Commit
sys-boot/grub: backport fix for CVE-2021-3981
Bug: https://bugs.gentoo.org/835082
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Showing 2 changed files with 42 additions and 0 deletions.
sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch (41 additions, 0 deletions)
@@ -0,0 +1,41 @@ | ||
From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 | ||
From: Michael Chang <mchang@suse.com> | ||
Date: Fri, 3 Dec 2021 16:13:28 +0800 | ||
Subject: grub-mkconfig: Restore umask for the grub.cfg | ||
|
||
The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating | ||
configuration by grub-mkconfig) has inadvertently discarded umask for | ||
creating grub.cfg in the process of running grub-mkconfig. The resulting | ||
wrong permission (0644) would allow unprivileged users to read GRUB | ||
configuration file content. This presents a low confidentiality risk | ||
as grub.cfg may contain non-secured plain-text passwords. | ||
|
||
This patch restores the missing umask and sets the creation file mode | ||
to 0600 preventing unprivileged access. | ||
|
||
Fixes: CVE-2021-3981 | ||
|
||
Signed-off-by: Michael Chang <mchang@suse.com> | ||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
--- | ||
util/grub-mkconfig.in | 3 +++ | ||
1 file changed, 3 insertions(+) | ||
|
||
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in | ||
index c3ea761..62335d0 100644 | ||
--- a/util/grub-mkconfig.in | ||
+++ b/util/grub-mkconfig.in | ||
@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with | ||
exit 1 | ||
else | ||
# none of the children aborted with error, install the new grub.cfg | ||
+ oldumask=$(umask) | ||
+ umask 077 | ||
cat ${grub_cfg}.new > ${grub_cfg} | ||
+ umask $oldumask | ||
rm -f ${grub_cfg}.new | ||
fi | ||
fi | ||
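Review bot: the `umask 077` around `cat ${grub_cfg}.new > ${grub_cfg}` only affects the mode of a file that `cat` has to create; when `${grub_cfg}` already exists, the `>` redirection truncates it and keeps whatever mode it already has, so a grub.cfg left at 0644 by a run of the unpatched script stays world-readable after the next grub-mkconfig. Consider following the `cat` with an explicit `chmod 600 ${grub_cfg}` (which also follows the symlink case this code path was introduced for), or at least documenting that the mode of an existing grub.cfg has to be corrected by hand. Minor: `${grub_cfg}` is unquoted in the redirections, unlike the quoted uses elsewhere in the script.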
-- | ||
cgit v1.1 | ||
|
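Review bot: the summary above counts 2 changed files, but only the added patch file is shown; the ebuild change that is expected to apply sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch is not visible here, so this page alone does not confirm that the backport is wired into the build.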
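The patch above relies on umask, which only governs the mode of files that are newly created. The following POSIX shell script is an added example, not code from GRUB or from the Gentoo ebuild: it reproduces the patched install step as a function and shows on a scratch directory that a freshly created grub.cfg comes out 0600, that a grub.cfg already left at 0644 by an unpatched run keeps that mode, and what an explicit follow-up check (the hypothetical `harden_cfg` function, an assumption of this example) would do about it. The grub.cfg.new content is constructed sample text.

```shell
#!/bin/sh
# Added example (not GRUB's or Gentoo's own code): umask 077 protects a
# grub.cfg that cat has to create, but '>' on an existing file keeps the
# file's current mode, so an already world-readable grub.cfg stays that way.
set -eu

# The three-line install step from the patched grub-mkconfig, as a function.
# $1 = staged grub.cfg.new, $2 = final grub.cfg
install_cfg() {
    oldumask=$(umask)
    umask 077
    cat "$1" > "$2"
    umask "$oldumask"
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Hypothetical post-install check (assumption of this example, not part of
# GRUB): drop group/other access on grub.cfg, which may hold password lines.
harden_cfg() {
    case "$(mode_of "$1")" in
        [0-7]00) ;;              # already owner-only
        *) chmod 600 "$1" ;;
    esac
}

# Scratch directory holding a constructed grub.cfg.new (sample text only).
scratch() {
    d=$(mktemp -d)
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.CONSTRUCTED-SAMPLE' \
        > "$d/grub.cfg.new"
    echo "$d"
}

# Case 1: no grub.cfg yet. Despite the caller's usual umask 022, the
# install step creates it with mode 600.
fresh_case() {
    d=$(scratch)
    umask 022
    install_cfg "$d/grub.cfg.new" "$d/grub.cfg"
    m=$(mode_of "$d/grub.cfg")
    rm -rf "$d"
    echo "$m"
}

# Case 2: grub.cfg already exists as 0644 (e.g. written by an unpatched
# grub-mkconfig). The same install step leaves it at 644.
stale_case() {
    d=$(scratch)
    umask 022
    : > "$d/grub.cfg"
    chmod 644 "$d/grub.cfg"
    install_cfg "$d/grub.cfg.new" "$d/grub.cfg"
    m=$(mode_of "$d/grub.cfg")
    rm -rf "$d"
    echo "$m"
}

# Case 3: the stale file after the explicit check, which chmods it to 600.
remediated_case() {
    d=$(scratch)
    umask 022
    : > "$d/grub.cfg"
    chmod 644 "$d/grub.cfg"
    install_cfg "$d/grub.cfg.new" "$d/grub.cfg"
    harden_cfg "$d/grub.cfg"
    m=$(mode_of "$d/grub.cfg")
    rm -rf "$d"
    echo "$m"
}

printf 'fresh: %s\nstale: %s\nremediated: %s\n' \
    "$(fresh_case)" "$(stale_case)" "$(remediated_case)"
```

Run as `sh grub-umask-demo.sh`; the first and third values are 600 and the second is 644, which is the gap the umask-only fix leaves for systems that generated grub.cfg before the patch was applied.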