Bug 1392056 (CVE-2016-8637) - CVE-2016-8637 dracut: Local information disclosure of initramfs when early cpio is used
Summary: CVE-2016-8637 dracut: Local information disclosure of initramfs when early cp...
Status: CLOSED NOTABUG
Alias: CVE-2016-8637
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161107,repor...
Keywords: Security
Depends On: 1392435 1393912
Blocks: 1392057
TreeView+ depends on / blocked
 
Reported: 2016-11-04 16:49 UTC by Adam Mariš
Modified: 2019-06-08 21:33 UTC (History)
4 users (show)

(edit)
Clone Of:
: 1393912 (view as bug list)
(edit)
Last Closed: 2019-06-08 03:01:50 UTC


Attachments (Terms of Use)
Proposed patch (1022 bytes, patch)
2016-11-04 16:52 UTC, Adam Mariš
no flags Details | Diff

Description Adam Mariš 2016-11-04 16:49:46 UTC
A local information disclosure issue was found in dracut when generating initramfs images with world-readable permissions when "early cpio" is used, such as when including microcode updates. Local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.

Vulnerable code:

if [[ $create_early_cpio = yes ]]; then
    echo 1 > "$early_cpio_dir/d/early_cpio"
    # The microcode blob is _before_ the initramfs blob, not after
    (cd "$early_cpio_dir/d";     find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
fi
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
    $compress >> "$outfile"; ); then
    dfatal "dracut: creation of $outfile failed"
    exit 1
fi

The permissions of the output file depend on umask at creation time, and appending to an existing file does not change them. create_early_cpio is set to on when microcode updates are being used.

Comment 1 Adam Mariš 2016-11-04 16:49:52 UTC
Acknowledgments:

Name: Andreas Stieger (SUSE Security Team)

Comment 2 Adam Mariš 2016-11-04 16:52 UTC
Created attachment 1217453 [details]
Proposed patch

Comment 4 Andrej Nemec 2016-11-07 13:53:43 UTC
Created dracut tracking bugs for this issue:

Affects: fedora-all [bug 1392435]

Comment 5 Andrej Nemec 2016-11-07 13:53:55 UTC
Public via:

http://seclists.org/oss-sec/2016/q4/352


Note You need to log in before you can comment on or make changes to this bug.