So the main point is that the issue can be mitigated by setting a bootloader password, which makes sense, and our installer allows that, but I don't believe that it adds the "rd.shell=0" to the kernel command line when you do that, so perhaps it should.
Although the actual shell script should also be "fixed", an example patch is available via http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
That patch only applies to Debian. Supposedly dracut has something with a similar bug, but it's not the same code.
any comment about https://bugzilla.redhat.com/show_bug.cgi?id=1395135#c3 ?
In my opinion, this issue is about user education.
Forcing the use of rd.shell=0 when encrypting the root file system has implications in recovering from things like a power failure leaving the
root file system requiring manual repair. Without testing, I'm not sure
if the failure to mount after decrypting would then prevent booting or not.
As such, adding the option to add rd.shell=0 when choosing to encrypt the
root file system should be considered for a future enhancement.
Adding a grub password is a good recommendation, though it should be entirely
the admin's choice.
Adding a bios/uefi password is beyond the scope of software. It's a good suggestion, where the potential attacker has physical access, though it
doesn't prevent them from physically destroying the hard drive. Same with
the usually related security suggestion to block booting from removable media.
Even though cves have been assigned, I don't consider this to be a security
issue, or worthy of being considered as a potential release blocker.
An according to the council meeting, user education can start with errata. Can someone that understands this write an erratum entry for this?
Added a Security issues section in errata
Boot of system with cyphered partitions - CVE-2016-4484
Failed tries to enter the password of a cyphered partition with LUKS end with a shell. http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
People who want to secure their system have to:
add a BIOS password
add a grub password
add “rd.shell=0” to the kernel command line
Removing MGA5TOO, since this won't be addressed there.
MGA6TOO, MGA5TOO =>
Should be mitigated by the installerTarget Milestone: