Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835079 (CVE-2021-20269) - sys-apps/kexec-tools: kdump dmesg log insecure permissions
Summary: sys-apps/kexec-tools: kdump dmesg log insecure permissions
Status: RESOLVED INVALID
Alias: CVE-2021-20269
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-13 14:13 UTC by John Helmert III
Modified: 2022-08-18 17:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-13 14:13:13 UTC 
CVE-2021-20269:

A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.

No reference to any upstream issue, and RedHat's closed their bug.
Comment 1 genBTC 2022-08-17 18:34:16 UTC 
This bug is specific to Fedora/RedHat.

My investigations:

kexec-tools versions currently in gentoo: 2.0.22 Stable, 2.0.24 Testing

Ubuntu:
https://ubuntu.com/security/CVE-2021-20269

@sbeattie notes:
> on ubuntu/debian, makedumpfile from src:makedumpfile is used
> to create the dmesg file, and correctly limits the permissions on it.
> On Fedora/RedHat, the kdump-lib-initramfs.sh is used and is where
> the vulnerability lies. This script is not included in ubuntu/debian packaging

Debian:
https://security-tracker.debian.org/tracker/CVE-2021-20269
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985105
Salvatore notes
> As I explained in my previous update to this bug, this security issue does
> not apply to debian package. This security issue was introduced by the
> scripts added in Fedora/Redhat packages. I will close this bug now.

RedHat:
https://access.redhat.com/security/cve/cve-2021-20269

RH seems to have fixed these bugs internally.
Describes the fix happened in RHEL8 
https://access.redhat.com/errata/RHSA-2021:4404
Down in the "Fixes" section, are 5 links to Bugzilla numbers.
The main security item in question: is RH BZ # 1934261 :
BZ - 1934261 - CVE-2021-20269 kexec-tools: incorrect permissions on kdump dmesg file 
(the other 4 fixes are not relevant to what the security issue CVE refers to,
 the permissions of the log file).

https://src.fedoraproject.org/rpms/kexec-tools/c/91c802ff526a0aa0618f6d5c282a9b9b8e41bff8

Their fix literally just chmod's a logfile in some initrd RedHat wrote.

I am not familiar with this package myself, but, I don't think we are vulnerable to this CVE, and never were, because we just don't provide nearly as much code as Fedora/RH, and it seems to be almost solely their issue.

Gentoo doesn't have this kdump-lib-initramfs.sh at all either.

Recommend: close bug , either fixed/invalid/irrelevant.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 17:29:52 UTC 
Thanks for your investigation!

Really wish Redhat would make their CVEs less useless to everyone else.