Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rear
User: [email protected]
Usertags: pu
Fix CVE-2024-23301 for bookworm.

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

debdiff:

diff --git a/debian/changelog b/debian/changelog index 8c46d0bd..d8da6f86 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +rear (2.7+dfsg-1+deb12u1) bookworm; urgency=high + + * Fix CVE-2024-23301: + - Prevent created initrd from being world-readable when GRUB_RESCUE=y. + + -- Karsten Schöke <[email protected]> Tue, 02 Dec 2025 13:36:08 +0100 + rear (2.7+dfsg-1) unstable; urgency=medium * Update to new upstream version 2.7. diff --git a/debian/patches/0003-CVE-2024-23301.patch b/debian/patches/0003-CVE-2024-23301.patch new file mode 100644 index 00000000..1c7f2e51 --- /dev/null +++ b/debian/patches/0003-CVE-2024-23301.patch @@ -0,0 +1,20 @@ +Description: Fix CVE-2024-23301 (initrd world-readable when GRUB_RESCUE=y) +Origin: upstream +Bug: https://security-tracker.debian.org/tracker/CVE-2024-23301 +Forwarded: no +Author: Karsten Schöke <[email protected]> +Last-Update: 2025-12-02 + +--- rear-2.7+dfsg.orig/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh ++++ rear-2.7+dfsg/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in + fi + ;; + esac ++ ++# Only root should be allowed to access the initrd ++# because the ReaR recovery system can contain secrets ++# cf. https://github.com/rear/rear/issues/3122 ++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" ++ + popd >/dev/null diff --git a/debian/patches/series b/debian/patches/series index bbd2a6a5..81c38e80 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -1,2 +1,3 @@ 0001-Fix-lintian-error.patch 0002-Disable-Web-fonts-used-by-the-default-stylesheet.patch +0003-CVE-2024-23301.patch
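Review bot: the debian/changelog hunk does not reference a Debian BTS bug for CVE-2024-23301; if one has been filed, append `(Closes: #NNNNNN)` (placeholder, fill in the real number) to the `* Fix CVE-2024-23301:` line so the bookworm upload closes it and the security tracker picks the fix up automatically.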
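Review bot: the DEP-3 headers in the new 0003-CVE-2024-23301.patch hunk are inconsistent: `Origin: upstream` is combined with `Forwarded: no` and the Debian maintainer as `Author:`. If the change is taken from upstream (the embedded comment cites https://github.com/rear/rear/issues/3122), `Origin:` should carry the upstream commit URL and `Forwarded:` should be `not-needed`; if it is Debian-authored, use `Origin: vendor` and keep `Forwarded: no` (or forward it). Separately, in the nested 900_create_initramfs.sh hunk the added `chmod 0600` runs only after the `case "$REAR_INITRD_COMPRESSION"` block has fully written the initrd, so the file still exists with the default umask permissions for a short window before the chmod; setting `umask 077` before the initrd is created, or writing it under a mode-0700 directory, closes that window. The `test -s` guard also means a missing or empty initrd is silently skipped rather than reported, which is worth a comment or an explicit error path.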

