Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835079 (CVE-2021-20269) - sys-apps/kexec-tools: kdump dmesg log insecure permissions
Summary: sys-apps/kexec-tools: kdump dmesg log insecure permissions
Alias: CVE-2021-20269
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [upstream]
Depends on:
Reported: 2022-03-13 14:13 UTC by John Helmert III
Modified: 2022-08-18 17:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-13 14:13:13 UTC

A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.

No reference to any upstream issue, and RedHat's closed their bug.
Comment 1 genBTC 2022-08-17 18:34:16 UTC
This bug is specific to Fedora/RedHat.

My investigations:

kexec-tools versions currently in gentoo: 2.0.22 Stable, 2.0.24 Testing


@sbeattie notes:
> on ubuntu/debian, makedumpfile from src:makedumpfile is used
> to create the dmesg file, and correctly limits the permissions on it.
> On Fedora/RedHat, the is used and is where
> the vulnerability lies. This script is not included in ubuntu/debian packaging

Salvatore notes
> As I explained in my previous update to this bug, this security issue does
> not apply to debian package. This security issue was introduced by the
> scripts added in Fedora/Redhat packages. I will close this bug now.


RH seems to have fixed these bugs internally.
Describes the fix happened in RHEL8
Down in the "Fixes" section, are 5 links to Bugzilla numbers.
The main security item in question: is RH BZ # 1934261 :
BZ - 1934261 - CVE-2021-20269 kexec-tools: incorrect permissions on kdump dmesg file 
(the other 4 fixes are not relevant to what the security issue CVE refers to,
 the permissions of the log file).

Their fix literally just chmod's a logfile in some initrd RedHat wrote.

I am not familiar with this package myself, but, I don't think we are vulnerable to this CVE, and never were, because we just don't provide nearly as much code as Fedora/RH, and it seems to be almost solely their issue.

Gentoo doesn't have this at all either.

Recommend: close bug , either fixed/invalid/irrelevant.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 17:29:52 UTC
Thanks for your investigation!

Really wish Redhat would make their CVEs less useless to everyone else.