| Summary: | dracut new security issue CVE-2016-4484 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia tools maintainers <mageiatools> |
| Status: | NEW --- | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, dinexat235, doktor5000, fri, geiger.david68210, mageia, mageia, mageia, marthawelch1, ouaurelien, tmb, yvesbrungard |
| Version: | Cauldron | Keywords: | IN_ERRATA6, IN_ERRATA7, IN_ERRATA8, IN_ERRATA9 |
| Target Milestone: | Mageia 10 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9TOO | ||
| Source RPM: | dracut-051-4.mga8.src.rpm | CVE: | |
| Status comment: | Should be mitigated by the installer | ||
|
Description
David Walser
2016-11-16 17:07:22 CET
Although the actual shell script should also be "fixed", an example patch is available via http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html CC:
(none) =>
doktor5000, mageia That patch only applies to Debian. Supposedly dracut has something with a similar bug, but it's not the same code. thierry, martin, any comment about https://bugzilla.redhat.com/show_bug.cgi?id=1395135#c3 ? Assignee:
thierry.vignaud =>
mageiatools In my opinion, this issue is about user education. Forcing the use of rd.shell=0 when encrypting the root file system has implications in recovering from things like a power failure leaving the root file system requiring manual repair. Without testing, I'm not sure if the failure to mount after decrypting would then prevent booting or not. As such, adding the option to add rd.shell=0 when choosing to encrypt the root file system should be considered for a future enhancement. Adding a grub password is a good recommendation, though it should be entirely the admin's choice. Adding a bios/uefi password is beyond the scope of software. It's a good suggestion, where the potential attacker has physical access, though it doesn't prevent them from physically destroying the hard drive. Same with the usually related security suggestion to block booting from removable media. Even though cves have been assigned, I don't consider this to be a security issue, or worthy of being considered as a potential release blocker. CC:
(none) =>
davidwhodgins An according to the council meeting, user education can start with errata. Can someone that understands this write an erratum entry for this? Keywords:
(none) =>
FOR_ERRATA6
David Walser
2017-07-07 04:23:53 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO Added a Security issues section in errata https://wiki.mageia.org/en/Mageia_6_Errata#Security_issues Boot of system with cyphered partitions - CVE-2016-4484 Failed tries to enter the password of a cyphered partition with LUKS end with a shell. http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html People who want to secure their system have to: add a BIOS password add a grub password add “rd.shell=0” to the kernel command line CC:
(none) =>
yves.brungard_mageia
papoteur
2017-07-08 10:24:19 CEST
Keywords:
FOR_ERRATA6 =>
IN_ERRATA6 Removing MGA5TOO, since this won't be addressed there. Whiteboard:
MGA6TOO, MGA5TOO =>
MGA6TOO
David Walser
2018-02-02 18:37:21 CET
Status comment:
(none) =>
Should be mitigated by the installer
David Walser
2019-06-23 19:24:23 CEST
Whiteboard:
MGA6TOO =>
MGA7TOO, MGA6TOO
Nicolas Lécureuil
2020-05-22 14:04:01 CEST
Whiteboard:
MGA7TOO, MGA6TOO =>
MGA7TOO
Nicolas Lécureuil
2020-05-24 00:08:14 CEST
CC:
(none) =>
mageia
David Walser
2020-05-24 00:15:44 CEST
Target Milestone:
Mageia 7 =>
Mageia 8 As for semi-private teachers, companies with more resources have always spent more on their user education starting with the high support level. https://cheapessaywriter.co.uk CC:
(none) =>
marthawelch1 Why not adding rd.shell=0 to Kernel command line when user wants a GRUB password like Fedora does with Anaconda? Updating SRPM version number. Until this, errata for this from M6 should be also part of Erratas M7 and M8. CC:
(none) =>
ouaurelien
Nicolas Lécureuil
2021-01-09 14:14:30 CET
CC:
(none) =>
tmb Martin, Thomas, what do you think about this one ?
Nicolas Lécureuil
2021-01-12 21:47:30 CET
Whiteboard:
MGA7TOO =>
MGA7TOO, MGA8TOO
Chauncey Reichert
2021-03-25 15:11:47 CET
CC:
(none) =>
dinexat235 Didnt see this until now. Per comment 10 for errata CC:
(none) =>
fri https://wiki.mageia.org/en/Mageia_7_Errata#Security https://wiki.mageia.org/en/Mageia_8_Errata#Security This bug makes it easy to destroy things, but the encrypted content is still encrypted. So encryption is still good enough for must use cases IMO. Keywords:
FOR_ERRATA7, FOR_ERRATA8 =>
IN_ERRATA7, IN_ERRATA8 Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/ Whiteboard:
MGA7TOO, MGA8TOO =>
MGA8TOO Removing Mageia 8 from whiteboard due to EOL! CC:
(none) =>
geiger.david68210 It is since long also in mga9 errata https://wiki.mageia.org/en/Mageia_9_Errata#Security Target Milestone:
Mageia 9 =>
Mageia 10 |