[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] dracut creates world readable initramfs images
From: Daniel Kahn Gillmor <dkg () fifthhorseman ! net>
Date: 2012-09-27 19:07:56
Message-ID: 5064A40C.8080003 () fifthhorseman ! net
[Download RAW message or body]
On 09/27/2012 01:51 PM, Kurt Seifried wrote:
> On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:
>> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:
>>> When the root filesystem contained sensitive information
>>> (password based authentication for iSCSI systems or encrypted
>>> root filesystem crypttab password information), an attacker could
>>> use this flaw to obtain this information.
>>>
>>> This issue has been assigned CVE-2012-4453
>
>> the subject line says "creates non-world readable initramfs
>> images". should that be "creates world-readable initramfs images"
>> instead?
>
> Yes indeed!
FWIW, this seems similar to a buggy interaction between the dropbear and
initramfs-tools packages in debian that was handled a couple years ago:
http://bugs.debian.org/578117
--dkg
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic