rpms/grub2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2021-3981 (Incorrect read permission in grub.cfg)

Browse Source 
Resolves: rhbz#2030724
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2022-02-02 16:26:38 +00:00
parent 161ae8daaf
commit 6bb9a7593b
3 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
0224-grub-mkconfig-restore-umask-for-grub.cfg.patch Normal file
View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
Date: Fri, 3 Dec 2021 16:13:28 +0800
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
Since commit:
ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
by grub-mkconfig
has inadvertently discarded umask for creating grub.cfg in the process
of grub-mkconfig. The resulting wrong permission (0644) would allow
unprivileged users to read grub's configuration file content. This
presents a low confidentiality risk as grub.cfg may contain non-secured
plain-text passwords.
This patch restores the missing umask and set the file mode of creation
to 0600 preventing unprivileged access.
Fixes: CVE-2021-3981
Signed-off-by: Michael Chang <mchang@suse.com>
(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766)
---
util/grub-mkconfig.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index f55339a3f64..520a672cd2c 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
+ oldumask=$(umask); umask 077
cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
rm -f ${grub_cfg}.new
fi
fi

1
grub.patches
View File

@ -221,3 +221,4 @@ Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
Patch0222: 0222-Print-module-name-on-license-check-failure.patch Patch0222: 0222-Print-module-name-on-license-check-failure.patch
Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
Patch0224: 0224-grub-mkconfig-restore-umask-for-grub.cfg.patch

6
grub2.spec
View File

@ -14,7 +14,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 16%{?dist} Release: 17%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -547,6 +547,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-17
- CVE-2021-3981 (Incorrect read permission in grub.cfg)
- Resolves: rhbz#2030724
* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16 * Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16
- Stop having this problem and just copy over the beta tree - Stop having this problem and just copy over the beta tree
- Resolves: rhbz#2006784 - Resolves: rhbz#2006784