oss-sec mailing list archives
Re: dracut creates world readable initramfs images
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 27 Sep 2012 15:07:56 -0400
On 09/27/2012 01:51 PM, Kurt Seifried wrote:
On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:When the root filesystem contained sensitive information (password based authentication for iSCSI systems or encrypted root filesystem crypttab password information), an attacker could use this flaw to obtain this information. This issue has been assigned CVE-2012-4453the subject line says "creates non-world readable initramfs images". should that be "creates world-readable initramfs images" instead?Yes indeed!
FWIW, this seems similar to a buggy interaction between the dropbear and initramfs-tools packages in debian that was handled a couple years ago: http://bugs.debian.org/578117 --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- dracut creates non-world readable initramfs images Huzaifa Sidhpurwala (Sep 27)
- Re: dracut creates non-world readable initramfs images Daniel Kahn Gillmor (Sep 27)
- Re: dracut creates world readable initramfs images Kurt Seifried (Sep 27)
- Re: dracut creates world readable initramfs images Daniel Kahn Gillmor (Sep 27)
- Re: dracut creates world readable initramfs images Kurt Seifried (Sep 27)
- Re: dracut creates non-world readable initramfs images Daniel Kahn Gillmor (Sep 27)