Fedora has issued an advisory on September 28: http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html Mageia 2 is also affected.
Whiteboard: (none) => MGA2TOO
Fixed in Cauldron by Colin (dracut-012-11.mga3).
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
An updated dracut has been submitted to mga2 updates_testing. Simply installing this package should be enough to update any files in /boot matching the glob initrd-3*.img to not be world/group readable. Generating a new initrd should also generate it with appropriate permissions (user rw, group -, other -).

Testing procedure:
1. ls -l /boot (note permissions on initrds)
2. install update
3. ls -l /boot (note corrected permissions on initrds)
4. dracut -f (will overwrite initrd: last few lines of log output will show correct permissions on generated initrd)

Source RPM: dracut-017-16.1.mga2.src.rpm

Advisory Text
=============
The version of dracut shipped with Mageia 2 would generate initrds which were readable by all users. On some setups, the initrd could be configured to include sensitive files such as /etc/crypttab, which may include plain text encryption passwords (although the default would be to ask the user for passwords on boot). This updated version of dracut generates initrds which are only readable by the root user.

Additionally, several fixes to the convertfs module have also been included in this update. These fixes will be needed to upgrade to Mageia 3 and are thus being made available now to Mageia 2 users.
Over to QA for testing :)
Assignee: mageia => qa-bugs
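An added example, not part of this bug report or of the dracut package: a POSIX shell audit that performs the same check as steps 1 and 3 of the procedure above, flagging any initrd-3*.img whose group or other permission set carries a read bit, plus a remediation that applies the user-rw-only mode the updated dracut enforces. It assumes GNU coreutils stat (-c '%a'); the optional directory argument exists so the functions can be exercised against a constructed directory instead of /boot.

```shell
#!/bin/sh
# Added example (not from the bug report or dracut): audit and fix initrd
# permissions in a boot directory. Assumes GNU coreutils stat (-c '%a').

# Print every initrd-3*.img in $1 (default /boot) that is group- or
# world-readable. Returns 0 if none was flagged, 1 if at least one was.
check_initrd_perms() {
    dir="${1:-/boot}"
    found=0
    for f in "$dir"/initrd-3*.img; do
        [ -f "$f" ] || continue          # glob matched nothing: not a finding
        mode=$(stat -c '%a' "$f")        # e.g. 644, 600 or 4755 (no leading zero)
        # The last two octal digits are the group and other permission sets;
        # bit 4 in either means the image can be read by a non-root user.
        grp=$(( (mode / 10) % 10 ))
        oth=$(( mode % 10 ))
        if [ $(( grp & 4 )) -ne 0 ] || [ $(( oth & 4 )) -ne 0 ]; then
            echo "readable by non-root: $f (mode $mode)"
            found=1
        fi
    done
    return $found
}

# Apply the permissions the updated dracut generates (user rw, group -, other -).
fix_initrd_perms() {
    dir="${1:-/boot}"
    for f in "$dir"/initrd-3*.img; do
        [ -f "$f" ] || continue
        chmod 0600 "$f"
    done
}
```

Source the file and run check_initrd_perms before and after installing the update; a non-zero exit status means at least one image is still readable by non-root users.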
Thanks Colin. The first paragraph of the advisory is CVE-2012-4453.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html
Tested successfully for mga2 i586 and x86_64 (using the procedure from Comment 2): global read permissions are removed.

Advisory
========
The version of dracut shipped with Mageia 2 would generate initrds which were readable by all users. On some setups, the initrd could be configured to include sensitive files such as /etc/crypttab, which may include plain text encryption passwords (although the default would be to ask the user for passwords on boot). This updated version of dracut generates initrds which are only readable by the root user.

Additionally, several fixes to the convertfs module have also been included in this update. These fixes will be needed to upgrade to Mageia 3 and are thus being made available now to Mageia 2 users.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html

src RPM: dracut-017-16.1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK, MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0303
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED