dracut: CVE-2012-4453: creates non-world readable initramfs images

Related Vulnerabilities: CVE-2012-4453  

Debian Bug report logs - #688956


Package: dracut; Maintainer for dracut is Thomas Lange <lange@debian.org>; Source for dracut is src:dracut (PTS, buildd, popcon).

Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 27 Sep 2012 11:36:01 UTC

Severity: important

Tags: patch, security

Found in version dracut/020-1

Fixed in version dracut/020-1.1

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#688956; Package dracut. (Thu, 27 Sep 2012 11:36:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Thomas Lange <lange@debian.org>. (Thu, 27 Sep 2012 11:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: dracut: CVE-2012-4453: creates non-world readable initramfs images
Date: Thu, 27 Sep 2012 14:32:46 +0300
Package: dracut
Version: 020-1
Severity: important
Tags: security

An information disclosure flaw was found in the way dracut, an
initramfs root filesystem images generator, created initramfs images.

When the root filesystem contained sensitive information (password
based authentication for iSCSI systems or encrypted root filesystem
crypttab password information), an attacker could use this flaw to
obtain this information.

I haven't verified Debian packages are affected. If you want me to do it send me an email :)

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=859448
Patch: http://git.kernel.org/?p=boot/dracut/dracut.git;a=commit;h=e1b48995c26c4f06d1a71
Information from: http://www.openwall.com/lists/oss-security/2012/09/27/3

- Henri Salo
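The exposure Henri describes comes down to the mode bits on the generated image: a world-readable initramfs hands every local account whatever crypttab or iSCSI credentials were baked into it. As an added example (not from this bug report or from dracut itself), the shell functions below audit a boot directory for world-readable initramfs images and show the mitigation in the spirit of the fix: creating the image under a restrictive umask and forcing owner-only mode. The directory, file names and image payload are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of bug #688956 or of dracut. Demonstrates both sides
# of a CVE-2012-4453-style exposure: finding initramfs images that any local
# user can read, and generating an image so that it is never world-readable.
# Assumes find(1) with -maxdepth and a POSIX ls(1); all paths are constructed.

# List regular files under directory $1 named like initramfs images whose
# "other" read bit (octal 004) is set. Such an image may carry crypttab or
# iSCSI credentials readable by every account on the host.
find_world_readable_initramfs() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'initramfs-*' -o -name 'initrd*' \) \
        -perm -004 | sort
}

# Return 0 when neither group nor other holds any permission bit on $1,
# i.e. the state a hardened generator should leave its image in.
# Columns 5-10 of "ls -ld" are the group and other permission triplets.
is_owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Write image $1 the safe way: restrict the umask inside a subshell before
# the output file is created, so there is no window in which it exists as
# world-readable, then force 0600 to cover an output path that already
# existed with a loose mode. The payload is a constructed stand-in for the
# real cpio|gzip archive a generator would produce.
write_initramfs_private() {
    out="$1"
    (
        umask 077
        printf 'constructed-initramfs-payload\n' > "$out"
    )
    chmod 0600 "$out"
    is_owner_only "$out"
}

# Audit directory $1: print one line per offending image and return 1 if
# any were found, so the function can gate a hardening check.
audit_initramfs_dir() {
    list=$(find_world_readable_initramfs "$1")
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | sed 's/^/WORLD-READABLE: /'
    return 1
}
```

Run `audit_initramfs_dir /boot` on a host to see whether any installed image is still exposed; a clean exit means none of the matched images is readable by other.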



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#688956; Package dracut. (Thu, 27 Sep 2012 11:54:03 GMT)


Acknowledgement sent to Thomas Lange <lange@informatik.uni-koeln.de>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>. (Thu, 27 Sep 2012 11:54:03 GMT)


Message #10 received at 688956@bugs.debian.org:

From: Thomas Lange <lange@informatik.uni-koeln.de>
To: Henri Salo <henri@nerv.fi>, 688956@bugs.debian.org
Subject: Re: Bug#688956: dracut: CVE-2012-4453: creates non-world readable initramfs images
Date: Thu, 27 Sep 2012 13:41:22 +0200
>>>>> On Thu, 27 Sep 2012 14:32:46 +0300, Henri Salo <henri@nerv.fi> said:


    > I haven't verified Debian packages are affected. If you want me to do it send me an email :)
That would be great, because currently I'm very busy.
-- 
regards Thomas



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#688956; Package dracut. (Tue, 09 Oct 2012 21:36:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>. (Tue, 09 Oct 2012 21:36:07 GMT)


Message #15 received at 688956@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thomas Lange <lange@informatik.uni-koeln.de>
Cc: Henri Salo <henri@nerv.fi>, 688956@bugs.debian.org
Subject: Re: Bug#688956: dracut: CVE-2012-4453: creates non-world readable initramfs images
Date: Tue, 9 Oct 2012 23:30:54 +0200
On Thu, Sep 27, 2012 at 01:41:22PM +0200, Thomas Lange wrote:
> >>>>> On Thu, 27 Sep 2012 14:32:46 +0300, Henri Salo <henri@nerv.fi> said:
> 
> 
>     > I haven't verified Debian packages are affected. If you want me to do it send me an email :)
> That would be great, because currently I'm very busy.

Debian is affected. Please fix this in unstable with an upload with urgency=medium
and request an unblock by filing a bug against release.debian.org.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#688956; Package dracut. (Sun, 04 Nov 2012 17:57:05 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>. (Sun, 04 Nov 2012 17:57:05 GMT)


Message #20 received at 688956@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 688956@bugs.debian.org
Subject: dracut: diff for NMU version 020-1.1
Date: Sun, 4 Nov 2012 18:53:12 +0100
tags 688956 + patch
tags 688956 + pending
thanks

Dear Thomas,

I've prepared an NMU for dracut (versioned as 020-1.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
[dracut-020-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sun, 04 Nov 2012 17:57:13 GMT)


Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sun, 04 Nov 2012 17:57:14 GMT)


Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Tue, 06 Nov 2012 18:21:04 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 06 Nov 2012 18:21:04 GMT)


Message #29 received at 688956-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 688956-close@bugs.debian.org
Subject: Bug#688956: fixed in dracut 020-1.1
Date: Tue, 06 Nov 2012 18:17:36 +0000
Source: dracut
Source-Version: 020-1.1

We believe that the bug you reported is fixed in the latest version of
dracut, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated dracut package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 04 Nov 2012 18:47:50 +0100
Source: dracut
Binary: dracut dracut-network
Architecture: source all
Version: 020-1.1
Distribution: unstable
Urgency: medium
Maintainer: Thomas Lange <lange@debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 dracut     - A new initramfs infrastructure
 dracut-network - A new initramfs infrastructure
Closes: 688956
Changes: 
 dracut (020-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * Fixing CVE-2012-4453: Create the initramfs non-world readable
     (Closes: #688956).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Dec 2012 07:27:57 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 13:33:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#688956; Package dracut. (Fri, 18 Jan 2013 14:06:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>. (Fri, 18 Jan 2013 14:06:03 GMT)


Message #38 received at 688956@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 688956@bugs.debian.org
Subject: Re: dracut: CVE-2012-4453: creates non-world readable initramfs images
Date: Fri, 18 Jan 2013 12:15:09 -0000
Package: dracut

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/688956/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Feb 2013 07:27:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:48:09 2019; Machine Name: beach
