Bugzilla – Bug 935338
VUL-0: CVE-2015-0794: dracut: uses hardcoded /tmp/dracut_block_uuid.map filename - symlink attack
Last modified: 2021-03-02 16:44:35 UTC
dracut uses /tmp/dracut_block_uuid.map as hardcoded filename. This allows symlink attacks. An attacker (local non-root user) can create /tmp/dracut_block_uuid.map as symlink pointing to any file, and that file will be destroyed/overwritten when mkinitrd runs the next time.
in /usr/lib/dracut/modules.d/90crypt/module-setup.sh
It is in a SUSE-specific patch:
commit 7f4dea242398cc369ff3fecd599faa00d81a522c
Author: Julian Wolf <juwolf@suse.de>
Date: Tue Aug 19 16:23:59 2014 +0200
90crypt: Fixed crypttab_contains() to also work with device path in /etc/crypttab
blkid is not available when this function is called, so block_uuid.map is put into the initrd, mapping block devices from /etc/crypttab to UUIDs. This fixes a bug where udev rules were created by mistake as crypttab_contains() returned false for devices specified by path in /etc/crypttab, which resulted in error messages during boot.
Signed-off-by: Julian Wolf <juwolf@suse.de>
Assigned CVE-2015-0794 from SUSE CVE Pool.
Don't (only) blame Julian - instead, sit down (important safety measure!) and
grep -r /tmp /usr/lib/dracut/modules.d/
This brings up lots of hardcoded filenames in /tmp. Besides allowing more symlink attacks, I even found examples that might allow attackers to get code executed as root (". /tmp/bridge.info") :-/
To get only the code execution listed,
grep -r '\. /tmp' /usr/lib/dracut/modules.d/
bugbot adjusting priority
is this fixed in the current dracut submission for SLE12? please submit if not.
/tmp/bridge.info is in the initrd. You cannot open the initrd and create links in the /tmp directory of the initrd as a normal user. So this needs no fixing, but is correct. /tmp/dracut_block_uuid.map needs adjusting, though.
There's also a similar issue, introduced by 0169-Enabled-Warning-for-failed-kernel-modules-per-defaul.patch with /tmp/dracut_failed_drivers:
From dbcb0516d9c3270138849f444f40237d1b14797e Mon Sep 17 00:00:00 2001
From: Julian Wolf <juwolf@suse.de>
Date: Fri, 24 Oct 2014 17:07:07 +0200
Subject: Enable warning for failed kernel modules
Enabled Warning for failed kernel modules per default and added summary of those to the end of dracut output
References: bnc#886839
I fixed those issues by converting the fixed names to mktemp generated ones; the fix is currently being prepared for SLE, 13.2 and Factory.
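Added illustration (not dracut's own code) of the pattern this bug is about: a fixed, predictable filename under /tmp versus the mktemp-generated name the fix switched to, plus a check a script can run before trusting the file it produced. The map line and the template name are constructed for the example.

```bash
#!/bin/bash
# Example code, not from the dracut project. Contrasts the hardcoded /tmp name
# from this bug with the mktemp-based replacement described in the fix.
set -u

# Constructed sample: one crypttab-device-to-UUID mapping line.
SAMPLE_MAP="/dev/sda2 1234abcd-0000-1111-2222-333344445555"

# Unsafe pattern (shown for contrast, not invoked below): a fixed path under
# /tmp. Whatever already exists at that path, including a symlink placed by
# another local user, is followed and overwritten by the redirection.
write_map_unsafe() {
    echo "$SAMPLE_MAP" > /tmp/dracut_block_uuid.map
    echo /tmp/dracut_block_uuid.map
}

# Hardened pattern: mktemp creates a fresh file with O_CREAT|O_EXCL and mode
# 0600 under an unpredictable name, so a pre-existing symlink at that name makes
# creation fail instead of being followed. The caller removes the file when done.
write_map_safe() {
    local map
    map=$(mktemp "${TMPDIR:-/tmp}/dracut_block_uuid.XXXXXXXXXX") || return 1
    echo "$SAMPLE_MAP" > "$map" || { rm -f "$map"; return 1; }
    echo "$map"
}

# Sanity check before a script relies on such a file: it must be a regular
# file (not a symlink), owned by the caller, and not accessible to others.
# Assumes GNU stat (Linux).
map_is_trustworthy() {
    local f=$1 mode
    [ ! -L "$f" ] && [ -f "$f" ] && [ -O "$f" ] || return 1
    mode=$(stat -c %a "$f") || return 1
    [ "$mode" = "600" ]
}
```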
This is an autogenerated message for OBS integration: This bug (935338) was mentioned in https://build.opensuse.org/request/show/343394 13.2 / dracut
This is an autogenerated message for OBS integration: This bug (935338) was mentioned in https://build.opensuse.org/request/show/343477 13.2 / dracut
openSUSE-SU-2015:2022-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 935338,935993,952491
CVE References: CVE-2015-0794
Sources used: openSUSE 13.2 (src): dracut-037-17.30.1
This is an autogenerated message for OBS integration: This bug (935338) was mentioned in https://build.opensuse.org/request/show/345214 Leap:42.1 / dracut
SUSE-SU-2015:2065-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 935338,935993,947518,952491
CVE References: CVE-2015-0794
Sources used: SUSE Linux Enterprise Server 12 (src): dracut-037-51.17.3; SUSE Linux Enterprise Desktop 12 (src): dracut-037-51.17.3
Fixes available for some days already, see above.
openSUSE-SU-2015:2165-1: An update that contains security fixes can now be installed.
Category: security (moderate)
Bug References: 935338,935563,952491,953035,953361
CVE References:
Sources used: openSUSE Leap 42.1 (src): dracut-037-68.1