|Summary:||sys-apps/kexec-tools: kdump dmesg log insecure permissions|
|Product:||Gentoo Security||Reporter:||John Helmert III <ajak>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description John Helmert III 2022-03-13 14:13:13 UTC
CVE-2021-20269: A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47. No reference to any upstream issue, and RedHat's closed their bug.
Comment 1 genBTC 2022-08-17 18:34:16 UTC
This bug is specific to Fedora/RedHat. My investigations: kexec-tools versions currently in gentoo: 2.0.22 Stable, 2.0.24 Testing Ubuntu: https://ubuntu.com/security/CVE-2021-20269 @sbeattie notes: > on ubuntu/debian, makedumpfile from src:makedumpfile is used > to create the dmesg file, and correctly limits the permissions on it. > On Fedora/RedHat, the kdump-lib-initramfs.sh is used and is where > the vulnerability lies. This script is not included in ubuntu/debian packaging Debian: https://security-tracker.debian.org/tracker/CVE-2021-20269 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985105 Salvatore notes > As I explained in my previous update to this bug, this security issue does > not apply to debian package. This security issue was introduced by the > scripts added in Fedora/Redhat packages. I will close this bug now. RedHat: https://access.redhat.com/security/cve/cve-2021-20269 RH seems to have fixed these bugs internally. Describes the fix happened in RHEL8 https://access.redhat.com/errata/RHSA-2021:4404 Down in the "Fixes" section, are 5 links to Bugzilla numbers. The main security item in question: is RH BZ # 1934261 : BZ - 1934261 - CVE-2021-20269 kexec-tools: incorrect permissions on kdump dmesg file (the other 4 fixes are not relevant to what the security issue CVE refers to, the permissions of the log file). https://src.fedoraproject.org/rpms/kexec-tools/c/91c802ff526a0aa0618f6d5c282a9b9b8e41bff8 Their fix literally just chmod's a logfile in some initrd RedHat wrote. I am not familiar with this package myself, but, I don't think we are vulnerable to this CVE, and never were, because we just don't provide nearly as much code as Fedora/RH, and it seems to be almost solely their issue. Gentoo doesn't have this kdump-lib-initramfs.sh at all either. Recommend: close bug , either fixed/invalid/irrelevant.
Comment 2 John Helmert III 2022-08-18 17:29:52 UTC
Thanks for your investigation! Really wish Redhat would make their CVEs less useless to everyone else.