security update in Fedora 29 for calamares

Status: stable 10 days ago

An update of Calamares to release 3.2.11, which fixes CVE-2019-13178, a race condition when LUKS full disk encryption is enabled, between the time when the LUKS encryption keyfile is created and when secure permissions are set. (The Calamares 3.2.11 release also fixes the related CVE-2019-13179, but that security issue does not affect Fedora.)
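The class of bug behind CVE-2019-13178, create a secret file and only afterwards restrict its permissions, is shown below as an added example; it is not Calamares code. The function names, the key size and the file name are assumptions made for the illustration. It measures the permission bits a file has at the instant of creation under both approaches, then writes a key file so that it is owner-only from the start.

```python
import os
import secrets
import stat
import tempfile

KEY_BYTES = 2048  # constructed size for this example
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def create_default(path):
    """What open(path, 'wb') does underneath: mode 0o666 filtered by the umask."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)


def create_private(path):
    """Owner-only from the first instant; refuses existing files and symlinks."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)


def initial_mode(create):
    """Permission bits a file carries at the moment `create` brings it into existence."""
    old = os.umask(0o022)  # common default, pinned so the result is deterministic
    try:
        with tempfile.TemporaryDirectory() as d:
            fd = create(os.path.join(d, "demo.key"))
            try:
                return stat.S_IMODE(os.fstat(fd).st_mode)
            finally:
                os.close(fd)
    finally:
        os.umask(old)


def write_keyfile(path):
    """Hardened write: no interval in which the key is readable by other users."""
    fd = create_private(path)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(fd, 0o600)  # pin exact bits; the umask can only have removed some
        f.write(secrets.token_bytes(KEY_BYTES))
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print("create-then-chmod starts at", oct(initial_mode(create_default)))
    print("restrictive create starts at", oct(initial_mode(create_private)))
```

A later chmod cannot close the window, because a process that opened the file while it was still readable keeps its descriptor; the mode has to be right in the creating call itself.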

In addition, since the previously packaged version was Calamares 3.2.8, this update includes all changes from Calamares 3.2.9:

  • branding now supports os-release variables in the strings section, which allows re-using (at runtime) information set in /etc/os-release. This requires KDE Frameworks 5.58. upstream issue #1150 (This feature is now used in the version of default branding packaged here. However, the packages still default to the auto branding, which recovers more information from /etc/os-release at RPM installation time.)
  • branding allows the use of FreeDesktop.org icon names for the productLogo and productIcon keys. If a file is named there, then the file is used, and otherwise the icon is looked up in the current theme. upstream issue #1160
  • welcome allows a custom image path or icon name to be set for the language-selection drop-down (instead of the international standard one).
  • bug fixes.

and from Calamares 3.2.10:

  • A crash when no finished page (or rather, no page at all) is configured after the last exec section of the sequence has been solved. The finished page can be left out (but then you don’t get the restart-now functionality). upstream issue #1168
  • The slideshow which is run during installation now has API versions. API version 1 (the default) runs as before, where the slideshow is loaded when the installation starts. API version 2 loads the slideshow on Calamares startup, thus improving responsiveness. Documentation in src/branding/README.md. upstream issue #1152
  • The example slideshow now uses API version 2. (The packaged one currently still uses API version 1 though.)
  • partition now has its own setting for requiredStorage, duplicating the same setting in the welcome module. This is useful for configurations where no welcome module is used, but a minimum size must be checked anyway. upstream issue #1169

Comments 11

This update has been submitted for testing by kkofler.

This update test gating status has been changed to 'waiting'.

This update test gating status has been changed to 'ignored'.

This update has been pushed to testing.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

Unfortunately, it looks like UEFI installations don't work with Calamares 3.2.11. I need to investigate that issue before pushing this update.

This update's test gating status has been changed to 'greenwave_failed'.

This update's test gating status has been changed to 'ignored'.

It turns out that the UEFI issue is not caused by the update. UEFI works in the VM with a fresh disk image and not with a reused one. It is unclear whether it works on real hardware. But the update does not make this any better or worse, so let us just push the security update now and look into UEFI later.

This update has been submitted for stable by kkofler.

This update has been pushed to stable.


stable threshold: 1
unstable threshold: -10
submitted 2 months ago
in testing 2 months ago
in stable 10 days ago

Related Bugs 2

  • #1726565 CVE-2019-13178 calamares: race condition in modules/luksbootkeyfile/main.py
  • #1726566 CVE-2019-13178 calamares: race condition in modules/luksbootkeyfile/main.py [fedora-all]
