Request History
jsmeix created request
Security fix CVE-2024-23301 bsc#1218728 for rear (forwarded request 1140363 from jsmeix)
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
anag+factory added as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:29"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:adi:29"
darix accepted review
Accepted review for by_group opensuse-review-team request 1140364 from user anag+factory
anag+factory accepted review
Staging Project openSUSE:Factory:Staging:adi:29 got accepted.
anag+factory approved review
Staging Project openSUSE:Factory:Staging:adi:29 got accepted.
anag+factory accepted request
Staging Project openSUSE:Factory:Staging:adi:29 got accepted.
mrueckert wrote (1140364): Wouldn't it be a much better fix to set a proper umask before generating the initrd? Otherwise you still have a race condition where an unprivileged user can read it.
Which exact race condition? ReaR creates its initrd in a safe working directory, and then the initrd is copied via 'cp -a' into the publicly accessible /boot directory (by the way, I wonder why /boot needs to be publicly accessible?), so the current fix is sufficient for this specific issue. A general safe umask while ReaR runs would be a better and more generic solution, and it is my preferred way to avoid this kind of issue in general, but this needs careful investigation to not break things. Cf. https://github.com/rear/rear/pull/3123
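The mechanism the two comments above turn on, as an added example that is not part of this request and not ReaR's code: `cp -a` preserves the source file's mode, so whatever permissions the file has in the private working directory are the permissions it has the instant it appears in the public directory. The directory and file names and the helper functions are placeholders assumed for the demo.

```shell
#!/bin/sh
# Constructed demo; paths, file names and helpers are placeholders, not ReaR's.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# published_mode UMASK [MODE]
# Create a file under UMASK in a private working directory, optionally
# chmod it to MODE there, then 'cp -a' it into a world-accessible directory.
# Prints the mode the copy has at the moment it becomes visible.
# The body runs in a subshell so the umask change does not leak out.
published_mode() (
    umask "$1"
    work=$(mktemp -d) || exit 1       # mktemp -d creates the directory 0700
    public=$(mktemp -d) || exit 1
    chmod 755 "$public"               # stand-in for a world-accessible /boot
    printf 'placeholder secret\n' > "$work/initrd.img"
    if [ -n "${2:-}" ]; then
        chmod "$2" "$work/initrd.img" # tighten before the file is published
    fi
    cp -a "$work/initrd.img" "$public/initrd.img"
    m=$(mode_of "$public/initrd.img")
    rm -rf "$work" "$public"
    printf '%s\n' "$m"
)

echo "umask 022, no chmod:        $(published_mode 022)"
echo "umask 077, no chmod:        $(published_mode 077)"
echo "umask 022, chmod 600 first: $(published_mode 022 600)"
```

A file that is only tightened after it has been copied stays readable between the copy and the `chmod`; setting the mode in the working directory, or creating the file under a restrictive umask, leaves no such interval.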