Package: initramfs-tools Version: 0.113 Severity: important Tags: security I've noticed that when running update-initramfs, a core dump was generated in the current directory, which is in itself a first bug.
After looking at this problem with strace, I saw that this came from: /usr/bin/ldd /lib/firmware/cis/PCMLM28.cis apparently via mkinitramfs. The strace output shows: 23190 execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 115 vars */]) = 0 23190 syscall_1073741836(0, 0, 0x4000000c, 0xbfebfbff, 0x37f, 0x64, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000) = -1 (errno 38) 23190 syscall_1073742340(0x2, 0xfffbaa70, 0x1, 0xbfebfbff, 0xf77b0a3e, 0xf776d8cc, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d) = -1 (errno 38) 23190 syscall_1073742055(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38) 23190 syscall_1073741884(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38) 23190 --- SIGSEGV (Segmentation fault) @ 0 (0) --- I wonder whether it may be a security bug. /libx32 is not necessarily a standard directory, and could for instance be NFS mounted, have write-access to more people, or whatever; only some particular packages use this directory, but if they are not installed, I assume that the admin is free to do whatever he wants with it, and tools like mkinitramfs are not supposed to run anything from it. 
And this is not a bug in ldd, as the ldd man page says:

  Security
    In the usual case, ldd invokes the standard dynamic linker (see ld.so(8)) with the LD_TRACE_LOADED_OBJECTS environment variable set to 1, which causes the linker to display the library dependencies. Be aware, however, that in some circumstances, some versions of ldd may attempt to obtain the dependency information by directly executing the program. Thus, you should never employ ldd on an untrusted executable, since this may result in the execution of arbitrary code. A safer alternative when dealing with untrusted executables is:

        $ objdump -p /path/to/program | grep NEEDED

For this reason, I think that the use of ldd should be dropped entirely from initramfs-tools. It might ease privilege escalation if there's another security bug on the system.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 13M 2013-08-24 23:54:26 /boot/initrd.img-3.10-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:31 /boot/initrd.img-3.10-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:36:02 /boot/initrd.img-3.8-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:55 /boot/initrd.img-3.8-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:46 /boot/initrd.img-3.9-1-amd64
-- /proc/cmdline
root=/dev/mapper/xvii-root ro quiet reboot=pci

-- resume
RESUME=/dev/mapper/xvii-swap_1
-- /proc/filesystems
	ext3
	fuseblk
	ext2

-- lsmod

-- /etc/initramfs-tools/modules

-- /etc/kernel-img.conf
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no

-- /etc/initramfs-tools/initramfs.conf
MODULES=most
BUSYBOX=y
KEYMAP=n
COMPRESS=gzip
DEVICE=
NFSROOT=auto

-- /etc/initramfs-tools/update-initramfs.conf
update_initramfs=yes
backup_initramfs=no

-- /etc/crypttab
# sda2_crypt /dev/sda2 none luks
sda2_crypt UUID=fa8631f3-1e14-46ea-8b22-6187bbe883bd none luks

-- mkinitramfs hooks
/etc/initramfs-tools/hooks/:

/usr/share/initramfs-tools/hooks:
busybox
cryptgnupg
cryptkeyctl
cryptopenct
cryptopensc
cryptpassdev
cryptroot
dmsetup
fuse
keymap
klibc
kmod
lvm2
ntfs_3g
thermal
udev

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initramfs-tools depends on:
ii  cpio               2.11+dfsg-1
ii  klibc-utils        2.0.2-1
ii  kmod               9-3
ii  module-init-tools  9-3
ii  udev               175-7.2

Versions of packages initramfs-tools recommends:
ii  busybox  1:1.20.0-8.1

Versions of packages initramfs-tools suggests:
ii  bash-completion  1:2.0-1

-- no debconf information

--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130824223753.ga27...@xvii.vinc17.org
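
The static approach the quoted man page recommends (read the dependency list instead of letting a loader run the file), as an added example that is not part of the original report or of initramfs-tools. The names needed_libs and sample_elf are hypothetical, the ELF image is constructed for the example, and only 64-bit little-endian ELF is handled.

```python
import struct
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libs(data):
    """DT_NEEDED names of a 64-bit little-endian ELF image, read by parsing only.
    Nothing is executed; non-ELF or malformed input gives an empty list."""
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        return []
    (phoff,) = struct.unpack_from("<Q", data, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dyn, tags = [], None, []
    try:
        for i in range(phnum):
            p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
                "<IIQQQQ", data, phoff + i * phentsize)
            if p_type == PT_LOAD:
                loads.append((p_vaddr, p_off, p_filesz))
            elif p_type == PT_DYNAMIC:
                dyn = (p_off, p_filesz)
        if dyn is None:
            return []  # static binary: no dynamic section
        for pos in range(dyn[0], dyn[0] + dyn[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            tags.append((tag, val))
    except (struct.error, OverflowError):
        return []  # a header points outside the file
    strtab_va = next((v for t, v in tags if t == DT_STRTAB), None)
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    base = next((off + strtab_va - va for va, off, size in loads
                 if strtab_va is not None and va <= strtab_va < va + size), None)
    names = []
    for tag, val in tags:
        if base is not None and tag == DT_NEEDED and base + val < len(data):
            names.append(data[base + val:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def sample_elf():
    """Constructed minimal image: ELF header, two program headers, dynamic section."""
    strtab = b"\0libc.so.6\0libm.so.6\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    size = 240 + len(strtab)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0x400000, 0x400000, size, size, 0x1000)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, 176, 0x4000B0, 0x4000B0, 64, 64, 8)
    dyn = struct.pack("<qQqQqQqQ", DT_NEEDED, 1, DT_NEEDED, 11, DT_STRTAB, 0x4000F0, 0, 0)
    return ehdr + load + dynp + dyn + strtab
```

A file without the ELF magic, such as a firmware blob, returns an empty list at the first check, so no interpreter named inside the file is ever started.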