Calamares 3.2.11 released

The Calamares team is .. not particularly happy to have to announce the availability of Calamares 3.2.11, a security update in the features-and-functionality series of Calamares 3.2.x. This is purely a security release for CVE-2019-13179 and CVE-2019-13178. A full description is avalable at Calamares Initramfs Weakness.

Calamares is a distribution-independent system installer, with an advanced partitioning feature for both manual and automated partitioning operations. Calamares is designed to be customizable by distribution maintainers without need for cumbersome patching, thanks to third party branding and external modules support.

This release contains contributions from (alphabetically by first name):

  • No other contributors this time around.

This is a security release with no functional changes (except for improved security) relative to 3.2.10. The Calamares team would like to acknowledge the help of the following people in reporting and understanding the issues (alphabetically by first name):

  • Kevin Kofler
  • Seth Arnold
  • Simon Quigley
  • Thomas Ward

Both CVE’s have been resolved.

Core

No core changes.

Modules

  • initramfs could create an initramfs with insecure permissions. Since the keyfile is included in the initramfs, an attacker could read the file from the initramfs. CVE-2019-13178 #1190

  • luksbootkeyfile created a key file where a window of opportunity existed where the key file could have too-lax file permissions. CVE-2019-13179 #1191

Feedback

If you experience an issue with Calamares, please tell us all about it on the Calamares issue tracker. Work towards the next release continues.

Written on July 7, 2019