From kyle.rankin at puri.sm Fri Dec 7 15:22:46 2018 From: kyle.rankin at puri.sm (Kyle Rankin) Date: Fri, 7 Dec 2018 15:22:46 -0800 Subject: [Security] Welcome to the Purism Security Mailing List Message-ID: <20181207232246.nr3n6sobxtdizkz5@work> The Purism security mailing list will serve to notify customers of hardware and software security issues within Purism products and services. This is aimed to be a low-traffic notification-focused mailing list. For discussions on these and other security topics go to https://forums.puri.sm. -- Kyle Rankin Chief Security Officer Purism, SPC -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From kyle.rankin at puri.sm Tue Dec 11 11:20:57 2018 From: kyle.rankin at puri.sm (Kyle Rankin) Date: Tue, 11 Dec 2018 11:20:57 -0800 Subject: [Security] [PSA-1-1] PureOS OEM installer Message-ID: <20181211192056.e6e4qyw2anacniht@work> Purism Security Advisory PSA-1-1 2018-12-11 PureOS OEM Installer It was discovered that the PureOS OEM installer's post-install script had a bug whereby the user's LUKS encryption passphrase was logged in /var/log/auth.log. Because this was a bug in the PureOS OEM installer in particular, it only affects Purism laptop customers who are still using the OEM OS and have not reinstalled. It does *not* affect anyone who has reinstalled PureOS themselves and has been fixed in the OEM installer released on 2018-12-10 so will not affect any new customers. Testing for the bug: You can test whether your passphrase was logged by typing the following in a terminal: sudo grep cryptsetup-helper /var/log/auth.log Because this log does rotate, it's possible your passphrase was logged in a prior file that was rotated and gzipped. In that case you can test with: sudo zgrep cryptsetup-helper /var/log/auth.log.*.gz Impact: Because the password was disclosed in a log file at the moment of install and was owned by the root user and adm group, it would be visible only to someone who had root privileges on the machine for the first four weeks the laptop was used, after which the log file would have been rotated out. Remediation: The first step is to remove any traces of the passphrase from log files. If your passphase does show up in any log files, you can remove it with: sudo rm -f /var/log/auth.log or truncate it with: sudo bash -c '> /var/log/auth.log' Alternatively if you discover the passphrase in a gzipped log file, just remove that particular file instead. If you are concerned that your LUKS password is compromised and want to change it, you can change it from the GUI by launching the "Disks" application on the desktop, selecting your hard drive from the left-hand column and then selecting your main partition that is labeled with "LUKS" (it should be the largest partition on your hard drive). Note that the other, smaller LUKS partition is your swap partition and it does not have to be changed, as it uses a random password that is rotated at each boot. Once you have selected your partition, click the gear icon and select "Change Passphrase" to change the passphrase. Figure 1 (attached) shows a sample screenshot of what this looks like. -- Kyle Rankin Chief Security Officer Purism, SPC -------------- next part -------------- A non-text attachment was scrubbed... Name: Figure1.png Type: image/png Size: 87495 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: