import grub2-2.06-23.el9
This commit is contained in:
parent
c36e7cc679
commit
dcbd1694a5
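--- a/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
+++ b/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Chang via Grub-devel <grub-devel@gnu.org>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
+
+Since commit:
+
+ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
+by grub-mkconfig
+
+has inadvertently discarded umask for creating grub.cfg in the process
+of grub-mkconfig. The resulting wrong permission (0644) would allow
+unprivileged users to read grub's configuration file content. This
+presents a low confidentiality risk as grub.cfg may contain non-secured
+plain-text passwords.
+
+This patch restores the missing umask and set the file mode of creation
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766)
+---
+util/grub-mkconfig.in | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index f55339a3f64..520a672cd2c 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
+exit 1
+else
+# none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask); umask 077
+cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+rm -f ${grub_cfg}.new
+fi
+fi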
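Review bot: The `umask 077` the embedded patch wraps around `cat ${grub_cfg}.new > ${grub_cfg}` only governs the mode of a file the redirection has to create; when `${grub_cfg}` already exists, `>` truncates it in place and its current mode is kept, so a grub.cfg left at 0644 by a run of the earlier code is not tightened by this change. An explicit `chmod 600 ${grub_cfg}` after the `cat` would close that gap, and since chmod follows symlinks it still fits the symlink-honoring intent of commit ab2e53c8a cited in the description. The expansions stay unquoted as in the surrounding script; `umask "$oldumask"` would be the safer form even though the value is a mode string here. The `if`/`else` this hunk sits in starts before the hunk in util/grub-mkconfig.in.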
@ -40,14 +40,17 @@ if [[ $DISABLE_BLS = "true" ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -f /etc/default/grub ] && . /etc/default/grub
|
||||
if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then
|
||||
RUN_MKCONFIG=true
|
||||
fi
|
||||
|
||||
# A traditional grub configuration file needs to be generated only in the case when
|
||||
# the bootloaders are not capable of populating a menu entry from the BLS fragments.
|
||||
if [[ $RUN_MKCONFIG != "true" ]]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
[[ -f /etc/default/grub ]] && . /etc/default/grub
|
||||
|
||||
COMMAND="$1"
|
||||
|
||||
case "$COMMAND" in
|
||||
|
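Review bot: On the new side of this hunk `/etc/default/grub` is sourced twice, once as `[ -f /etc/default/grub ] && . /etc/default/grub` right before the `GRUB_ENABLE_BLSCFG` test and again as `[[ -f /etc/default/grub ]] && . /etc/default/grub` after the early `exit 0`; the `+`/`-` markers are lost on this page so I cannot tell which of the two the commit adds, but one sourcing is enough and the rest of the script uses the `[[ … ]]` form (`if [[ $DISABLE_BLS = "true" ]]`, `if [[ $RUN_MKCONFIG != "true" ]]`). The new test `if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then` would read consistently as `if [[ "$GRUB_ENABLE_BLSCFG" == "false" ]]; then`. The file header for this section is not shown on the page, and the script continues past the hunk's `case "$COMMAND" in`.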
68
SOURCES/grub.macros
Normal file → Executable file
68
SOURCES/grub.macros
Normal file → Executable file
@ -68,7 +68,6 @@
|
||||
%global efi_target_ldflags %{expand:%%(echo %{target_ldflags})}
|
||||
|
||||
%global with_efi_arch 0
|
||||
%global with_alt_efi_arch 0
|
||||
%global with_legacy_arch 0
|
||||
%global with_emu_arch 1
|
||||
%global emuarch %{_arch}
|
||||
@ -154,19 +153,6 @@
|
||||
%global legacy_target_cpu_name i386
|
||||
%global legacy_package_arch pc
|
||||
%global platform pc
|
||||
|
||||
%global alt_efi_arch ia32
|
||||
%global alt_target_cpu_name i386
|
||||
%global alt_grub_target_name i386-efi
|
||||
%global alt_platform efi
|
||||
%global alt_package_arch efi-ia32
|
||||
|
||||
%global alt_efi_host_cflags %{expand:%%(echo %{efi_host_cflags})}
|
||||
%global alt_efi_target_cflags \\\
|
||||
%{expand:%%(echo %{target_cflags} | \\\
|
||||
%{cflags_sed} \\\
|
||||
-e 's/-m64//g' \\\
|
||||
)}
|
||||
%endif
|
||||
|
||||
%ifarch aarch64
|
||||
@ -200,7 +186,6 @@
|
||||
%endif
|
||||
|
||||
%global _target_platform %{target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
|
||||
%global _alt_target_platform %{alt_target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
|
||||
|
||||
%ifarch %{efi_arch}
|
||||
%global with_efi_arch 1
|
||||
@ -216,13 +201,6 @@
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if 0%{?alt_efi_arch:1}
|
||||
%global with_alt_efi_arch 1
|
||||
%global grubaltefiname grub%{alt_efi_arch}.efi
|
||||
%global grubalteficdname gcd%{alt_efi_arch}.efi
|
||||
%global grubaltefiarch %{alt_target_cpu_name}-efi
|
||||
%endif
|
||||
|
||||
%ifnarch %{efi_only}
|
||||
%global with_legacy_arch 1
|
||||
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
|
||||
@ -416,11 +394,8 @@ rm -f %{1}.conf \
|
||||
${GRUB_MODULES} \
|
||||
%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
|
||||
%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
|
||||
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{expand:%%define __pesign_client_cert %{name}-signer} \
|
||||
%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
|
||||
%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
|
||||
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{nil}
|
||||
%else
|
||||
%define efi_mkimage() \
|
||||
@ -438,7 +413,7 @@ rm -f %{1}.conf \
|
||||
APPENDED_SIG_SIZE=0 \
|
||||
if [ -x /usr/bin/rpm-sign ]; then \
|
||||
touch empty.unsigned \
|
||||
rpm-sign --key %{5} \\\
|
||||
rpm-sign --key %{4} \\\
|
||||
--lkmsign empty.unsigned \\\
|
||||
--output empty.signed \
|
||||
APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
|
||||
@ -447,12 +422,12 @@ fi \
|
||||
# FIXME: using this prefix is fragile, must be done properly \
|
||||
./grub-mkimage -O %{1} -o %{2}.orig \\\
|
||||
-p '/grub2' -d grub-core \\\
|
||||
-x %{3} -x %{4} \\\
|
||||
-x %{3} \\\
|
||||
--appended-signature-size ${APPENDED_SIG_SIZE} \\\
|
||||
${GRUB_MODULES} \
|
||||
if [ -x /usr/bin/rpm-sign ]; then \
|
||||
truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
|
||||
rpm-sign --key %{5} \\\
|
||||
rpm-sign --key %{4} \\\
|
||||
--lkmsign %{2}.orig \\\
|
||||
--output %{2} \
|
||||
else \
|
||||
@ -472,7 +447,7 @@ GRUB_MODULES+=%{platform_modules} \
|
||||
GRUB_MODULES+=%{grub_modules} \
|
||||
GRUB_MODULES+=%{platform_modules} \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \
|
||||
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}} \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
@ -484,15 +459,6 @@ cd grub-%{1}-%{tarversion} \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
%define do_alt_efi_build() \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
%{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \
|
||||
%do_efi_build_modules \
|
||||
%{expand:%%do_efi_link_utils %{grubefiarch}} \
|
||||
%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
%define do_legacy_build() \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
%configure \\\
|
||||
@ -534,26 +500,6 @@ make %{?_smp_mflags} -C grub-core \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
%define do_alt_efi_install() \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
install -d -m 755 $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \
|
||||
find . '(' -iname gdb_grub \\\
|
||||
-o -iname kernel.exec \\\
|
||||
-o -iname kernel.img \\\
|
||||
-o -iname config.h \\\
|
||||
-o -iname gmodule.pl \\\
|
||||
-o -iname modinfo.sh \\\
|
||||
-o -iname '*.lst' \\\
|
||||
-o -iname '*.mod' \\\
|
||||
')' \\\
|
||||
-exec cp {} $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \\\; \
|
||||
find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \
|
||||
install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \
|
||||
install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \
|
||||
%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
%define do_efi_install() \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
make DESTDIR=$RPM_BUILD_ROOT install \
|
||||
@ -595,7 +541,7 @@ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \
|
||||
mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\
|
||||
$RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \
|
||||
fi \
|
||||
if [ %{3} -eq 0 ]; then \
|
||||
if [ %{2} -eq 0 ]; then \
|
||||
${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
|
||||
${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \
|
||||
fi \
|
||||
|
@ -221,3 +221,4 @@ Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
|
||||
Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
|
||||
Patch0222: 0222-Print-module-name-on-license-check-failure.patch
|
||||
Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
|
||||
Patch0224: 0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -14,7 +14,7 @@
|
||||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.06
|
||||
Release: 16%{?dist}
|
||||
Release: 23%{?dist}
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
License: GPLv3+
|
||||
URL: http://www.gnu.org/software/grub/
|
||||
@ -32,29 +32,27 @@ Source9: strtoull_test.c
|
||||
Source10: 20-grub.install
|
||||
Source11: grub.patches
|
||||
Source12: sbat.csv.in
|
||||
Source13: redhatsecurebootca3.cer
|
||||
Source14: redhatsecureboot301.cer
|
||||
Source15: redhatsecurebootca5.cer
|
||||
Source16: redhatsecureboot502.cer
|
||||
Source17: redhatsecureboot303.cer
|
||||
Source18: redhatsecureboot601.cer
|
||||
|
||||
%include %{SOURCE1}
|
||||
|
||||
%if 0%{with_efi_arch}
|
||||
%define old_sb_ca %{SOURCE13}
|
||||
%define old_sb_cer %{SOURCE14}
|
||||
%define old_sb_key redhatsecureboot301
|
||||
%define sb_ca %{SOURCE15}
|
||||
%define sb_cer %{SOURCE16}
|
||||
%define sb_key redhatsecureboot502
|
||||
%ifarch x86_64 aarch64 ppc64le
|
||||
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
|
||||
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
|
||||
%endif
|
||||
|
||||
%if 0%{?centos}
|
||||
%ifarch x86_64 aarch64 ppc64le
|
||||
%define sb_key centossecureboot202
|
||||
%endif
|
||||
%else
|
||||
%ifarch x86_64 aarch64
|
||||
%define sb_key redhatsecureboot502
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define old_sb_cer %{SOURCE17}
|
||||
%define sb_cer %{SOURCE18}
|
||||
%define sb_key redhatsecureboot602
|
||||
%endif
|
||||
%endif
|
||||
|
||||
|
||||
BuildRequires: gcc efi-srpm-macros
|
||||
BuildRequires: flex bison binutils python3
|
||||
@ -72,6 +70,9 @@ BuildRequires: systemd
|
||||
%ifarch %{efi_arch}
|
||||
BuildRequires: pesign >= 0.99-8
|
||||
%endif
|
||||
%ifarch aarch64 ppc64le x86_64
|
||||
BuildRequires: system-sb-certs
|
||||
%endif
|
||||
%if %{?_with_ccache: 1}%{?!_with_ccache: 0}
|
||||
BuildRequires: ccache
|
||||
%endif
|
||||
@ -156,9 +157,6 @@ This subpackage provides tools for support of all platforms.
|
||||
%if 0%{with_efi_arch}
|
||||
%{expand:%define_efi_variant %%{package_arch} -o}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
%{expand:%define_efi_variant %%{alt_package_arch}}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
%{expand:%define_legacy_variant %%{legacy_package_arch}}
|
||||
%endif
|
||||
@ -191,12 +189,6 @@ sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{relea
|
||||
%{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
|
||||
git add grub-%{grubefiarch}-%{tarversion}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
mkdir grub-%{grubaltefiarch}-%{tarversion}
|
||||
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubaltefiarch}-%{tarversion}/.gitignore
|
||||
cp %{SOURCE4} grub-%{grubaltefiarch}-%{tarversion}/unifont.pcf.gz
|
||||
git add grub-%{grubaltefiarch}-%{tarversion}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
mkdir grub-%{grublegacyarch}-%{tarversion}
|
||||
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grublegacyarch}-%{tarversion}/.gitignore
|
||||
@ -213,10 +205,7 @@ git commit -m "After making subdirs"
|
||||
|
||||
%build
|
||||
%if 0%{with_efi_arch}
|
||||
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
|
||||
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
%{expand:%do_legacy_build %%{grublegacyarch}}
|
||||
@ -225,7 +214,7 @@ git commit -m "After making subdirs"
|
||||
%{expand:%do_emu_build}
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
|
||||
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
|
||||
docs/grub-dev.texi
|
||||
@ -244,11 +233,8 @@ rm -fr $RPM_BUILD_ROOT
|
||||
%if 0%{with_efi_arch}
|
||||
%{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
%{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
%{expand:%do_legacy_install %%{grublegacyarch} %%{alt_grub_target_name} 0%{with_efi_arch}}
|
||||
%{expand:%do_legacy_install %%{grublegacyarch} 0%{with_efi_arch}}
|
||||
%endif
|
||||
%if 0%{with_emu_arch}
|
||||
%{expand:%do_emu_install %%{package_arch}}
|
||||
@ -529,9 +515,6 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
||||
%if 0%{with_efi_arch}
|
||||
%{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
%{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
%{expand:%define_legacy_variant_files %%{legacy_package_arch} %%{grublegacyarch}}
|
||||
%endif
|
||||
@ -547,7 +530,35 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16
|
||||
* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-23
|
||||
- Re-arm GRUB_ENABLE_BLSCFG=false
|
||||
- Resolves: #2018331
|
||||
|
||||
* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-22
|
||||
- Stop building unsupported 32-bit UEFI stuff
|
||||
- Resolves: #2038401
|
||||
|
||||
* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-21
|
||||
- Require Secure Boot certs based on architecture
|
||||
- Resolves: #2049214
|
||||
|
||||
* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-20
|
||||
- Conditionalize Secure Boot settings per architecture
|
||||
- Resolves: #2049214
|
||||
|
||||
* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-19
|
||||
- Attempt to fix ppc64le signing bugs in previous change
|
||||
- Resolves: #2049214
|
||||
|
||||
* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-18
|
||||
- Switch to single-signing and use certs from package (bstinson)
|
||||
- Resolves: #2049214
|
||||
|
||||
* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-17
|
||||
- CVE-2021-3981 (Incorrect read permission in grub.cfg)
|
||||
- Resolves: rhbz#2030724
|
||||
|
||||
* Tue Jan 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-16
|
||||
- Stop having this problem and just copy over the beta tree
|
||||
- Resolves: rhbz#2006784
|
||||
|
||||
|
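Review bot: In the `@ -32,29 +32,27 @@` hunk, `sb_ca`, `sb_cer` and `sb_key` are only `%define`d inside `%ifarch` and `%if 0%{?centos}` branches, so on a build where no branch matches (for example a CentOS build on an arch outside `x86_64 aarch64 ppc64le`) the `%{expand:%do_primary_efi_build … %{sb_ca} %{sb_cer} %{sb_key}}` call in the `@ -213,10 +205,7 @@` hunk hands the unexpanded macro text to the signing step and the failure surfaces far from its cause. A guard after the conditionals, `%if !0%{?sb_key:1}` / `%{error:no Secure Boot signing key defined for %{_arch}}` / `%endif`, would fail the build with a clear message. The three lines I read as added in `@ -72,6 +70,9 @@` (`%ifarch aarch64 ppc64le x86_64` / `BuildRequires: system-sb-certs` / `%endif`) already match the arch list used for the `%{_datadir}/pki/sb-certs` paths, so the key table is the only list that can drift. Which lines of the certificate hunk are old and which are new cannot be told from this page, so treat this as a check against the rendered new side rather than a confirmed defect.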