From fc87cf0e7e9790fb7c02ee54a73dd474ffa6fa38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Thu, 7 Jun 2018 15:42:12 +0200
Subject: [PATCH] Harden dracut against BASH_ENV environment variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When dracut silently produces a broken initramfs, then the system will
likely not boot and this can be very problematic. Typical use case is
after the kernel has been updated.

It appears that dracut is not protected against the BASH_ENV variable,
causing various scripts called by dracut to possibly fail or provide
wrong output (e.g. "ldd" is one of these).
Having a broken output for "ldd" makes the generated initramfs
unusable, typically because vital binaries will be missing (e.g.
"awk", "udevadm", ...).

Note: because the shebang line cannot contain more than one argument,
the '--norc' option had to be removed. IMHO, it was useless anyway.

Signed-off-by: Renaud Métrich <rmetrich@redhat.com>

Cherry-picked from: c1c78f8a91921fe87f5672cdbdf9791f569fc8ac
Resolves: #1588483
---
 dracut.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dracut.sh b/dracut.sh
index 52835872..27489528 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -23,6 +23,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+unset BASH_ENV
+
 # store for logging
 dracut_args=( "$@" )
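
Review bot: The `unset BASH_ENV` placed after the license header only takes effect once dracut.sh is already running, and a non-interactive bash reads the file named by BASH_ENV during startup, before the first line of the script executes. So this protects the child bash scripts dracut calls (the "ldd" case from the commit message), but anything that file defined or changed (functions, aliases, shell options) is already present in dracut.sh's own shell. If the goal is to harden dracut.sh itself as well, that has to happen at interpreter startup (for example through the shebang options) rather than in the script body. Related to that, the commit message says '--norc' had to be removed from the shebang line, yet the diffstat shows 2 insertions and no deletions in dracut.sh, so no shebang change is part of this patch; either include that change or drop the note from the message. A one-line comment above the `unset` explaining why it is there would also help future readers.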