|
|
@@ -0,0 +1,43 @@
|
|
|
+From 8418defaf0902bdd8af188221ae54c5a3d6ad05d Mon Sep 17 00:00:00 2001
|
|
|
+From: Michael Chang <mchang@suse.com>
|
|
|
+Date: Fri, 3 Dec 2021 16:13:28 +0800
|
|
|
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
|
|
|
+
|
|
|
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
|
|
|
+configuration by grub-mkconfig) has inadvertently discarded umask for
|
|
|
+creating grub.cfg in the process of running grub-mkconfig. The resulting
|
|
|
+wrong permission (0644) would allow unprivileged users to read GRUB
|
|
|
+configuration file content. This presents a low confidentiality risk
|
|
|
+as grub.cfg may contain non-secured plain-text passwords.
|
|
|
+
|
|
|
+This patch restores the missing umask and sets the creation file mode
|
|
|
+to 0600 preventing unprivileged access.
|
|
|
+
|
|
|
+Fixes: CVE-2021-3981
|
|
|
+
|
|
|
+Signed-off-by: Michael Chang <mchang@suse.com>
|
|
|
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
+[Upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4]
|
|
|
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
|
+---
|
|
|
+ util/grub-mkconfig.in | 3 +++
|
|
|
+ 1 file changed, 3 insertions(+)
|
|
|
+
|
|
|
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
|
+index f8cbb8d7a..84f356ea4 100644
|
|
|
+--- a/util/grub-mkconfig.in
|
|
|
++++ b/util/grub-mkconfig.in
|
|
|
+@@ -300,7 +300,10 @@ and /etc/grub.d/* files or please file a bug report with
|
|
|
+ exit 1
|
|
|
+ else
|
|
|
+ # none of the children aborted with error, install the new grub.cfg
|
|
|
++ oldumask=$(umask)
|
|
|
++ umask 077
|
|
|
+ cat ${grub_cfg}.new > ${grub_cfg}
|
|
|
++ umask $oldumask
|
|
|
+ rm -f ${grub_cfg}.new
|
|
|
+ fi
|
|
|
+ fi
|
|
|
+--
|
|
|
+2.37.2
|
|
|
+
|
Thomas Petazzoni