From 7c8cf9e28a0e7791e20edbb18e81da1ea239413e Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Nov 07 2016 09:48:58 +0000
Subject: dracut-044-78 - fixed permissions of initramfs file, if microcode is prepended CVE-2016-8637
---
diff --git a/0077-dracut.sh-create-the-initramfs-non-world-readable-al.patch b/0077-dracut.sh-create-the-initramfs-non-world-readable-al.patch
new file mode 100644
index 0000000..0b6a629
--- /dev/null
+++ b/0077-dracut.sh-create-the-initramfs-non-world-readable-al.patch
@@ -0,0 +1,27 @@
+From 89d3ee1a5a1cc46961a64ac2c0be0645e9ce1c74 Mon Sep 17 00:00:00 2001
+From: Andreas Stieger
+Date: Mon, 7 Nov 2016 10:37:22 +0100
+Subject: [PATCH] dracut.sh: create the initramfs non-world readable also if
+ early cpio is used
+
+Fixes: 5f2c30d9bcd614d546d5c55c6897e33f88b9ab90
+Previously fixed CVE-2012-4453: e1b48995c26c4f06d1a718539cb1bd5b0179af91
+
+Signed-off-by: Andreas Stieger
+---
+ dracut.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 8232fa4..63da604 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1695,7 +1695,7 @@ if [[ $create_early_cpio = yes ]]; then
+
+ # The microcode blob is _before_ the initramfs blob, not after
+ if ! (
+- cd "$early_cpio_dir/d"
++ umask 077; cd "$early_cpio_dir/d"
+ find . -print0 | sort -z \
+ | cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null $cpio_owner_root -H newc -o --quiet > "${DRACUT_TMPDIR}/initramfs.img"
+ ); then
diff --git a/dracut.spec b/dracut.spec
index 3c4bb55..99dbc61 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -16,7 +16,7 @@ Name: dracut
 Version: 044
-Release: 77%{?dist}
+Release: 78%{?dist}
 Summary: Initramfs generator using udev
 %if 0%{?fedora} || 0%{?rhel}
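Review bot: `cd "$early_cpio_dir/d"` on the new `umask 077; cd …` line can still fail silently: the subshell goes on to run `find . -print0 | … | cpio …` in whatever the current directory happens to be, and the surrounding `if ! ( … )` only sees the exit status of that final pipeline, so the error branch after `); then` (which continues outside the hunk) would not fire for an unreadable or missing directory. Writing the line as `umask 077; cd "$early_cpio_dir/d" || exit 1` makes the subshell fail in that case while keeping the umask change. Note also that `umask` only governs the mode of files created afterwards; if `${DRACUT_TMPDIR}/initramfs.img` already existed, the redirection would truncate it and keep its previous mode — presumably DRACUT_TMPDIR is a freshly created private temporary directory, but that is not visible in this hunk. A short why-comment on the line, e.g. `# umask 077: the image must not be world-readable (CVE-2016-8637)`, would explain the otherwise opaque umask to the next reader.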
@@ -111,6 +111,7 @@ Patch73: 0073-move-ln_r-to-dracut-init.sh.patch
 Patch74: 0074-systemd-initrd-add-initrd-root-device.target.patch
 Patch75: 0075-network-dhclient.conf-add-missing-commata.patch
 Patch76: 0076-systemd-dracut-cmdline.sh-unset-UNSET-root.patch
+Patch77: 0077-dracut.sh-create-the-initramfs-non-world-readable-al.patch
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@@ -574,6 +575,10 @@ rm -rf -- $RPM_BUILD_ROOT
 %endif
 %changelog
+* Mon Nov 07 2016 Harald Hoyer - 044-78
+- fixed permissions of initramfs file, if microcode is prepended
+ CVE-2016-8637
+
 * Thu Aug 25 2016 Harald Hoyer - 044-77
 - backport of fix for empty root=