Accepting request 439011 from home:AndreasStieger:branches:Base:System

- Do not create initramfs with world-readable permissions if early microcode update is used bsc#1008340 CVE-2016-8637 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch OBS-URL: https://build.opensuse.org/request/show/439011 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=271
2016-11-07 14:16:02 +00:00 · 2016-11-07 14:16:02 +00:00 · 211474b3be
commit 211474b3be
parent 5b79e7b57c
3 changed files with 39 additions and 0 deletions
--- a/0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
+++ b/0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
@ -0,0 +1,30 @@
+From 0db98910a11c12a454eac4c8e86dc7a7bbc764a4 Mon Sep 17 00:00:00 2001
+From: Andreas Stieger <astieger@suse.com>
+Date: Mon, 7 Nov 2016 10:37:22 +0100
+Subject: [PATCH] dracut.sh: create the initramfs non-world readable also if
+ early cpio is used
+
+Fixes: 5f2c30d9bcd614d546d5c55c6897e33f88b9ab90
+Previously fixed CVE-2012-4453: e1b48995c26c4f06d1a718539cb1bd5b0179af91
+
+Signed-off-by: Andreas Stieger <astieger@suse.com>
+---
+ dracut.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 40ca08f..2d79bbc 100755
+--- a/dracut.sh
+++ b/dracut.sh
+@@ -1700,7 +1700,7 @@ if [[ $create_early_cpio = yes ]]; then
+ 
+     # The microcode blob is _before_ the initramfs blob, not after
+     if ! (
+-            cd "$early_cpio_dir/d"
+            umask 077; cd "$early_cpio_dir/d"
+             find . -print0 | sort -z \
+                 | cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null $cpio_owner_root -H newc -o --quiet > "${DRACUT_TMPDIR}/initramfs.img"
+         ); then
+-- 
+2.10.2
+
--- a/dracut.changes
+++ b/dracut.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov  7 12:06:51 UTC 2016 - astieger@suse.com
+
+- Do not create initramfs with world-readable permissions if
+  early microcode update is used bsc#1008340 CVE-2016-8637
+  0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
+
 -------------------------------------------------------------------
 Mon Oct 17 10:35:53 CEST 2016 - hare@suse.de

--- a/dracut.spec
+++ b/dracut.spec
@ -173,6 +173,7 @@ Patch404:       0404-dracut-emergency-optionally-print-fs-help.patch
 Patch500:       0500-Reset-IFS-variable.patch
 Patch501:       0501-dasd_fix_ssid_bigger_zero.patch
 Patch502:       0502-persistent_device_policy_param_enhance.patch
+Patch503:       0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch

 BuildRequires:  asciidoc
 BuildRequires:  bash
@ -371,6 +372,7 @@ chmod a+x modules.d/91zipl/install_zipl_cmdline.sh
 %patch500 -p1
 %patch501 -p1
 %patch502 -p1
+%patch503 -p1

 %build
 %configure\