Bug 1726565 (CVE-2019-13178)

Summary: CVE-2019-13178 calamares: race condition in modules/luksbootkeyfile/main.py
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: damianatorrpm, kevin, mattia.verga, me, teward
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-12 13:08:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1726566    
Bug Blocks:    

Description Dhananjay Arunesh 2019-07-03 07:56:21 UTC
modules/luksbootkeyfile/main.py in Calamares through 3.2.4 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set.


Comment 1 Dhananjay Arunesh 2019-07-03 07:56:37 UTC
Created calamares tracking bugs for this issue:

Affects: fedora-all [bug 1726566]

Comment 2 Kevin Kofler 2019-07-03 10:08:45 UTC
I will prepare an update when upstream releases a release with the fix, which should happen this week.

Comment 3 Kevin Kofler 2019-07-03 11:53:30 UTC
Please note that the upstream version numbers in both CVEs are incorrect, all versions of Calamares up to and including 3.2.10 are affected.

Comment 4 Thomas Ward 2019-07-09 16:18:39 UTC
Please note that MITRE has updated the CVEs to reflect proper affected versions, and Calamares upstream has released a fix in version 3.2.11

Comment 5 Kevin Kofler 2019-07-09 17:05:34 UTC
Right. I have already queued Calamares 3.2.11 updates for Fedora 29 and 30 (and built it for Rawhide, too, of course), see bug #1726566.

Comment 6 Product Security DevOps Team 2019-07-12 13:08:16 UTC