Bug 1471406

Summary: Possible vulnerability in systems installed with calamares
Product: [Fedora] Fedora Reporter: Mattia Verga <mattia.verga>
Component: calamares Assignee: Kevin Kofler <kevin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 27 CC: kevin, mattia.verga, me
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: calamares-3.1.8-1.fc26 Doc Type: If docs needed, set a value
Last Closed: 2017-11-24 22:02:40 UTC Type: Bug

Description Mattia Verga 2017-07-15 16:51:50 UTC
Systems installed by Calamares up to and including Calamares 3.1 have a weaker password salt than they should.

See https://calamares.io/calamares-cve/

An immediate upgrade to 3.1.1 is required at least on Rawhide and F26. Should we bump the release on F25 also?

Comment 1 Kevin Kofler 2017-07-16 08:12:50 UTC
This is in no way a critical issue, so I gave higher priority to QtWebEngine updates fixing dozens of security issues. (E.g., I spent the whole day yesterday to get one built for F24.)

I am looking into it. Upgrading F26 and Rawhide should be straightforward. Upgrading F25 and F24 is only possible if we push a grouped kpmcore/KPM/Calamares update, as kpmcore is too old there. Otherwise, I can only either backport the fix or declare it a WONTFIX.

IMHO, pushing a grouped kpmcore/KPM/Calamares update to F25 should be envisioned (are you going to prepare it, once I have Calamares 3.1.1 ready in Rawhide and F26?), but F24 is best left alone at this stage. F24 should get only security backports, if at all.

Comment 2 Mattia Verga 2017-07-18 15:49:00 UTC
I agree, I don't think we should touch F24.
About F25, I can update kpmcore to 3.1.1 and do a chainbuild of the whole group of packages when you're ready with Rawhide and F26. If, of course, it's ok for you to upgrade calamares on F25.

Comment 3 Jan Kurik 2017-08-15 08:21:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 4 Fedora Update System 2017-10-09 01:28:44 UTC
calamares-3.1.5-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b52f851dea

Comment 5 Fedora Update System 2017-10-09 19:51:13 UTC
calamares-3.1.5-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b52f851dea

Comment 6 Fedora Update System 2017-10-14 21:37:40 UTC
calamares-3.1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b52f851dea

Comment 7 Fedora Update System 2017-10-15 21:49:57 UTC
calamares-3.1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-25 02:32:06 UTC
calamares-3.1.7-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b52f851dea

Comment 9 Fedora Update System 2017-10-26 01:31:08 UTC
calamares-3.1.7-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-11-14 17:37:18 UTC
calamares-3.1.8-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b52f851dea

Comment 11 Fedora Update System 2017-11-16 17:18:36 UTC
calamares-3.1.8-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2017-11-24 22:02:40 UTC
calamares-3.1.8-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.