Bug 1726565 (CVE-2019-13178) - CVE-2019-13178 calamares: race condition in modules/luksbootkeyfile/main.py
Summary: CVE-2019-13178 calamares: race condition in modules/luksbootkeyfile/main.py
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2019-13178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190703,repor...
Depends On: 1726566
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-03 07:56 UTC by Dhananjay Arunesh
Modified: 2019-07-12 13:08 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:08:16 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-07-03 07:56:21 UTC
modules/luksbootkeyfile/main.py in Calamares through 3.2.4 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set.

Reference:
https://github.com/calamares/calamares/issues/1190
https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://www.pavelkogan.com/2015/01/25/linux-mint-encryption/

Comment 1 Dhananjay Arunesh 2019-07-03 07:56:37 UTC
Created calamares tracking bugs for this issue:

Affects: fedora-all [bug 1726566]

Comment 2 Kevin Kofler 2019-07-03 10:08:45 UTC
I will prepare an update when upstream releases a release with the fix, which should happen this week.

Comment 3 Kevin Kofler 2019-07-03 11:53:30 UTC
Please note that the upstream version numbers in both CVEs are incorrect, all versions of Calamares up to and including 3.2.10 are affected.

Comment 4 Thomas Ward 2019-07-09 16:18:39 UTC
Please note that MITRE has updated the CVEs to reflect proper affected versions, and Calamares upstream has released a fix in version 3.2.11

Comment 5 Kevin Kofler 2019-07-09 17:05:34 UTC
Right. I have already queued Calamares 3.2.11 updates for Fedora 29 and 30 (and built it for Rawhide, too, of course), see bug #1726566.

Comment 6 Product Security DevOps Team 2019-07-12 13:08:16 UTC
ARRAY(0x55ab81bfe1d8)


Note You need to log in before you can comment on or make changes to this bug.