Bug 1140256 – VUL-0: CVE-2019-13178: calamares: race condition in modules/luksbootkeyfile/main.py

Bug 1140256 - (CVE-2019-13178) VUL-0: CVE-2019-13178: calamares: race condition in modules/luksbootkeyfile/main.py

(CVE-2019-13178)
Summary:	VUL-0: CVE-2019-13178: calamares: race condition in modules/luksbootkeyfile/m...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.0
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/236135/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-07-03 12:52 UTC by Wolfgang Frisch
Modified:	2019-12-09 17:16 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2019-07-03 12:52:36 UTC

CVE-2019-13178

modules/luksbootkeyfile/main.py in Calamares through 3.2.4 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set.

Reference:
https://github.com/calamares/calamares/issues/1190
https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://www.pavelkogan.com/2015/01/25/linux-mint-encryption/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1726565
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13178
http://www.cvedetails.com/cve/CVE-2019-13178/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13178
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://www.pavelkogan.com/2015/01/25/linux-mint-encryption/
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
https://github.com/calamares/calamares/issues/1190

Comment 1 Mindaugas Baranauskas 2019-10-03 09:12:30 UTC

I am testing Calamares 3.2.14. However seems that Calamares 3.2.2 introduced new bug that prevents us to update Calamares:
https://github.com/calamares/calamares/issues/1253

Comment 2 Mindaugas Baranauskas 2019-11-16 05:40:21 UTC

Should be fixed now in openSUSE Factory with Calamares 3.2.15.
I will submit maintenance request to Leap

Comment 3 Swamp Workflow Management 2019-11-16 06:20:05 UTC

This is an autogenerated message for OBS integration:
This bug (1140256) was mentioned in
https://build.opensuse.org/request/show/749018 15.0 / calamares

Comment 4 Andreas Stieger 2019-11-16 18:07:11 UTC

More complete submission... please accept review
https://build.opensuse.org/request/show/749077

Comment 5 Andreas Stieger 2019-11-17 08:02:40 UTC

Back to security team for processing

Comment 6 Swamp Workflow Management 2019-12-03 23:17:19 UTC

openSUSE-SU-2019:2628-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Leap 15.1 (src):    calamares-3.2.15-lp151.4.3.3
openSUSE Leap 15.0 (src):    calamares-3.2.15-lp150.7.2

Comment 7 Mindaugas Baranauskas 2019-12-04 07:00:06 UTC

After this update, should be fixed. Closing

Comment 8 Swamp Workflow Management 2019-12-09 17:11:12 UTC

openSUSE-SU-2019:2655-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Backports SLE-15-SP1 (src):    calamares-3.2.15-bp151.4.3.1

Comment 9 Swamp Workflow Management 2019-12-09 17:16:14 UTC

openSUSE-SU-2019:2654-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Backports SLE-15 (src):    calamares-3.2.15-bp150.2.6.1