Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id
<f49e2985d8466065c49c03185c24465a32228fb5.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #932069,
regarding buster-pu: calamares-settings-debian 10.0.20-1+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
932069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932069
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Below is a debfiff for CVE-2019-13179, as discussed with the
release team over e-mail:
This adds a snipet so that the initramfs will be created with safer
permissions when using an encrypted / on a full-disk encrypted system.
"""
diff -Nru calamares-settings-debian-10.0.20/debian/changelog
calamares-settings-debian-10.0.20/debian/changelog
--- calamares-settings-debian-10.0.20/debian/changelog 2019-04-18
10:18:37.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/changelog 2019-07-03
15:05:47.000000000 +0200
@@ -1,3 +1,11 @@
+calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium
+
+ * New upstream release
+ - Fixes permissions for initramfs image when full-desk encryption
+ is enabled. (CVE-2019-13179) (Closes: #931373)
+
+ -- Jonathan Carter <[email protected]> Wed, 03 Jul 2019 13:05:47 +0000
+
calamares-settings-debian (10.0.20-1) unstable; urgency=medium
* New upstream release
diff -Nru
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
---
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
1970-01-01 02:00:00.000000000 +0200
+++
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
2019-07-03 15:05:47.000000000 +0200
@@ -0,0 +1,26 @@
+Description: fix umask for initramfs permissions
+ By default, initramfs is world-readable. This configures a snippet
+ to ensure that the initramfs that will be generated is only accessable
+ by root.
+Author: Jonathan Carter <[email protected]>
+Bug-Debian: https://bugs.debian.org/931373
+Bug: https://github.com/calamares/calamares/issues/1191
+Last-Update: 2019-07-08
+
+--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config
++++ calamares-settings-debian-10.0.20/scripts/bootloader-config
+@@ -2,6 +2,14 @@
+
+ CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e
"s#/proc##g")
+
++# Set secure permissions for the initramfs if we're configuring
++# full-disk-encryption. The initramfs is re-generated later in the
++# installation process so we only set the permissions snippet without
++# regenerating the initramfs right now:
++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ];
then
++ echo "UMASK=0077" >
$CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
++fi
++
+ echo "Running bootloader-config..."
+
+ if [ -d /sys/firmware/efi/efivars ]; then
diff -Nru calamares-settings-debian-10.0.20/debian/patches/series
calamares-settings-debian-10.0.20/debian/patches/series
--- calamares-settings-debian-10.0.20/debian/patches/series
1970-01-01 02:00:00.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/patches/series
2019-07-03 15:05:47.000000000 +0200
@@ -0,0 +1 @@
+fix-initramfs-permissions
"""
--- End Message ---
--- Begin Message ---
Version: 10.1
Hi,
The fixes referenced by each of these bugs were included in today's
buster point release.
Regards,
Adam
--- End Message ---
