Attached is a debdiff for buster-security.
diff -Nru calamares-settings-debian-10.0.20/debian/changelog 
calamares-settings-debian-10.0.20/debian/changelog
--- calamares-settings-debian-10.0.20/debian/changelog  2019-04-18 
10:18:37.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/changelog  2019-07-03 
15:05:47.000000000 +0200
@@ -1,3 +1,11 @@
+calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium
+
+  * New upstream release
+    -  Fixes permissions for initramfs image when full-desk encryption
+       is enabled. (CVE-2019-13179) (Closes: #931373)
+
+ -- Jonathan Carter <j...@debian.org>  Wed, 03 Jul 2019 13:05:47 +0000
+
 calamares-settings-debian (10.0.20-1) unstable; urgency=medium
 
   * New upstream release
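Review bot: The new changelog entry has "full-desk encryption" where "full-disk encryption" is meant, and its first bullet says "New upstream release" even though the version is 10.0.20-1+deb10u1 and the rest of this debdiff only adds a file under debian/patches. Suggest wording the entry as adding the fix-initramfs-permissions patch, so the changelog for the security upload matches what actually changed.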
diff -Nru 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 
calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions
--- calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions  
1970-01-01 02:00:00.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions  
2019-07-03 15:05:47.000000000 +0200
@@ -0,0 +1,26 @@
+Description: fix umask for initramfs permissions
+ By default, initramfs is world-readable. This configures a snippet
+ to ensure that the initramfs that will be generated is only accessable
+ by root.
+Author: Jonathan Carter <j...@debian.org>
+Bug-Debian: https://bugs.debian.org/931373
+Bug: https://github.com/calamares/calamares/issues/1191
+Last-Update: 2019-07-08
+
+--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config
++++ calamares-settings-debian-10.0.20/scripts/bootloader-config
+@@ -2,6 +2,14 @@
+ 
+ CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e 
"s#/proc##g")
+ 
++# Set secure permissions for the initramfs if we're configuring
++# full-disk-encryption. The initramfs is re-generated later in the
++# installation process so we only set the permissions snippet without
++# regenerating the initramfs right now:
++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then
++    echo "UMASK=0077" > 
$CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
++fi
++
+ echo "Running bootloader-config..."
+ 
+ if [ -d /sys/firmware/efi/efivars ]; then
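Review bot: In the added if test, $CHROOT is unquoted both in the grep argument (grep $CHROOT" ") and in the redirect target, and the test only passes when the first 16 characters of the matching mount line are exactly /dev/mapper/luks. If CHROOT is empty or contains whitespace, or the encrypted root is mapped under a different name, the condition is false and no UMASK=0077 snippet is written, so the initramfs stays world-readable and the fix fails open. Suggest quoting as grep "$CHROOT " and "$CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions", and either writing the snippet unconditionally or stating the device-naming assumption in the comment. In the patch header, "accessable" should be "accessible", and Last-Update (2019-07-08) is later than the changelog date of 03 Jul 2019.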
diff -Nru calamares-settings-debian-10.0.20/debian/patches/series 
calamares-settings-debian-10.0.20/debian/patches/series
--- calamares-settings-debian-10.0.20/debian/patches/series     1970-01-01 
02:00:00.000000000 +0200
+++ calamares-settings-debian-10.0.20/debian/patches/series     2019-07-03 
15:05:47.000000000 +0200
@@ -0,0 +1 @@
+fix-initramfs-permissions
