List:       oss-security
Subject:    Re: [oss-security] dracut creates world readable initramfs images
From:       Daniel Kahn Gillmor <dkg () fifthhorseman ! net>
Date:       2012-09-27 19:07:56
Message-ID: 5064A40C.8080003 () fifthhorseman ! net


On 09/27/2012 01:51 PM, Kurt Seifried wrote:
> On 09/27/2012 11:21 AM, Daniel Kahn Gillmor wrote:
>> On 09/27/2012 05:07 AM, Huzaifa Sidhpurwala wrote:
>>> When the root filesystem contained sensitive information
>>> (password based authentication for iSCSI systems or encrypted
>>> root filesystem crypttab password information), an attacker could
>>> use this flaw to obtain this information.
>>>
>>> This issue has been assigned CVE-2012-4453
> 
>> the subject line says "creates non-world readable initramfs
>> images". should that be "creates world-readable initramfs images"
>> instead?
> 
> Yes indeed!

FWIW, this seems similar to a buggy interaction between the dropbear and
initramfs-tools packages in debian that was handled a couple years ago:
 http://bugs.debian.org/578117

	--dkg

