Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1121776,
regarding bookworm-pu: package rear/2.7+dfsg-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121776: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121776
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rear
User: [email protected]
Usertags: pu
Fix CVE-2024-23301 for bookworm.
Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable
initrd when using GRUB_RESCUE=y.
This allows local attackers to gain access to system
secrets otherwise only readable by root.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
debdiff:
diff --git a/debian/changelog b/debian/changelog
index 8c46d0bd..d8da6f86 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rear (2.7+dfsg-1+deb12u1) bookworm; urgency=high
+
+ * Fix CVE-2024-23301:
+ - Prevent created initrd from being world-readable when GRUB_RESCUE=y.
+
+ -- Karsten Schöke <[email protected]> Tue, 02 Dec 2025 13:36:08
+0100
+
rear (2.7+dfsg-1) unstable; urgency=medium
* Update to new upstream version 2.7.
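Review bot: the trailer of the new changelog entry is split over two lines, with the `+0100` timezone on a line of its own; if that is how the uploaded debian/changelog reads rather than mail wrapping, dpkg-parsechangelog will reject the entry, so confirm the signature line ` -- Karsten Schöke <...> Tue, 02 Dec 2025 13:36:08 +0100` is a single line in the source package. The CVE bullet could also cite the upstream issue the patch itself references (https://github.com/rear/rear/issues/3122) so the changelog points at the original report.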
diff --git a/debian/patches/0003-CVE-2024-23301.patch
b/debian/patches/0003-CVE-2024-23301.patch
new file mode 100644
index 00000000..1c7f2e51
--- /dev/null
+++ b/debian/patches/0003-CVE-2024-23301.patch
@@ -0,0 +1,20 @@
+Description: Fix CVE-2024-23301 (initrd world-readable when GRUB_RESCUE=y)
+Origin: upstream
+Bug: https://security-tracker.debian.org/tracker/CVE-2024-23301
+Forwarded: no
+Author: Karsten Schöke <[email protected]>
+Last-Update: 2025-12-02
+
+--- rear-2.7+dfsg.orig/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
++++ rear-2.7+dfsg/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
+ fi
+ ;;
+ esac
++
++# Only root should be allowed to access the initrd
++# because the ReaR recovery system can contain secrets
++# cf. https://github.com/rear/rear/issues/3122
++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600
"$TMP_DIR/$REAR_INITRD_FILENAME"
++
+ popd >/dev/null
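Review bot: the `test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 ...` line of the nested patch is wrapped across two lines, with the second line starting at the quoted filename; as shown here quilt would fail to apply it, so verify the hunk is a single line in the file that was uploaded. On substance, the chmod runs only after the `case "$REAR_INITRD_COMPRESSION"` block above has already written the image, so with a permissive umask the initrd is world-readable for the interval between creation and the chmod; narrowing the umask before the image is written (e.g. `umask 077` in the pack stage) or keeping `$TMP_DIR` itself 0700 closes that window, and is worth a follow-up with upstream. Also, `test -s` silently skips the chmod for an empty file, which is harmless here but means a failed build leaves no trace in the log. Finally, the DEP-3 header combines `Origin: upstream` with `Forwarded: no`; for a fix taken from upstream the expected form is `Forwarded: not-needed` with the upstream commit URL in `Origin:`.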
diff --git a/debian/patches/series b/debian/patches/series
index bbd2a6a5..81c38e80 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-Fix-lintian-error.patch
0002-Disable-Web-fonts-used-by-the-default-stylesheet.patch
+0003-CVE-2024-23301.patch
--- End Message ---
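As an added illustration, not taken from the bug report or from the rear package: a POSIX shell audit that reports rescue initrd images readable by other local users, plus a creation pattern that narrows the umask before the image is written so no world-readable window exists. The directory paths, the gzip stand-in for ReaR's compression pipeline and the GNU `stat -c '%a'` usage are assumptions.

```shell
#!/bin/sh
# Constructed example: not part of the Debian bug report or of the rear
# package. Audits a directory for rescue initrd images that other local
# users can read, and shows a creation pattern that never leaves such a
# window. Assumes GNU stat (-c '%a') and POSIX sh arithmetic.

# List every regular file named initrd* under $1 whose mode grants any
# permission to group or other. Returns 0 when none is found, 1 otherwise.
audit_initrd_perms() {
    dir=$1
    found=0
    for f in "$dir"/initrd*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")           # octal mode, e.g. 644
        # 0$mode is read as an octal constant; 077 masks the group/other bits
        if [ $((0$mode & 077)) -ne 0 ]; then
            printf 'readable by others: %s (mode %s)\n' "$f" "$mode"
            found=1
        fi
    done
    return $found
}

# Write a compressed image of $2 to $1 so that it is owner-private from the
# moment it exists. The umask is narrowed in a subshell before the file is
# created, so there is no interval in which the image is world-readable;
# any stale output file is removed first, because redirection does not
# change the mode of an existing file.
create_private_initrd() {
    out=$1
    src=$2
    rm -f "$out"
    ( umask 077 && gzip -c "$src" > "$out" ) || return 1
    # Defensive check: fail if the result is still exposed to group/other.
    [ $((0$(stat -c '%a' "$out") & 077)) -eq 0 ]
}

# Usage (paths are placeholders, not ReaR's real locations):
#   audit_initrd_perms /var/lib/rear/output
#   create_private_initrd /tmp/rear/initrd.cgz /tmp/rear/rootfs.cpio
```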
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.
--- End Message ---