oss-sec mailing list archives
CVE-2021-20269: kexec-tools: incorrect permissions on vmcore-dmesg.txt file
From: Wade Mealing <wmealing () redhat com>
Date: Thu, 11 Mar 2021 17:19:44 +1000
Gday, A flaw was found in the kexec-tools where it made the incorrect permissions on the vmcore-dmesg.txt extracted from the vmcore of a previous kernel panic. It is possible that this could be used to leak kernel internal information from a previous execution if it was output to the ring buffer or part of the panic backtrace. An unprivileged user with a local account can use this to extract kernel internal information resulting in an information leak. TLDR: The vmcore-dmesg.txt is created world readable and should not be. Red Hat Bugzilla: http://bugzilla.redhat.com/CVE-2021-20269 Thank you. -- Wade Mealing Product Security - Kernel, RHCE Red Hat <https://www.redhat.com> wmealing () redhat com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted> secalert () redhat com for urgent response
Current thread:
- CVE-2021-20269: kexec-tools: incorrect permissions on vmcore-dmesg.txt file Wade Mealing (Mar 10)