Date: Thu, 27 Sep 2012 15:07:56 -0400
From: Daniel Kahn Gillmor <>
To: Kurt Seifried <>
 Huzaifa Sidhpurwala <>
Subject: Re: dracut creates world readable initramfs images

On 09/27/2012 01:51 PM, Kurt Seifried wrote:
> On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:
>> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:
>>> When the root filesystem contained sensitive information
>>> (password based authentication for iSCSI systems or encrypted
>>> root filesystem crypttab password information), an attacker could
>>> use this flaw to obtain this information.
>>> This issue has been assigned CVE-2012-4453
>> the subject line says "creates non-world readable initramfs
>> images". should that be "creates world-readable initramfs images"
>> instead?
> Yes indeed!

FWIW, this seems similar to a buggy interaction between the dropbear and
initramfs-tools packages in Debian that was handled a couple years ago:


Download attachment "signature.asc" of type "application/pgp-signature" (1031 bytes)
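
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of dracut itself: it lists initramfs images in a boot directory that carry the world-readable bit and can restrict them to the owner. The file-name patterns (`initramfs*`, `initrd*`), the `/boot` default and the 0600 target mode are assumptions.

```shell
#!/bin/sh
# Added example: audit a boot directory for world-readable initramfs images.
# Assumed name patterns: initramfs* (e.g. dracut output) and initrd*.

# True when $1 is a regular file whose mode includes the "other read" bit.
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Print each initramfs-style image in $1 (default /boot) readable by "other".
list_world_readable_initramfs() {
    dir=${1:-/boot}
    for f in "$dir"/initramfs* "$dir"/initrd*; do
        # Skip unmatched globs, non-files and symlinks (chmod would hit the target).
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if is_world_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Set flagged images to 0600 (assumed policy) and print how many were changed.
restrict_initramfs() {
    dir=${1:-/boot}
    fixed=0
    for f in "$dir"/initramfs* "$dir"/initrd*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if is_world_readable "$f"; then
            chmod 600 "$f" && fixed=$((fixed + 1))
        fi
    done
    printf '%s\n' "$fixed"
}

# Stand-alone use: sh script.sh audit [DIR]
if [ "${1:-}" = "audit" ]; then
    list_world_readable_initramfs "${2:-/boot}"
fi
```

Tightening the mode of an existing image does not undo earlier exposure, so secrets embedded in an image that was world-readable should be treated as disclosed and rotated.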
