Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sys-boot/grub: Fix for CVE-2021-3981 #27288

Closed
wants to merge 1 commit into from
Closed

sys-boot/grub: Fix for CVE-2021-3981 #27288

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
9 changes: 0 additions & 9 deletions sys-boot/grub/files/gfxpayload.patch
View file
Open in desktop
Expand Up @@ -5,12 +5,6 @@ Subject: [PATCH] 10_linux: Default gfxpayload=keep only when booting using efi

vesafb seems to be unreliable when using BIOS compat mode.

---
util/grub.d/10_linux.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index d2e2a8f..a54b888 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -104,7 +104,9 @@ linux_entry ()
Expand All @@ -24,6 +18,3 @@ index d2e2a8f..a54b888 100644
fi
else
if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then
--
2.7.2

9 changes: 0 additions & 9 deletions sys-boot/grub/files/grub-2.02_beta2-KERNEL_GLOBS.patch
View file
Open in desktop
Expand Up @@ -7,13 +7,6 @@ Subject: [PATCH] GRUB_LINUX_KERNEL_GLOBS: configurable kernel selection
* docs/grub.texi: Document GRUB_LINUX_KERNEL_GLOBS

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
docs/grub.texi | 5 +++++
util/grub.d/10_linux.in | 21 +++++++++++----------
2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 9a25a0b..d1129ec 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -1490,6 +1490,11 @@ This option may be set to a list of GRUB module names separated by spaces.
Expand All @@ -28,8 +21,6 @@ index 9a25a0b..d1129ec 100644
@end table

The following options are still accepted for compatibility with existing
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 859b608..e5ac11d 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -145,18 +145,19 @@ EOF
Expand Down
6 changes: 0 additions & 6 deletions sys-boot/grub/files/grub-2.06-binutils-2.36.patch
View file
Open in desktop
Expand Up @@ -13,12 +13,6 @@ by default. Use the assmbler option -mx86-used-note=no to disable the
section from being generated to workaround the ensuing linker issue.

Signed-off-by: Michael Chang <mchang@suse.com>
---
configure.ac | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/configure.ac b/configure.ac
index fa8f74bb9..38ee5f579 100644
--- a/configure.ac
+++ b/configure.ac
@@ -836,6 +836,20 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p
Expand Down
34 changes: 34 additions & 0 deletions sys-boot/grub/files/grub-2.06-restore-umask.patch
View file
Open in desktop
@@ -0,0 +1,34 @@
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 3 Dec 2021 16:13:28 +0800
Subject: grub-mkconfig: Restore umask for the grub.cfg

The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
configuration by grub-mkconfig) has inadvertently discarded umask for
creating grub.cfg in the process of running grub-mkconfig. The resulting
wrong permission (0644) would allow unprivileged users to read GRUB
configuration file content. This presents a low confidentiality risk
as grub.cfg may contain non-secured plain-text passwords.

This patch restores the missing umask and sets the creation file mode
to 0600 preventing unprivileged access.

Fixes: CVE-2021-3981

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
+ oldumask=$(umask)
+ umask 077
cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
rm -f ${grub_cfg}.new
fi
fi
cgit v1.1
9 changes: 0 additions & 9 deletions sys-boot/grub/files/grub-2.06-test-words.patch
View file
Open in desktop
Expand Up @@ -3,12 +3,6 @@ From: Mike Gilbert <floppym@gentoo.org>
Date: Sun, 14 Mar 2021 12:44:52 -0400
Subject: [PATCH] Use /usr/share/dict/words as a 'compressible' file

---
tests/util/grub-fs-tester.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index bfc425e1f..efd2977b0 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -265,7 +265,7 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
Expand All @@ -20,6 +14,3 @@ index bfc425e1f..efd2977b0 100644
if test -f "$cand" ; then
CFILESRC="$cand"
break
--
2.31.0.rc1

8 changes: 0 additions & 8 deletions sys-boot/grub/files/grub-2.06-xfs-v4.patch
View file
Open in desktop
Expand Up @@ -75,12 +75,6 @@ Fixes: 8b1e5d193 (fs/xfs: Add bigtime incompat feature support)
Signed-off-by: Erwan Velu <e.velu@criteo.com>
Tested-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/xfs.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 0f524c3a8..e3816d1ec 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -192,6 +192,11 @@ struct grub_xfs_time_legacy
Expand Down Expand Up @@ -115,6 +109,4 @@ index 0f524c3a8..e3816d1ec 100644

struct grub_xfs_dirblock_tail
{
--
cgit v1.2.1