Bug 1140256 (CVE-2019-13178)

Summary: VUL-0: CVE-2019-13178: calamares: race condition in modules/luksbootkeyfile/main.py
Product: [openSUSE] openSUSE Distribution Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: Andreas.Stieger, opensuse.lietuviu.kalba
Version: Leap 15.0   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/236135/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Mindaugas Baranauskas 2019-10-03 09:12:30 UTC
I am testing Calamares 3.2.14. However seems that Calamares 3.2.2 introduced new bug that prevents us to update Calamares:
https://github.com/calamares/calamares/issues/1253
Comment 2 Mindaugas Baranauskas 2019-11-16 05:40:21 UTC
Should be fixed now in openSUSE Factory with Calamares 3.2.15.
I will submit maintenance request to Leap
Comment 3 Swamp Workflow Management 2019-11-16 06:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1140256) was mentioned in
https://build.opensuse.org/request/show/749018 15.0 / calamares
Comment 4 Andreas Stieger 2019-11-16 18:07:11 UTC
More complete submission... please accept review
https://build.opensuse.org/request/show/749077
Comment 5 Andreas Stieger 2019-11-17 08:02:40 UTC
Back to security team for processing
Comment 6 Swamp Workflow Management 2019-12-03 23:17:19 UTC
openSUSE-SU-2019:2628-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Leap 15.1 (src):    calamares-3.2.15-lp151.4.3.3
openSUSE Leap 15.0 (src):    calamares-3.2.15-lp150.7.2
Comment 7 Mindaugas Baranauskas 2019-12-04 07:00:06 UTC
After this update, should be fixed. Closing
Comment 8 Swamp Workflow Management 2019-12-09 17:11:12 UTC
openSUSE-SU-2019:2655-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Backports SLE-15-SP1 (src):    calamares-3.2.15-bp151.4.3.1
Comment 9 Swamp Workflow Management 2019-12-09 17:16:14 UTC
openSUSE-SU-2019:2654-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1140256,1152377
CVE References: CVE-2019-13178
Sources used:
openSUSE Backports SLE-15 (src):    calamares-3.2.15-bp150.2.6.1