RedHat has issued an advisory on April 9: https://lwn.net/Articles/969278/ According to https://security-tracker.debian.org/tracker/CVE-2024-23301, the fix is: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16 Mageia 9 is also affected.
CVE: (none) => CVE-2024-23301
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => rear-2.7-1.mga10.src.rpm
Status comment: (none) => Patch available from upstream
Thanks for identifying the (simple) patch. Assigning directly to DavidG, you committed the last two versions.
Assignee: bugsquad => geiger.david68210
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root. (CVE-2024-23301)

References:
https://lwn.net/Articles/969278/
========================

Updated package in core/updates_testing:
========================
rear-2.6-2.1.mga9

from SRPM:
rear-2.6-2.1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Source RPM: rear-2.7-1.mga10.src.rpm => rear-2.6-2.mga9.src.rpm
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Keywords: (none) => advisory
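A quick defender-side check for the condition the advisory describes (an initrd under the boot directory that is readable by group or others). This is an added example, not code from ReaR or from the Mageia package; it assumes the GRUB_RESCUE initrd is placed directly under /boot with a name like rear-initrd* (the name patterns are assumptions), and it ships with a constructed fixture so it can be exercised without ReaR installed.

```shell
#!/bin/sh
# Added example (not ReaR's own code): list rescue initrd files whose
# permission bits grant read access to group or others, which is the
# pre-fix behaviour described for CVE-2024-23301.

# Print every initrd-like file directly under BOOT_DIR that is readable
# by group (mode bit 020) or others (mode bit 004). Name patterns are
# an assumption about where GRUB_RESCUE places its initrd.
# Usage: find_world_readable_initrd BOOT_DIR
find_world_readable_initrd() {
    boot_dir=$1
    find "$boot_dir" -maxdepth 1 -type f \
        \( -name 'rear-initrd*' -o -name 'initrd*' -o -name 'initramfs*' \) \
        \( -perm -020 -o -perm -004 \) 2>/dev/null | sort
}

# Return 0 when no such file exists (the fixed state), 1 otherwise,
# printing the offending paths on stderr.
check_boot_dir() {
    offenders=$(find_world_readable_initrd "$1")
    if [ -n "$offenders" ]; then
        printf 'initrd readable by non-root users:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed fixture: a temporary "boot" directory holding one initrd
# with the insecure 0644 mode, one with the expected 0600 mode, and a
# kernel image that the check must ignore. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/rear-initrd.cgz";   chmod 0644 "$dir/rear-initrd.cgz"
    : > "$dir/initrd-secure.img"; chmod 0600 "$dir/initrd-secure.img"
    : > "$dir/vmlinuz";           chmod 0644 "$dir/vmlinuz"
    printf '%s' "$dir"
}

# Stand-alone use: ./check_initrd.sh /boot
if [ $# -gt 0 ]; then
    check_boot_dir "$1"
fi
```

Run it against the real /boot after installing the update; an empty result and exit status 0 is the expected post-fix state.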
MGA9-64 Plasma Wayland on HP Pavilion.
No installation issues.
Recover and restore seem a complex story, trying to keep it simple. Picked a few commands from its help:

# rear -V
Relax-and-Recover 2.6 / Git

# rear -S dump
Press ENTER to include '/etc/rear/os.conf' ...
Press ENTER to include '/usr/share/rear/conf/Linux-i386.conf' ...
Press ENTER to include '/usr/share/rear/conf/GNU/Linux.conf' ...
Press ENTER to include '/etc/rear/local.conf' ...
Press ENTER to include '/usr/share/rear/init/default/005_verify_os_conf.sh' ...
Press ENTER to include '/usr/share/rear/init/default/010_EFISTUB_check.sh' ...
Press ENTER to include '/usr/share/rear/init/default/010_set_drlm_env.sh' ...
Press ENTER to include '/usr/share/rear/init/default/030_update_recovery_system.sh' ...
Press ENTER to include '/usr/share/rear/init/default/050_check_rear_recover_mode.sh' ...
Press ENTER to include '/usr/share/rear/init/default/950_check_missing_programs.sh' ...
# Begin dumping out configuration and system information:
# This is a 'Linux-x86_64' system, compatible with 'Linux-i386'.
# Configuration tree:
# Linux-i386.conf : OK
# GNU/Linux.conf : OK
# Fedora.conf : missing/empty
# Fedora/i386.conf : missing/empty
# Fedora/VERSION_ID=9.conf : missing/empty
# Fedora/VERSION_ID=9/i386.conf : missing/empty
# Fedora.conf : missing/empty
# Fedora/i386.conf : missing/empty
# Fedora/VERSION_ID=9.conf : missing/empty
# Fedora/VERSION_ID=9/i386.conf : missing/empty
# site.conf : missing/empty
# local.conf : OK
# System definition:
ARCH="Linux-i386"
OS="GNU/Linux"
OS_MASTER_VENDOR="Fedora"
OS_MASTER_VERSION="VERSION_ID=9"
OS_MASTER_VENDOR_ARCH="Fedora/i386"
OS_MASTER_VENDOR_VERSION="Fedora/VERSION_ID=9"
OS_MASTER_VENDOR_VERSION_ARCH="Fedora/VERSION_ID=9/i386"
OS_VENDOR="Fedora"
OS_VERSION="VERSION_ID=9"
OS_VENDOR_ARCH="Fedora/i386"
OS_VENDOR_VERSION="Fedora/VERSION_ID=9"
OS_VENDOR_VERSION_ARCH="Fedora/VERSION_ID=9/i386"
# Backup with REQUESTRESTORE:
REQUESTRESTORE_COMMAND=""
REQUESTRESTORE_TEXT=$'Please start the restore process on your backup host.\nMake sure that you restore the data into /mnt/local (by default \'/mnt/local\')\ninstead of \'/\' because the hard disks of the recovered system are mounted there.\n'
BACKUP_DUPLICITY_NAME="rear-backup"
BACKUP_INTEGRITY_CHECK=""
BACKUP_MOUNTCMD=""
BACKUP_ONLY_EXCLUDE="no"
BACKUP_ONLY_INCLUDE="no"
BACKUP_OPTIONS=""
BACKUP_RESTORE_MOVE_AWAY_DIRECTORY="/var/lib/rear/moved_away_after_backup_restore/"
BACKUP_RESTORE_MOVE_AWAY_FILES=("/boot/grub/grubenv" "/boot/grub2/grubenv")
BACKUP_RSYNC_OPTIONS=("--sparse" "--archive" "--hard-links" "--numeric-ids" "--stats")
BACKUP_SELINUX_DISABLE="1"
BACKUP_TYPE=""
BACKUP_UMOUNTCMD=""
BACKUP_URL=""
# Output to ISO:
ISO_DEFAULT="boothd"
ISO_DIR="/var/lib/rear/output"
ISO_ISOLINUX_BIN=""
ISO_MAX_SIZE=""
ISO_MKISOFS_BIN="/bin/mkisofs"
ISO_MKISOFS_OPTS=""
ISO_PREFIX="rear-mach4"
ISO_RECOVER_MODE=""
ISO_VOLID="RELAXRECOVER"
OUTPUT_EFISTUB_SYSTEMD_BOOTLOADER="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
OUTPUT_LFTP_OPTIONS=""
OUTPUT_MOUNTCMD=""
OUTPUT_OPTIONS=""
OUTPUT_PREFIX="mach4"
OUTPUT_PREFIX_PXE=""
OUTPUT_UMOUNTCMD=""
OUTPUT_URL=""
# Validation status:
# /usr/share/rear/lib/validated/Fedora/VERSION_ID=9/i386.txt : missing/empty
# Your system is not yet validated. Please carefully check all functions
# and create a validation record with 'rear validate'. This will help others
# to know about the validation status of Relax-and-Recover on this system.
# End of dump configuration and system information.

Seems odd that it recognizes this system as Fedora version 9, but it seems to work.
OK for me.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
At least it got the "9" right. Since this is a security update, I'm sending it on. If it needs a bugfix for the identification error, another bug can be filed. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0131.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED