Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Nov 2016 06:35:31 -0500
From: Andreas Stieger <>
Subject: CVE-2016-8637: dracut creates world readble initramfs when early cpio
 is used


An openSUSE community user reported a permissions oddity with his
initramfs. Upon further analysis this issued turns out to be a local
information disclosure issue in dracut.

SUSE bug:

Dracut generates initramfs images with world-readable permissions when
using "early cpio", such as when including microcode updates. Local
users may use this to obtain information from these files, typically
encryption keys and network storage credentials.

E.g. in dracut 037

if [[ $create_early_cpio = yes ]]; then
    echo 1 > "$early_cpio_dir/d/early_cpio"
    # The microcode blob is _before_ the initramfs blob, not after
    (cd "$early_cpio_dir/d";     find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet > $outfile)
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet | \
    $compress >> "$outfile"; ); then
    dfatal "dracut: creation of $outfile failed"
    exit 1

The permissions of the output file depend on umask at creation time, and
appending to an existing file does not change them. create_early_cpio is
set to on when microcode updates are being used.

The very similar vulnerability CVE-2012-4453 was reported and fixed in 024:

However the addition of microcode update support in 030 re-introduced
the issue:

The vulnerability remains in current git master, which does something
along the lines of:

if [early_cpio]
   cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
umask 0077
cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"

Our fix in upstream master:

CVE-2016-8637 was assigned to this issue.

The local workaround is to adjust the permissions of the initramfs files
manually, and all back-ported patches will set umask to a suitable value
such as 077 prior to first writing the file.

For the SUSE Security Team,
Andreas Stieger

Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton,
HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.