Date: Thu, 27 Sep 2012 15:07:56 -0400 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: Kurt Seifried <kseifried@...hat.com> CC: oss-security@...ts.openwall.com, Huzaifa Sidhpurwala <huzaifas@...hat.com> Subject: Re: dracut creates world readable initramfs images On 09/27/2012 01:51 PM, Kurt Seifried wrote: > On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote: >> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote: >>> When the root filesystem contained sensitive information >>> (password based authentication for iSCSI systems or encrypted >>> root filesystem crypttab password information), an attacker could >>> use this flaw to obtain this information. >>> >>> This issue has been assigned CVE-2012-4453 > >> the subject line says "creates non-world readable initramfs >> images". should that be "creates world-readable initramfs images" >> instead? > > Yes indeed! FWIW, this seems similar to a buggy interaction between the dropbear and initramfs-tools packages in debian that was handled a couple years ago: http://bugs.debian.org/578117 --dkg [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ