Debian Bug report logs - #985105
kexec-tools: CVE-2021-20269
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Mar 2021 20:45:01 UTC
Severity: important
Tags: security, upstream
Found in version kexec-tools/1:2.0.20-2.1
Done: Khalid Aziz <khalid@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Khalid Aziz <khalid@debian.org>: Bug#985105; Package src:kexec-tools. (Fri, 12 Mar 2021 20:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Khalid Aziz <khalid@debian.org>. (Fri, 12 Mar 2021 20:45:27 GMT)
Message #5 received at submit@bugs.debian.org:
Source: kexec-tools
Version: 1:2.0.20-2.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for kexec-tools.
CVE-2021-20269[0]:
| incorrect permissions on kdump dmesg file
Could you check the details here? [2] is slightly short on information
such as whether this is "known upstream" etc.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-20269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20269
[1] https://www.openwall.com/lists/oss-security/2021/03/11/2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#985105; Package src:kexec-tools. (Thu, 15 Jul 2021 22:36:02 GMT)
Acknowledgement sent to Khalid Aziz <khalid@debian.org>: Extra info received and forwarded to list. (Thu, 15 Jul 2021 22:36:02 GMT)
Message #10 received at submit@bugs.debian.org:
On 3/12/21 1:40 PM, Salvatore Bonaccorso wrote:
> Source: kexec-tools
> Version: 1:2.0.20-2.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for kexec-tools.
>
> CVE-2021-20269[0]:
> | incorrect permissions on kdump dmesg file
>
> Could you check the details here? [2] is slightly short on information
> such as whether this is "known upstream" etc.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-20269
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20269
> [1] https://www.openwall.com/lists/oss-security/2021/03/11/2
>
> Please adjust the affected versions in the BTS as needed.
>
On Debian systems, the dmesg file is created by makedumpfile in the
makedumpfile package, which is called by /usr/sbin/kdump-config from the
kdump-tools package. makedumpfile sets the permission on the dmesg file
and, from looking at the git history for makedumpfile.c, it has used
permission "S_IRUSR|S_IWUSR" since 2006 at least. Redhat/Fedora on the
other hand use a script kdump-lib-initramfs.sh to create the dmesg file
with "journalctl -ab >> $KDUMP_LOG_FILE", and this vulnerability was
fixed in that script by adding "chmod 600 $KDUMP_LOG_FILE".
The dmesg file on Debian has the format dmesg.<timestamp>, for example:
$ ls -l /var/crash/202107151351/
total 119404
-rw------- 1 root root 67840 Jul 15 13:53 dmesg.202107151351
-rw-r--r-- 1 root root 122195470 Jul 15 13:52 dump.202107151351
As seen in the example above, this file is created with read-write
permission for root only.
The crash files above were generated on a Debian system using the
following versions of the tools:
ii kdump-tools 1:1.6.8.3 amd64
ii makedumpfile 1:1.6.8-4 amd64
ii kexec-tools 1:2.0.22-1 amd64
Does this address the CVE?
Thanks,
Khalid
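The permission difference Khalid describes, as an added example that is not code from this bug log, from kdump-tools or from makedumpfile: a shell redirection such as the "journalctl -ab >> $KDUMP_LOG_FILE" line creates the log with 0666 masked by the umask (usually 0644, so the kernel log is world-readable), while an open with S_IRUSR|S_IWUSR yields 0600. The functions below reproduce both outcomes on a constructed stand-in for the kernel log, apply the "chmod 600" fix, show the umask-based alternative, and audit a crash directory for dmesg.* files readable by group or others. The function names, the temporary directory and the constructed log text are assumptions made for the example; the dmesg.<timestamp> naming follows the listing above.

```shell
#!/bin/sh
# Added example (not from the bug log, kdump-tools or makedumpfile).
# Demonstrates why a bare ">>" redirection leaks the kdump dmesg file
# and audits a crash directory for exposed copies.

# Print the symbolic permission field of a path, e.g. "-rw-------".
# Only the first ten characters are taken, so a trailing ACL/SELinux
# marker ("+" or ".") printed by some ls implementations is ignored.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The pattern from kdump-lib-initramfs.sh: the redirection creates the
# file with 0666 & ~umask, typically 0644, so group and others can read
# the kernel log.  $1 = crash dir, $2 = timestamp, $3 = constructed log text
# standing in for journalctl output.
write_dmesg_redirect() {
    ( umask 022; printf '%s\n' "$3" >> "$1/dmesg.$2" )
    mode_of "$1/dmesg.$2"
}

# The fix applied to that script: tighten the file after writing it.
# The file is briefly world-readable between the two commands.
write_dmesg_fixed() {
    ( umask 022; printf '%s\n' "$3" >> "$1/dmesg.$2" )
    chmod 600 "$1/dmesg.$2"
    mode_of "$1/dmesg.$2"
}

# Equivalent of makedumpfile's S_IRUSR|S_IWUSR from shell: restrict the
# umask first so the file never exists with wider permissions.
write_dmesg_umask() {
    ( umask 077; printf '%s\n' "$3" >> "$1/dmesg.$2" )
    mode_of "$1/dmesg.$2"
}

# Audit: report every dmesg.* file directly under $1 or one level below
# (the /var/crash/<timestamp>/ layout) whose group/other bits are not all
# cleared.  Returns 0 when nothing is exposed, 1 otherwise.
audit_crash_dir() {
    rc=0
    for f in "$1"/dmesg.* "$1"/*/dmesg.*; do
        [ -e "$f" ] || continue
        case "$(mode_of "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "EXPOSED: $f $(mode_of "$f")"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run "audit_crash_dir /var/crash" on a host to list any dmesg.* file that is not root-only; on a Debian system with makedumpfile-created files it should print nothing and return 0.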
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#985105; Package src:kexec-tools. (Thu, 15 Jul 2021 22:36:04 GMT)
Acknowledgement sent to Khalid Aziz <khalid@debian.org>: Extra info received and forwarded to list. (Thu, 15 Jul 2021 22:36:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#985105; Package src:kexec-tools. (Thu, 14 Apr 2022 19:42:03 GMT)
Acknowledgement sent to Khalid Aziz <khalid@debian.org>: Extra info received and forwarded to list. (Thu, 14 Apr 2022 19:42:03 GMT)
Message #20 received at submit@bugs.debian.org:
On 3/12/21 13:40, Salvatore Bonaccorso wrote:
> Source: kexec-tools
> Version: 1:2.0.20-2.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for kexec-tools.
>
> CVE-2021-20269[0]:
> | incorrect permissions on kdump dmesg file
>
> Could you check the details here? [2] is slightly short on information
> such as whether this is "known upstream" etc.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-20269
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20269
> [1] https://www.openwall.com/lists/oss-security/2021/03/11/2
>
> Please adjust the affected versions in the BTS as needed.
>
As I explained in my previous update to this bug, this security issue
does not apply to the Debian package. This security issue was introduced
by the scripts added in the Fedora/Redhat packages. I will close this bug now.
--
Khalid
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#985105; Package src:kexec-tools. (Thu, 14 Apr 2022 19:42:04 GMT)
Acknowledgement sent to Khalid Aziz <khalid@debian.org>: Extra info received and forwarded to list. (Thu, 14 Apr 2022 19:42:04 GMT)
Reply sent to Khalid Aziz <khalid@debian.org>: You have taken responsibility. (Thu, 14 Apr 2022 19:45:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 14 Apr 2022 19:45:06 GMT)
Message #30 received at 985105-done@bugs.debian.org:
This bug is specific to Fedora/Redhat and does not apply to the Debian package.
--
Khalid
Information forwarded to debian-bugs-dist@lists.debian.org, Khalid Aziz <khalid@debian.org>: Bug#985105; Package src:kexec-tools. (Fri, 15 Apr 2022 11:57:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Khalid Aziz <khalid@debian.org>. (Fri, 15 Apr 2022 11:57:02 GMT)
Message #35 received at 985105@bugs.debian.org:
Hi Khalid,
On Thu, Apr 14, 2022 at 01:32:38PM -0600, Khalid Aziz wrote:
> On 3/12/21 13:40, Salvatore Bonaccorso wrote:
> > Source: kexec-tools
> > Version: 1:2.0.20-2.1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for kexec-tools.
> >
> > CVE-2021-20269[0]:
> > | incorrect permissions on kdump dmesg file
> >
> > Could you check the details here? [2] is slightly short on information
> > such as whether this is "known upstream" etc.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-20269
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20269
> > [1] https://www.openwall.com/lists/oss-security/2021/03/11/2
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> As I explained in my previous update to this bug, this security issue does
> not apply to the Debian package. This security issue was introduced by the
> scripts added in the Fedora/Redhat packages. I will close this bug now.
Indeed, and thanks. The fix applied to Fedora is
https://src.fedoraproject.org/rpms/kexec-tools/c/91c802ff526a0aa0618f6d5c282a9b9b8e41bff8
which is Fedora/Red Hat specific.
Regards,
Salvatore
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 14 May 2022 07:24:49 GMT)
Last modified: Tue Jul 23 12:16:52 2024