Package: initramfs-tools
Version: 0.113
Severity: important
Tags: security
I've noticed that when running update-initramfs, a core dump was
generated in the current directory, which is in itself a first bug.
After looking at this problem with strace, I saw that this came from:
/usr/bin/ldd /lib/firmware/cis/PCMLM28.cis
apparently via mkinitramfs. The strace output shows:
23190 execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 115 vars */]) = 0
23190 syscall_1073741836(0, 0, 0x400c, 0xbfebfbff, 0x37f, 0x64, 0x1000,
0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
0x1000, 0x1000, 0x1000, 0x1000, 0x1000) = -1 (errno 38)
23190 syscall_1073742340(0x2, 0xfffbaa70, 0x1, 0xbfebfbff, 0xf77b0a3e,
0xf776d8cc, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d,
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d,
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d,
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d,
0xf776ef7d, 0xf776ef7d, 0xf776ef7d) = -1 (errno 38)
23190 syscall_1073742055(0x7f, 0x403c, 0x7f, 0xbfebfbff, 0x40e7,
0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 syscall_1073741884(0x7f, 0x403c, 0x7f, 0xbfebfbff, 0x40e7,
0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
I wonder whether it may be a security bug. /libx32 is not necessarily
a standard directory, and could for instance be NFS mounted, have
write-access to more people, or whatever; only some particular
packages use this directory, but if they are not installed, I assume
that the admin is free to do whatever he wants with it, and tools
like mkinitramfs are not supposed to run anything from it.
And this is not a bug in ldd, as the ldd man page says:
Security
In the usual case, ldd invokes the standard dynamic linker (see
ld.so(8)) with the LD_TRACE_LOADED_OBJECTS environment variable set to
1, which causes the linker to display the library dependencies. Be
aware, however, that in some circumstances, some versions of ldd may
attempt to obtain the dependency information by directly executing the
program. Thus, you should never employ ldd on an untrusted executable,
since this may result in the execution of arbitrary code. A safer
alternative when dealing with untrusted executables is:
$ objdump -p /path/to/program | grep NEEDED
For this reason, I think that the use of ldd should be dropped
entirely from initramfs-tools. It might ease privilege escalation
if there's another security bug on the system.
-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 13M 2013-08-24 23:54:26 /boot/initrd.img-3.10-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:31 /boot/initrd.img-3.10-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:36:02 /boot/initrd.img-3.8-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:55 /boot/initrd.img-3.8-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:46 /boot/initrd.img-3.9-1-amd64
-- /proc/cmdline
root=/dev/mapper/xvii-root ro quiet reboot=pci
-- resume
RESUME=/dev/mapper/xvii-swap_1
-- /proc/filesystems
ext3
fuseblk
ext2
-- lsmod
Module                   Size  Used by
cuse                    12971   3
cpufreq_powersave       12454   0
cpufreq_stats           12866   0
cpufreq_userspace       12576   0
cpufreq_conservative    14184   0
xt_multiport            12548   2
iptable_filter          12536   1
ip_tables               22036   1 iptable_filter
x_tables                19041   3 ip_tables,xt_multiport,iptable_filter
parport_pc              22409   0
ppdev                   12763   0
lp                      13025   0
parport                 31901   3 lp,ppdev,parport_pc
bnep                    17535   2
rfcomm                  33471   0
bluetooth              170002  10 bnep,rfcomm
crc16                   12343   1 bluetooth
binfmt_misc             12925   1
uinput                  17439   1
nfsd                   192007   2
auth_rpcgss             39085   1 nfsd
oid_registry            12419   1 auth_rpcgss
nfs_acl                 12511   1 nfsd
nfs                    110304   0
lockd                   59673   2 nfs,nfsd
dns_resolver            12641   1 nfs
fscache                 37551   1 nfs
sunrpc                 164583   6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
ext2                    59601   1
firewire_sbp2           17956   0
loop                    22869   0
fuse                    67503   2 cuse
uvcvideo                66788   0
arc4                    12543   2
iwldvm                 111931   0
coretemp                12898   0
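The ldd man page's advice quoted in the report (objdump -p | grep NEEDED instead of ldd) comes down to reading the ELF dynamic section instead of letting a dynamic loader run the file. As an added illustration, not part of this bug report and not code from initramfs-tools, here is a small Python parser that does exactly that for little-endian ELF64 objects: it pulls the DT_NEEDED names out of the PT_DYNAMIC segment without mapping or executing anything, and it refuses non-ELF input up front (a firmware blob such as the .cis file above would be skipped rather than handed to a loader). The sample shared object and the firmware-like bytes are constructed inside the script; the names build_sample_elf, needed_libraries, scan_for_initramfs and NotAnElfError are chosen here and do not come from the report or from any tool it mentions.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


class NotAnElfError(ValueError):
    """Input is not an ELF object (firmware blob, script, data file, ...)."""


def needed_libraries(data):
    """Return the DT_NEEDED names of a little-endian ELF64 object.

    This only reads bytes from `data`; unlike ldd it never executes the
    object or a dynamic loader on its behalf.
    """
    if data[:4] != ELF_MAGIC:
        raise NotAnElfError("not an ELF file (magic mismatch)")
    if (data[4], data[5]) != (2, 1):
        raise NotImplementedError("this example handles ELF64 little-endian only")

    # ELF64 header: e_phoff at byte 32, e_phentsize/e_phnum at bytes 54/56.
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads = []        # (p_vaddr, p_offset, p_filesz): virtual address -> file offset
    dynamic = None    # (p_offset, p_filesz) of the PT_DYNAMIC segment
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = ph[:6]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []     # statically linked: nothing is NEEDED

    def vaddr_to_offset(va):
        for vaddr, offset, filesz in loads:
            if vaddr <= va < vaddr + filesz:
                return offset + (va - vaddr)
        raise ValueError("DT_STRTAB address not backed by any PT_LOAD segment")

    needed, strtab_va, strsz = [], None, None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):   # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)          # offset into the dynamic string table
        elif d_tag == DT_STRTAB:
            strtab_va = d_val
        elif d_tag == DT_STRSZ:
            strsz = d_val
    if strtab_va is None or strsz is None:
        raise ValueError("dynamic section lacks DT_STRTAB/DT_STRSZ")
    strtab_off = vaddr_to_offset(strtab_va)
    strtab = data[strtab_off:strtab_off + strsz]

    names = []
    for idx in needed:
        if idx >= len(strtab):
            raise ValueError("DT_NEEDED index outside the string table")
        names.append(strtab[idx:strtab.index(b"\0", idx)].decode("ascii", "replace"))
    return names


def scan_for_initramfs(data):
    """What a copy-the-dependencies step should do: list NEEDED for ELF input,
    return None (skip) for anything else, and never run the file."""
    try:
        return needed_libraries(data)
    except NotAnElfError:
        return None


def build_sample_elf(libs, base=0x400000):
    """Constructed minimal ELF64 shared object with the given DT_NEEDED names
    (test input made up for this example; not a real library)."""
    strtab = b"\0" + b"".join(lib.encode() + b"\0" for lib in libs)
    name_offsets, off = [], 1
    for lib in libs:
        name_offsets.append(off)
        off += len(lib) + 1
    strtab_off = 64 + 2 * 56                         # after header + 2 phdrs
    dyn_off = (strtab_off + len(strtab) + 15) & ~15  # 16-byte aligned
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off)
    dyn += struct.pack("<qQ", DT_STRSZ, len(strtab))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    e_ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELF64, little-endian, SYSV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, 2, 64, 0, 0)           # ET_DYN, x86-64, 2 phdrs
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + ph_load + ph_dyn + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


# Constructed stand-in for a non-ELF file under /lib/firmware (not real CIS data).
SAMPLE_NON_ELF = b"\x01\x03\x00\x00\xff\x15\x04\x05" + b"firmware\0"

if __name__ == "__main__":
    print(scan_for_initramfs(build_sample_elf(["libc.so.6", "libcrypto.so.3"])))
    print(scan_for_initramfs(SAMPLE_NON_ELF))
```

On a real system the equivalent check is `objdump -p FILE | grep NEEDED` (or `readelf -d FILE`), ideally after testing that the first four bytes are `\x7fELF`; neither tool executes its input, which is the property the strace above shows ldd lacking when it ran the x32 loader on a firmware file.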