Bug 859448 (CVE-2012-4453)
| Summary: | CVE-2012-4453 dracut: Creates initramfs images with world-readable permissions (information disclosure) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aladke, atodorov, dpal, dracut-maint-list, harald, mganisin, pjones, pvrabec, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that dracut created initramfs images as world-readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-22 03:17:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 860977, 861034 | | |
| Bug Blocks: | 859456, 974906 | | |
| Attachments: | | | |
Description
Jan Lieskovsky
2012-09-21 15:08:32 UTC
This issue affects the version of the dracut package, as shipped with Red Hat Enterprise Linux 6.

This issue affects the versions of the dracut package, as shipped with Fedora releases 16 and 17.

Created attachment 616700
Change umask before creating $outfile

Here's a patch against upstream git's "master".

This issue has been assigned CVE-2012-4453

This issue is fixed upstream via the following patch:
https://github.com/haraldh/dracut/commit/e1b48995c26c4f06d1a718539cb1bd5b0179af91

Created dracut tracking bugs for this issue

Affects: fedora-all [bug 860977]

(In reply to comment #18)
> This issue is fixed upstream via the following patch:
>
> https://github.com/haraldh/dracut/commit/e1b48995c26c4f06d1a718539cb1bd5b0179af91

The following is the upstream patch:
http://git.kernel.org/?p=boot/dracut/dracut.git;a=commit;h=e1b48995c26c4f06d1a71

http://git.kernel.org/?p=boot/dracut/dracut.git;a=commitdiff;h=e1b48995c26c4f06d1a718539cb1bd5b0179af91
http://dracut.git.sourceforge.net/git/gitweb.cgi?p=dracut/dracut;a=commitdiff;h=e1b48995c26c4f06d1a718539cb1bd5b0179af91
https://github.com/haraldh/dracut/commit/e1b48995c26c4f06d1a718539cb1bd5b0179af91

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1674 https://rhn.redhat.com/errata/RHSA-2013-1674.html

Statement:
(none)
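The attachment on this bug is summarised as "Change umask before creating $outfile". The shell script below is an added example, not dracut's code or the upstream patch: it creates a constructed image file both ways (inheriting the caller's umask, then with a restrictive umask set immediately before creation) so the resulting modes can be compared, and it adds a small audit function that lists initramfs images under a directory such as /boot that are still readable by users other than the owner. The file names, the payload text and the choice of `umask 077` are assumptions for the illustration.

```sh
#!/bin/sh
# Added illustration, not dracut's code. Shows the failure mode behind
# CVE-2012-4453 (an image created under the caller's umask, typically 022,
# ends up 0644) next to the approach of setting a restrictive umask before
# creating $outfile, plus an audit helper for images that already exist.
# All file names and payloads below are constructed for the example.

# Naive writer: inherits whatever umask the caller happens to have.
write_image_naive() {
    outfile="$1"
    rm -f "$outfile"                 # umask only applies at creation time
    : > "$outfile"                   # mode = 0666 & ~umask, e.g. 0644 under 022
    printf 'constructed initramfs payload\n' >> "$outfile"
}

# Fixed writer: restrict the umask in a subshell so only the owner can read
# the image; the caller's umask is left untouched. 077 is an assumed value.
write_image_fixed() {
    outfile="$1"
    rm -f "$outfile"
    ( umask 077; : > "$outfile" )    # mode = 0666 & ~077 = 0600
    printf 'constructed initramfs payload\n' >> "$outfile"
}

# Octal permission bits of a file; GNU stat first, BSD/macOS stat as fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit a directory (e.g. /boot) for initramfs images readable by "other".
# Prints offenders; returns 0 when none are found, 1 otherwise.
audit_images() {
    dir="$1"
    bad=0
    for f in "$dir"/initramfs-*.img; do
        [ -e "$f" ] || continue
        mode=$(perm_of "$f")
        # The last octal digit is the "other" class; any read bit gives 4-7.
        case "$mode" in
            *[4567]) echo "world-readable: $f (mode $mode)"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

Because the umask is consulted only when a file is created, re-running a generator with a corrected umask over an existing world-readable image does not tighten it unless the file is removed or explicitly chmod'ed; the audit function is therefore worth running after the fixed package is installed, not only before.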