Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 27 Sep 2012 15:07:56 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Kurt Seifried <kseifried@...hat.com>
CC: oss-security@...ts.openwall.com, 
 Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: dracut creates world readable initramfs images

On 09/27/2012 01:51 PM, Kurt Seifried wrote:
> On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:
>> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:
>>> When the root filesystem contained sensitive information
>>> (password based authentication for iSCSI systems or encrypted
>>> root filesystem crypttab password information), an attacker could
>>> use this flaw to obtain this information.
>>>
>>> This issue has been assigned CVE-2012-4453
> 
>> the subject line says "creates non-world readable initramfs
>> images". should that be "creates world-readable initramfs images"
>> instead?
> 
> Yes indeed!

FWIW, this seems similar to a buggy interaction between the dropbear and
initramfs-tools packages in debian that was handled a couple years ago:
 http://bugs.debian.org/578117

	--dkg


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ