Version in base suite: 2.7+dfsg-1
Base version: rear_2.7+dfsg-1
Target version: rear_2.7+dfsg-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rear/rear_2.7+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rear/rear_2.7+dfsg-1+deb12u1.dsc
changelog | 7 +++++++
patches/0003-CVE-2024-23301.patch | 21 +++++++++++++++++++++
patches/series | 1 +
3 files changed, 29 insertions(+)
diff -Nru rear-2.7+dfsg/debian/changelog rear-2.7+dfsg/debian/changelog
--- rear-2.7+dfsg/debian/changelog 2023-01-11 14:33:42.000000000 +0000
+++ rear-2.7+dfsg/debian/changelog 2025-12-02 12:36:08.000000000 +0000
@@ -1,3 +1,10 @@
+rear (2.7+dfsg-1+deb12u1) bookworm; urgency=high
+
+  * Fix CVE-2024-23301:
+    - Prevent created initrd from being world-readable when GRUB_RESCUE=y.
+
+ -- Karsten Schöke  Tue, 02 Dec 2025 13:36:08 +0100
+
 rear (2.7+dfsg-1) unstable; urgency=medium
 
   * Update to new upstream version 2.7.
diff -Nru rear-2.7+dfsg/debian/patches/0003-CVE-2024-23301.patch rear-2.7+dfsg/debian/patches/0003-CVE-2024-23301.patch
--- rear-2.7+dfsg/debian/patches/0003-CVE-2024-23301.patch 1970-01-01 00:00:00.000000000 +0000
+++ rear-2.7+dfsg/debian/patches/0003-CVE-2024-23301.patch 2025-12-02 12:36:08.000000000 +0000
@@ -0,0 +1,21 @@
+Description: Fix CVE-2024-23301 (initrd world-readable when GRUB_RESCUE=y)
+Origin: upstream
+Bug: https://security-tracker.debian.org/tracker/CVE-2024-23301
+Forwarded: no
+Author: Karsten Schöke
+Last-Update: 2025-12-02
+
+--- rear-2.7+dfsg.orig/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
++++ rear-2.7+dfsg/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+@@ -125,4 +125,11 @@ case "$REAR_INITRD_COMPRESSION" in
+ fi
+ ;;
+ esac
++
++# Only root should be allowed to access the initrd
++# because the ReaR recovery system can contain secrets
++# cf. https://github.com/rear/rear/issues/3122
++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
++
+ popd >/dev/null
++
diff -Nru rear-2.7+dfsg/debian/patches/series rear-2.7+dfsg/debian/patches/series
--- rear-2.7+dfsg/debian/patches/series 2023-01-11 14:33:42.000000000 +0000
+++ rear-2.7+dfsg/debian/patches/series 2025-12-02 12:36:08.000000000 +0000
@@ -1,2 +1,3 @@
 0001-Fix-lintian-error.patch
 0002-Disable-Web-fonts-used-by-the-default-stylesheet.patch
+0003-CVE-2024-23301.patch
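Review bot: The `chmod 0600` added after the `esac` in 900_create_initramfs.sh only tightens the working copy under `$TMP_DIR`, while the world-readable file the changelog names is the one GRUB_RESCUE=y installs into the boot directory; unless that later install step (not in this patch) preserves the mode or re-applies it at the destination, the CVE is not closed by this hunk alone and that step should be checked. The initrd also exists with umask-derived permissions from the moment the compressor writes it until this line runs, so if `$TMP_DIR` is not itself root-only, a `umask 077` before the `case "$REAR_INITRD_COMPRESSION"` block would remove that window. A failed `chmod` is silently ignored by the `test -s … && chmod …` form; `chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" || Error "Could not restrict permissions of $TMP_DIR/$REAR_INITRD_FILENAME"` would abort the run rather than ship an unprotected image. The DEP-3 header says `Origin: upstream` without an upstream commit URL while naming the Debian maintainer as Author; citing the upstream commit (or dropping one of the two) would make the provenance verifiable. The rest of the script, including the copy to the boot directory, lies outside the hunk.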