vmlinuz is world-readable

Bug #1843327 reported by Thadeu Lima de Souza Cascardo on 2019-09-09
This bug affects 2 people
Affects | Importance | Assigned to
linux-signed (Ubuntu) | Undecided | Unassigned
Bionic | Medium | Thadeu Lima de Souza Cascardo
Disco | Medium | Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
ppc64el vmlinuz is world-readable, possibly impacting security on that platform.

[Test case]
Verify vmlinuz is not world-readable after the fix.

[Regression potential]
File permissions may be wrong, possibly allowing attack.

--------------------------------------------------------------------------

  ======================================================================
  FAIL: test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
  kernel addresses in /boot are not world readable
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 1438, in test_096_boot_symbols_unreadable
      self.assertEqual(os.stat(name).st_mode & mask, expected, '%s is world readable' % (name))
  AssertionError: /boot/vmlinux-4.15.0-62-generic is world readable

  ----------------------------------------------------------------------
  Ran 125 tests in 31.183s

  FAILED (failures=1)

This currently affects ppc64el.
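
A stand-alone version of the check named in the test case, added here as an example; it is not taken from test-kernel-security.py or from the linux-signed package. It lists kernel images and symbol maps in a boot directory that grant read access to "other". The file-name patterns, the S_IROTH mask and the sample files in demo() are assumptions.

```python
import glob
import os
import stat
import tempfile

# Assumed patterns: the page names vmlinuz-* and /boot/vmlinux-<version>;
# System.map-* is added here because it also carries kernel addresses.
KERNEL_PATTERNS = ("vmlinuz-*", "vmlinux-*", "System.map-*")


def world_readable_boot_files(boot_dir="/boot", patterns=KERNEL_PATTERNS):
    """Return sorted (path, mode) pairs for regular files readable by 'other'."""
    offenders = []
    for pattern in patterns:
        for path in glob.glob(os.path.join(boot_dir, pattern)):
            try:
                st = os.stat(path)
            except OSError:
                continue  # dangling symlink or entry removed during the scan
            if not stat.S_ISREG(st.st_mode):
                continue  # skip directories and other non-regular entries
            if st.st_mode & stat.S_IROTH:  # assumed mask: the o+r bit only
                offenders.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(offenders)


def demo():
    """Run the check on a constructed directory that imitates /boot."""
    samples = {  # constructed names and modes, not taken from a real system
        "vmlinux-4.15.0-62-generic": 0o644,     # world-readable, as in the report
        "vmlinuz-4.15.0-66-generic": 0o600,     # not world-readable
        "System.map-4.15.0-66-generic": 0o600,  # not world-readable
        "config-4.15.0-66-generic": 0o644,      # not matched by the patterns
    }
    with tempfile.TemporaryDirectory() as boot_dir:
        for name, mode in samples.items():
            path = os.path.join(boot_dir, name)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(path, mode)
        found = world_readable_boot_files(boot_dir)
        return [(os.path.basename(p), m) for p, m in found]


if __name__ == "__main__":
    for path, mode in world_readable_boot_files():
        print("%s is world readable (mode %04o)" % (path, mode))
```

Run as a script, it scans /boot on the local machine and prints one line per offending file; no output means every matched file has the o+r bit cleared.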

Changed in linux-signed (Ubuntu Disco):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Bionic):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Disco):
status: New → In Progress
Changed in linux-signed (Ubuntu Bionic):
status: New → In Progress
Changed in linux-signed (Ubuntu Disco):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-signed (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-signed (Ubuntu):
status: New → Confirmed
Changed in linux-signed (Ubuntu):
status: Confirmed → Fix Released

All autopkgtests for the newly accepted linux-signed (4.15.0-66.75) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-signed

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 5.0.0-31.33

---------------
linux-signed (5.0.0-31.33) disco; urgency=medium

  * Master version: 5.0.0-31.33

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

linux-signed (5.0.0-30.32) disco; urgency=medium

  * Master version: 5.0.0-30.32

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 14:38:03 -0400

Changed in linux-signed (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 4.15.0-66.75

---------------
linux-signed (4.15.0-66.75) bionic; urgency=medium

  * Master version: 4.15.0-66.75

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 23:05:58 -0400

Changed in linux-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) wrote :

This failure still can be found on B-hwe 5.0 PowerPC:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1851488
