A security issue in dracut has been announced today (November 7): http://openwall.com/lists/oss-security/2016/11/07/3 There is a link to the upstream fix at the bottom of the message above. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory for this on November 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VA7LTNATN2EKBHSSHB35W5AXITXVLG6/
URL: (none) => http://lwn.net/Vulnerabilities/706114/
Here it is claimed that dracut is also vulnerable to an issue related to LUKS: http://openwall.com/lists/oss-security/2016/11/15/1
Fixed on cauldron, update pushed on mga5 SRPM: dracut-038-21.1.mga5
CC: (none) => mageiaVersion: Cauldron => 5Assignee: mageia => qa-bugsWhiteboard: MGA5TOO => (none)
Note that Nicolas hasn't addressed the issue in Comment 2, but we can't do anything about that until more information is available.
Advisory: ======================== Updated dracut package fixes security vulnerability: A local information disclosure issue was found in dracut when generating initramfs images with world-readable permissions when "early cpio" is used, such as when including microcode updates. Local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials (CVE-2016-8637). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8637 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VA7LTNATN2EKBHSSHB35W5AXITXVLG6/ ======================== Updated packages in core/updates_testing: ======================== dracut-038-21.1.mga5 from dracut-038-21.1.mga5.src.rpm
Severity: normal => major
(In reply to David Walser from comment #4) > Note that Nicolas hasn't addressed the issue in Comment 2, but we can't do > anything about that until more information is available. A bit more info here: https://harald.hoyer.xyz/2016/11/15/dracut-and-cve-2016-4484-cryptsetup-initrd-root-shell/ Mitigations for that CVE-2016-4484 issue are given there.
Bug 19800 filed for the CVE-2016-4484 issue.
MGA5-32 on AcerD620 Xfce No installation issues After reading about dracut and intramfs and initrds, I concluded that the only thing that I could do (understand) to test was to make sure that the system could be rebooted, which it did. If that is enought, then can someone with a better understanding please OK this update.
CC: (none) => herman.viaene
Herman, I don't remember if updating dracut automatically regenerates the initrds or not. Check the timestamps of /boot/initrd-4.4.32-desktop-1.mga5.img or whatever you have there and see if it was updated. If it wasn't, run "dracut -f" and reboot again.
Nope, we dont trigger initrd rebuilds on dracut updates
CC: (none) => tmb
Timestamp of /boot/initrd-4.4.30-desktop-1.mga5.img is now set to Nov. 17 14:22 Note: from one of the previous updates I read to run dracut -f before rebooting, which I did. So I can now not make out whether this timestamp comes from the update or from the dracut run (I guess the latter???).
Testing on mga5-64 Package installed: dracut-038-21.1.mga5.x86_64.rpm Packge installed cleanly $ ls -ll /boot | grep initrd-4.4.30 -rw-r--r-- 1 root root 9267577 Nov 7 14:45 initrd-4.4.30-desktop-2.mga5.img initrd is world-readable # dracut -f $ ls -ll /boot | grep initrd-4.4.30 -rw------- 1 root root 9253582 Nov 17 15:10 initrd-4.4.30-desktop-2.mga5.img Confirming that the initrd.img is now readable only by root. System re-booted normally OK for mga5-64
CC: (none) => jimWhiteboard: (none) => MGA5-64-OK
Testing on mga5-32 Update installed cleanly $ rpm -q dracut dracut-038-21.1.mga5 ls -ll /boot | grep initrd-4.4.30 -rw-r--r-- 1 root root 9982986 Nov 7 13:18 initrd-4.4.30-desktop-2.mga5.img initrd is world readable # dracut -f $ ls -ll /boot | grep initrd-4.4.30 -rw------- 1 root root 9972164 Nov 17 18:06 initrd-4.4.30-desktop-2.mga5.img newly created initrd is readable only by root System re-booted normally OK for mga5-32
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
This update is now validated The Advisory in comment#5 needs to be uploaded to SVN The packages can then be pushed to updates
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0387.html
Status: NEW => RESOLVEDResolution: (none) => FIXED