vmlinuz is world-readable

Bug #1843327 reported by Thadeu Lima de Souza Cascardo on 2019-09-09
This bug affects 2 people
Affects                     Importance   Assigned to
linux-signed (Ubuntu)       Undecided    Unassigned
  Xenial                    Undecided    Unassigned
  Bionic                    Medium       Thadeu Lima de Souza Cascardo
  Disco                     Medium       Thadeu Lima de Souza Cascardo
linux-signed-hwe (Ubuntu)   Undecided    Unassigned
  Xenial                    Undecided    Unassigned
  Bionic                    Undecided    Kleber Sacilotto de Souza
  Disco                     Undecided    Unassigned

Bug Description

[Impact]
ppc64el vmlinuz is world-readable, possibly impacting security on that platform.

[Test case]
Verify vmlinuz is not world-readable after the fix.

[Regression potential]
File permissions may be wrong, possibly allowing attack.

--------------------------------------------------------------------------

  ======================================================================
  FAIL: test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
  kernel addresses in /boot are not world readable
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 1438, in test_096_boot_symbols_unreadable
      self.assertEqual(os.stat(name).st_mode & mask, expected, '%s is world readable' % (name))
  AssertionError: /boot/vmlinux-4.15.0-62-generic is world readable

  ----------------------------------------------------------------------
  Ran 125 tests in 31.183s

  FAILED (failures=1)

This currently affects ppc64el.
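A stand-alone version of the [Test case] above, added here as an example and not the test-kernel-security.py from the page: it lists kernel images in a boot directory that have any "other" permission bit set (the condition the quoted assertion checks with st_mode & mask) and applies the remediation, run against a constructed temporary directory. The System.map- prefix and the restrict_boot_files helper are this example's assumptions.

```python
import os
import stat
import tempfile

# Kernel artifacts whose contents reveal kernel code or addresses. The page's
# test covers vmlinux-/vmlinuz-; adding System.map- is this example's assumption.
BOOT_PREFIXES = ("vmlinuz-", "vmlinux-", "System.map-")
OTHER_BITS = stat.S_IRWXO  # any o+r/o+w/o+x bit is a finding


def world_readable_boot_files(boot_dir="/boot"):
    """Paths of kernel artifacts with any 'other' bit set: the test's failure condition."""
    offenders = []
    for name in sorted(os.listdir(boot_dir)):
        if not name.startswith(BOOT_PREFIXES):
            continue
        path = os.path.join(boot_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):  # symlinks report 0777; the target is listed on its own
            continue
        if st.st_mode & OTHER_BITS:
            offenders.append(path)
    return offenders


def restrict_boot_files(paths):
    """Remediate as a package postinst would: drop group/other bits. Returns new modes."""
    result = {}
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))
        result[path] = stat.S_IMODE(os.stat(path).st_mode)
    return result


def demo():
    """Constructed stand-in for /boot: the bug's 0644 image, a correct 0600 one, and
    an out-of-scope config file. Returns (offenders before, fixed modes, offenders after)."""
    boot = tempfile.mkdtemp(prefix="fakeboot-")
    for name, mode in (("vmlinux-4.15.0-62-generic", 0o644),  # the bug
                       ("vmlinuz-5.0.0-31-generic", 0o600),   # correct
                       ("config-5.0.0-31-generic", 0o644)):   # ignored
        path = os.path.join(boot, name)
        open(path, "wb").close()
        os.chmod(path, mode)
    before = world_readable_boot_files(boot)
    fixed = restrict_boot_files(before)
    after = world_readable_boot_files(boot)
    return [os.path.basename(p) for p in before], list(fixed.values()), after
```

Running world_readable_boot_files() with the default "/boot" argument reproduces the test's check on a live system.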

Changed in linux-signed (Ubuntu Disco):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Bionic):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Disco):
status: New → In Progress
Changed in linux-signed (Ubuntu Bionic):
status: New → In Progress
Changed in linux-signed (Ubuntu Disco):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-signed (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-signed (Ubuntu):
status: New → Confirmed
Changed in linux-signed (Ubuntu):
status: Confirmed → Fix Released

All autopkgtests for the newly accepted linux-signed (4.15.0-66.75) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-signed

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 5.0.0-31.33

---------------
linux-signed (5.0.0-31.33) disco; urgency=medium

  * Master version: 5.0.0-31.33

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

linux-signed (5.0.0-30.32) disco; urgency=medium

  * Master version: 5.0.0-30.32

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 14:38:03 -0400

Changed in linux-signed (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 4.15.0-66.75

---------------
linux-signed (4.15.0-66.75) bionic; urgency=medium

  * Master version: 4.15.0-66.75

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 23:05:58 -0400

Changed in linux-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) wrote :

This failure can still be found on B-hwe 5.0 PowerPC:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1851488

Changed in linux-signed-hwe (Ubuntu):
status: New → Fix Released
Changed in linux-signed-hwe (Ubuntu Disco):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
Changed in linux-signed-hwe (Ubuntu Xenial):
status: New → In Progress
Changed in linux-signed-hwe (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in linux-signed (Ubuntu Xenial):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux-signed-hwe (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe - 4.15.0-74.83~16.04.1

---------------
linux-signed-hwe (4.15.0-74.83~16.04.1) xenial; urgency=medium

  * Master version: 4.15.0-74.83~16.04.1

linux-signed-hwe (4.15.0-73.82~16.04.1) xenial; urgency=medium

  * Master version: 4.15.0-73.82~16.04.1

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

 -- Khalid Elmously <email address hidden> Tue, 17 Dec 2019 23:49:07 -0500

Changed in linux-signed-hwe (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe - 5.3.0-26.28~18.04.1

---------------
linux-signed-hwe (5.3.0-26.28~18.04.1) bionic; urgency=medium

  * Master version: 5.3.0-26.28~18.04.1

linux-signed-hwe (5.3.0-25.27~18.04.2) bionic; urgency=medium

  * Master version: 5.3.0-25.27~18.04.2
  * Bump upload number.

linux-signed-hwe (5.3.0-25.27~18.04.1) bionic; urgency=medium

  * Master version: 5.3.0-25.27~18.04.1

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

  * Miscellaneous Ubuntu changes
    - [Packaging] Rolling hwe-edge into hwe

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 18 Dec 2019 16:20:33 +0100

Changed in linux-signed-hwe (Ubuntu Bionic):
status: Fix Committed → Fix Released