CVE-2019-13179

Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
calamarescalamares
𝑥
≤ 3.2.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
calamares
bullseye
3.2.36-1
fixed
buster
ignored
bookworm
3.2.61-1
fixed
sid
3.3.9-1
fixed
trixie
3.3.9-1
fixed
calamares-settings-debian
bullseye
11.0.5-2
fixed
buster
ignored
bookworm
12.0.9-1+deb12u1
fixed
sid
13.0.11-1
fixed
trixie
13.0.11-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
calamares
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needed
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
https://bugzilla.redhat.com/show_bug.cgi?id=1726542
https://calamares.io/calamares-3.2.11-is-out/
https://calamares.io/calamares-cve-2019/
https://github.com/calamares/calamares/issues/1191
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q57BOTBA2J5U4GVKUP7N2PD5H7B3BVUU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2ZDQRGBGRVRW5LPJWKUNS3M66LZ3KYC/
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
https://bugzilla.redhat.com/show_bug.cgi?id=1726542
https://calamares.io/calamares-3.2.11-is-out/
https://calamares.io/calamares-cve-2019/
https://github.com/calamares/calamares/issues/1191
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q57BOTBA2J5U4GVKUP7N2PD5H7B3BVUU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2ZDQRGBGRVRW5LPJWKUNS3M66LZ3KYC/