CVE-2016-8637
https://notcve.org/view.php?id=CVE-2016-8637
A local information disclosure issue was found in dracut before 045, which generates initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. A local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.
• http://seclists.org/oss-sec/2016/q4/352
• http://www.securityfocus.com/bid/94128
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8637
• https://github.com/dracutdevs/dracut/commit/0db98910a11c12a454eac4c8e86dc7a7bbc764a4
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2015-0794
https://notcve.org/view.php?id=CVE-2015-0794
modules.d/90crypt/module-setup.sh in the dracut package before 037-17.30.1 in openSUSE 13.2 allows local users to have unspecified impact via a symlink attack on /tmp/dracut_block_uuid.map.
• http://lists.opensuse.org/opensuse-bugs/2015-06/msg02580.html
• http://lists.opensuse.org/opensuse-bugs/2015-06/msg02585.html
• http://lists.opensuse.org/opensuse-updates/2015-11/msg00098.html
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2012-4453 – dracut: Creates initramfs images with world-readable permissions (information disclosure)
https://notcve.org/view.php?id=CVE-2012-4453
dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.
It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information.
• http://git.kernel.org/?p=boot/dracut/dracut.git%3Ba=commit%3Bh=e1b48995c26c4f06d1a71
• http://rhn.redhat.com/errata/RHSA-2013-1674.html
• http://www.openwall.com/lists/oss-security/2012/09/27/3
• http://www.openwall.com/lists/oss-security/2012/09/27/4
• http://www.openwall.com/lists/oss-security/2012/09/27/6
• http://www.securityfocus.com/bid/55713
• https://bugzilla.redhat.com/show_bug.cgi?id=859448
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79258
• https://access&
• CWE-276: Incorrect Default Permissions
CVE-2010-4176
https://notcve.org/view.php?id=CVE-2010-4176
plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty device file, which allows remote authenticated users to read terminal data from tty0 for local users.
• http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051755.html
• http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051418.html
• http://secunia.com/advisories/42342
• http://secunia.com/advisories/42451
• http://www.securityfocus.com/bid/45046
• http://www.vupen.com/english/advisories/2010/3062
• http://www.vupen.com/english/advisories/2010/3110
• https://bugzilla.redhat.com/show_bug.cgi?id=654489
• https://bugzilla.redhat.com/show_bug.cgi?id=654935
• CWE-276: Incorrect Default Permissions