Bug 7806 - dracut new security issue CVE-2012-4453
: dracut new security issue CVE-2012-4453
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/519840/
: MGA2-64-OK, MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-10-15 21:39 CEST by David Walser
Modified: 2012-10-20 17:43 CEST (History)
2 users (show)

See Also:
Source RPM: dracut-017-16.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-10-15 21:39:49 CEST
Fedora has issued an advisory on September 28:
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html

Mageia 2 is also affected.
Comment 1 David Walser 2012-10-15 23:51:31 CEST
Fixed in Cauldron by Colin (dracut-012-11.mga3).
Comment 2 Colin Guthrie 2012-10-16 00:03:54 CEST
An updated dracut has been submitted to mga2 updates_testing.

Simply installing this package should be enough to update any files in /boot matching the glob initrd-3*.img to not be world/group readable.

Generating a new initrd should also generate it with appropriate permissions (user rw, group -, other -).

Testing procedure:

1. ls -l /boot (note permissions on initrds)
2. install update
3. ls -l /boot (note corrected permissions on initrds)
4. dracut -f (will overwrite initrd: last few lines of log output will show correct permissions on generated initrd)

Source RPM: dracut-017-16.1.mga2.src.rpm


Advisory Text
=============

The version of dracut shipped with Mageia 2 would generate initrds which were readable by all users. On some setups, the initrd could be configured to include sensitive files such as /etc/crypttab which may include plain text encryption passwords (although the default would be to ask for passwords on from the user on boot).

This updated version of dracut generates initrds which are only readable by the root user.

Additionally, several fixes to the convertfs module have also been included in this update. These fixes will be needed to upgrade to Mageia 3 and are thus being made available now to Mageia 2 users.
Comment 3 Colin Guthrie 2012-10-16 00:05:34 CEST
Over to QA for testing :)
Comment 4 David Walser 2012-10-16 00:07:35 CEST
Thanks Colin.

The first paragraph of the advisory is CVE-2012-4453.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html
Comment 5 Marc Lattemann 2012-10-17 20:49:32 CEST
tested successfully for mga2 i586 and x86_64 (using procedure from Comment 2): global read permissions are removed.


Advisory
========

The version of dracut shipped with Mageia 2 would generate initrds which were
readable by all users. On some setups, the initrd could be configured to
include sensitive files such as /etc/crypttab which may include plain text
encryption passwords (although the default would be to ask for passwords on
from the user on boot).

This updated version of dracut generates initrds which are only readable by the
root user.

Additionally, several fixes to the convertfs module have also been included in
this update. These fixes will be needed to upgrade to Mageia 3 and are thus
being made available now to Mageia 2 users.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089825.html

src RPM: dracut-017-16.1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates? Thanks.
Comment 6 Thomas Backlund 2012-10-20 17:43:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0303

Note You need to log in before you can comment on or make changes to this bug.