[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
This bug was fixed in the package calamares - 3.2.11-0ubuntu1

---
calamares (3.2.11-0ubuntu1) eoan; urgency=medium

  * New upstream release.
  * Proper handling of files and permissions with FDE: (LP: #1835095)
    - CVE-2019-13178 Set proper umask for luks crypto_keyfile.
    - CVE-2019-13179 Set proper umask for initramfs.
  * Bump Standards-version to 4.4.0, no changes needed.

 -- Dan Simmons Fri, 12 Jul 2019 19:52:38 -0400

** Changed in: calamares (Ubuntu)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835095

Title:
  Lubuntu initrd images leaking cryptographic secret when disk encryption is used

To manage notifications about this bug go to:
https://bugs.launchpad.net/calamares/+bug/1835095/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Changed in: calamares
   Status: New => Fix Released
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
The following CVE IDs have been issued for Calamares in this instance by MITRE, IDs were requested via the CVE form:

CVE-2019-13178 was assigned for the race condition that Seth Arnold identified in https://github.com/calamares/calamares/issues/1190 regarding unsafe UMask and file permissions during creation of the keyfile.

CVE-2019-13179 was assigned for the improper handling of the LUKS encryption keyfile from /crypto_keyfile.bin to /boot in a globally readable initramfs issue for which upstream issue https://github.com/calamares/calamares/issues/1191 was created.

** Bug watch added: Calamares Issues #1190
   https://github.com/calamares/calamares/issues/1190

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13178

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13179
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Changed in: calamares
   Status: Unknown => New
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
On 18.04, package cryptsetup provides /etc/cryptsetup-initramfs/conf-hook which states:

# WARNING: If the initramfs image is to include private key material,
# you'll want to create it with a restrictive umask in order to keep
# non-privileged users at bay. For instance, set UMASK=0077 in
# /etc/initramfs-tools/initramfs.conf

Note that there is also /etc/initramfs-tools/conf.d/
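A check for the condition the conf-hook comment above warns about, as an added example that is not code from Calamares, cryptsetup or initramfs-tools: it reads the UMASK configured under /etc/initramfs-tools and lists any /crypto_keyfile.bin or /boot/initrd.img* that group or others can read. The function names, the root-prefix argument and the demo tree are constructed for illustration, and it assumes conf.d files are read after initramfs.conf.

```shell
#!/bin/sh
# Added example (not Calamares or initramfs-tools code). Audits a root tree for
# the two conditions in this bug: keyfile or initrd readable by non-root users.
# Assumption: conf.d/* is read after initramfs.conf, so the last UMASK= wins.

initramfs_umask() {   # print the UMASK configured for initramfs-tools, if any
    root=${1:-/}
    for f in "$root/etc/initramfs-tools/initramfs.conf" \
             "$root"/etc/initramfs-tools/conf.d/*; do
        if [ -f "$f" ]; then
            sed -n 's/^[[:space:]]*UMASK="\{0,1\}\([0-7]\{1,\}\).*/\1/p' "$f"
        fi
    done | tail -n 1
}

exposed_files() {     # print keyfile / initrd images readable by group or others
    root=${1:-/}
    for f in "$root"/crypto_keyfile.bin "$root"/boot/initrd.img*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue          # a symlink's own mode says nothing
        find "$f" -prune \( -perm -040 -o -perm -004 \) -print
    done
}

audit_fde_initramfs() {   # returns 0 when nothing is exposed, 1 otherwise
    root=${1:-/}; rc=0
    um=$(initramfs_umask "$root")
    case "$um" in
        *77) echo "ok:   UMASK=$um" ;;
        *)   echo "warn: UMASK='${um}' (the conf-hook suggests UMASK=0077)"; rc=1 ;;
    esac
    bad=$(exposed_files "$root")
    if [ -n "$bad" ]; then
        echo "warn: readable by non-root users:"; echo "$bad" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample tree (not a real system): 0600 keyfile plus an 0644 initrd.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/boot" "$t/etc/initramfs-tools/conf.d"
    : > "$t/crypto_keyfile.bin"; chmod 600 "$t/crypto_keyfile.bin"
    : > "$t/boot/initrd.img-0.0.0-demo"; chmod 644 "$t/boot/initrd.img-0.0.0-demo"
    echo "$t"
}
```

Run `audit_fde_initramfs /` on an installed system, or pass the mount point of a target root; changing UMASK alone does not fix existing images, which keep their old mode until they are regenerated or re-chmodded.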
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Bug watch added: Calamares Issues #1191
   https://github.com/calamares/calamares/issues/1191

** Also affects: calamares via
   https://github.com/calamares/calamares/issues/1191
   Importance: Unknown
   Status: Unknown
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Package changed: initramfs-tools (Ubuntu) => calamares (Ubuntu)

** No longer affects: lubuntu-meta (Ubuntu)
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lubuntu-meta (Ubuntu)
   Status: New => Confirmed
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Also affects: lubuntu-meta (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: initramfs-tools (Ubuntu)
   Status: New => Confirmed
[Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used
** Information type changed from Public to Public Security