathan Carter <j...@debian.org>
     +Bug-Debian: https://bugs.debian.org/931373
     +Bug: https://github.com/calamares/calamares/issues/1191
     +Last-Update: 2019-07-08
     +
     +--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config
     ++++ calamares-settings-debian-10.0.20/scripts/bootloader-config
     +@@ -2,6 +2,14 @@
     +
     + CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e 
"s#/proc##g")
     +
     ++# Set secure permissions for the initramfs if we're configuring
     ++# full-disk-encryption. The initramfs is re-generated later in the
     ++# installation process so we only set the permissions snippet without
     ++# regenerating the initramfs right now:
     ++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; 
then
     ++    echo "UMASK=0077" > 
$CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
     ++fi
     ++
     + echo "Running bootloader-config..."
     +
     + if [ -d /sys/firmware/efi/efivars ]; then
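Review bot: the redirect `echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions` assumes that /etc/initramfs-tools/conf.d already exists in the target and that $CHROOT contains no whitespace; adding `mkdir -p "$CHROOT/etc/initramfs-tools/conf.d"` before it and quoting "$CHROOT" would make the write succeed or fail loudly instead of silently skipping the hardening. The detection line `[ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]` also becomes a multi-line string (and never matches) if more than one mount line contains "$CHROOT ", and matches every mount line when CHROOT is empty; checking that $CHROOT is non-empty and piping through `head -n 1` would make the test robust. Minor: the DEP-3 header says `Last-Update: 2019-07-08`, later than the changelog date of 03 Jul 2019.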
     diff -Nru calamares-settings-debian-10.0.20/debian/patches/series 
calamares-settings-debian-10.0.20/debian/patches/series
     --- calamares-settings-debian-10.0.20/debian/patches/series        
1970-01-01 02:00:00.000000000 +0200
     +++ calamares-settings-debian-10.0.20/debian/patches/series        
2019-07-03 15:05:47.000000000 +0200
     @@ -0,0 +1 @@
     +fix-initramfs-permissions
"""
