CVE-2019-13179
Description
Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) to /boot inside a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Calamares installer copies LUKS keyfile into globally readable initramfs, allowing any user to retrieve decryption keys.
Vulnerability
Calamares versions 3.1 through 3.2.10 (inclusive) generate a LUKS encryption keyfile at /crypto_keyfile.bin with permissions 0600 owned by root. During installation, this keyfile is copied into the initramfs image stored in /boot, but the initramfs is created with globally readable permissions (e.g., 644). As a result, the keyfile becomes readable by any user on the system, despite its original restrictive permissions [1][2][4].
Exploitation
An attacker with local unprivileged shell access can extract the keyfile by decompressing the initramfs image. For example, the image can be unpacked with unmkinitramfs /boot/initrd.img-* /tmp/initrd, after which /tmp/initrd/main/crypto_keyfile.bin can be copied to a readable location [2][4]. No authentication beyond a local user account is required, and the attack works every time the system is booted with the vulnerable initramfs.
Impact
Successful exploitation discloses the LUKS decryption key for the encrypted root filesystem. An attacker can then decrypt the entire disk, gaining full access to all data, including sensitive files and credentials. This compromises the confidentiality of the entire system, bypassing full-disk encryption [1][2][4].
Mitigation
The vulnerability is fixed in Calamares version 3.2.11, released on July 7, 2019 [3]. Users should update to Calamares 3.2.11 or later. For systems already installed with a vulnerable version, the initramfs must be regenerated with corrected permissions (e.g., by reinstalling the initramfs-tools package or rebuilding the initrd with proper umask). No workaround is available for the installer itself; the fix ensures the initramfs is created with secure permissions [1][3].
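As an added defender-side check (example code written here, not part of the CVE record or of Calamares), the script below audits an initramfs image for the two conditions the description names, a world-readable file mode and a crypto_keyfile.bin member, by parsing the newc cpio format directly instead of relying on unmkinitramfs. It assumes a single raw or gzip-compressed newc archive (Ubuntu's concatenated microcode+main images and zstd/lz4 compression are not handled) and builds its own constructed fixture image rather than reading a real /boot.

```python
import gzip
import stat
import tempfile
from pathlib import Path

NEWC_MAGIC = b"070701"              # header magic of the "newc" cpio format used by initramfs
LEAKED_NAME = "crypto_keyfile.bin"  # keyfile name from the CVE description

def cpio_newc_names(blob):
    """Yield member names of an uncompressed newc cpio archive."""
    pos = 0
    while pos + 110 <= len(blob):                      # 6-byte magic + 13 eight-hex-digit fields
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc cpio header at offset {pos}")
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]      # positions fixed by the newc spec
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()   # drop trailing NUL
        if name == "TRAILER!!!":
            return
        yield name
        # header+name is padded to 4 bytes, and so is the file data that follows
        pos = (((pos + 110 + namesize + 3) & ~3) + filesize + 3) & ~3

def audit_initrd(path):
    """Flag an image that is world-readable and carries the keyfile (raw or gzip newc only)."""
    blob = Path(path).read_bytes()
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    leaked = [n for n in cpio_newc_names(blob) if Path(n).name == LEAKED_NAME]
    readable = bool(Path(path).stat().st_mode & stat.S_IROTH)
    return {"world_readable": readable, "leaked_keyfile": leaked, "vulnerable": readable and bool(leaked)}

def build_newc_cpio(members):
    """Constructed fixture: pack {name: bytes} into a newc cpio archive (regular files, 0600)."""
    out = bytearray()
    for name, data in list(members.items()) + [("TRAILER!!!", b"")]:
        raw = name.encode() + b"\0"
        vals = [0, 0o100600, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
        out += NEWC_MAGIC + "".join(f"{v:08x}" for v in vals).encode() + raw
        out += b"\0" * (-len(out) % 4)
        out += data + b"\0" * (-len(data) % 4)
    return bytes(out)

def write_fixture(members, mode, compress=True):
    """Write a constructed image (not a real initrd) with the given members and file mode."""
    img = Path(tempfile.mkdtemp()) / "initrd.img-test"
    blob = build_newc_cpio(members)
    img.write_bytes(gzip.compress(blob) if compress else blob)
    img.chmod(mode)
    return str(img)
```

On a real host, call audit_initrd on each /boot/initrd.img-* file; a "vulnerable" result means the image should be regenerated with a restrictive umask, as described above.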
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Calamares / Calamares
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q57BOTBA2J5U4GVKUP7N2PD5H7B3BVUU/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2ZDQRGBGRVRW5LPJWKUNS3M66LZ3KYC/ (Fedora vendor advisory)
- bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
- bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
- bugzilla.redhat.com/show_bug.cgi
- calamares.io/calamares-3.2.11-is-out/ (vendor confirmation)
- calamares.io/calamares-cve-2019/ (vendor confirmation)
- github.com/calamares/calamares/issues/1191
News mentions
No linked articles in our index yet.