Message-ID: <5064A40C.8080003@fifthhorseman.net>
Date: Thu, 27 Sep 2012 15:07:56 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Kurt Seifried <kseifried@...hat.com>
CC: oss-security@...ts.openwall.com, 
 Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: dracut creates world readable initramfs images

On 09/27/2012 01:51 PM, Kurt Seifried wrote:
> On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:
>> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:
>>> When the root filesystem contained sensitive information
>>> (password based authentication for iSCSI systems or encrypted
>>> root filesystem crypttab password information), an attacker could
>>> use this flaw to obtain this information.
>>>
>>> This issue has been assigned CVE-2012-4453
> 
>> the subject line says "creates non-world readable initramfs
>> images". should that be "creates world-readable initramfs images"
>> instead?
> 
> Yes indeed!

FWIW, this seems similar to a buggy interaction between the dropbear and
initramfs-tools packages in Debian that was handled a couple of years ago:
 http://bugs.debian.org/578117

	--dkg
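The condition the quoted advisory describes (an initramfs image readable by any local user, so that embedded iSCSI credentials or crypttab key material can simply be copied out) is easy to audit for. The script below is an added example, not code from this thread, from dracut or from the Debian bug referenced above. It assumes images live under the directory passed in and are named `initramfs*` or `initrd*`; the `demo` function builds a throwaway directory with constructed, empty files so it runs offline.

```shell
#!/bin/sh
# Added example: audit a /boot-like directory for initramfs images that
# are readable by "other" (the CVE-2012-4453 condition) and tighten them.
set -u

# Print every regular file that looks like an initramfs image and whose
# permission bits include world-read (octal 0004), one path per line.
# "-perm -004" matches when all listed bits are set, on GNU and BSD find.
find_world_readable_images() {
    dir=$1
    find "$dir" -type f \( -name 'initramfs*' -o -name 'initrd*' \) -perm -004 | sort
}

# Number of offending images; "0" means the directory is clean.
count_world_readable_images() {
    n=$(find_world_readable_images "$1" | wc -l)
    echo $((n))
}

# Remediation for the images already on disk: drop group/other bits.
# Caveat: this does not fix the generator. A rebuilt image will be
# world-readable again unless the dracut version in use creates images
# with a restrictive mode, so rerun the check after every kernel update.
restrict_images() {
    dir=$1
    find_world_readable_images "$dir" | while IFS= read -r img; do
        chmod 0600 "$img"
    done
}

# Constructed demo (hypothetical file names): two exposed images, one
# already restricted, and a kernel that the name filter must ignore.
demo() {
    boot=$(mktemp -d)
    : > "$boot/initramfs-3.6.0.img";  chmod 0644 "$boot/initramfs-3.6.0.img"
    : > "$boot/initrd.img-3.2.0";     chmod 0644 "$boot/initrd.img-3.2.0"
    : > "$boot/initramfs-3.5.0.img";  chmod 0600 "$boot/initramfs-3.5.0.img"
    : > "$boot/vmlinuz-3.6.0";        chmod 0644 "$boot/vmlinuz-3.6.0"
    before=$(count_world_readable_images "$boot")
    restrict_images "$boot"
    after=$(count_world_readable_images "$boot")
    rm -rf "$boot"
    echo "$before $after"
}
```

Run `demo` to see the count before and after remediation on the constructed directory, or point `count_world_readable_images /boot` at a real system from a cron job and alert on any non-zero result.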

