From f4801c0ebcd8d6952b89fffc6a70685c6724cdd3 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 9 Dec 2021 16:16:08 +0000 Subject: [PATCH] Restore grub.cfg umask (CVE-2021-3981) Resolves: rhbz#2030358 Signed-off-by: Robbie Harwood --- ...-mkconfig-restore-umask-for-grub.cfg.patch | 45 +++++++++++++++++++ grub.patches | 1 + grub2.spec | 6 ++- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 0222-grub-mkconfig-restore-umask-for-grub.cfg.patch diff --git a/0222-grub-mkconfig-restore-umask-for-grub.cfg.patch b/0222-grub-mkconfig-restore-umask-for-grub.cfg.patch new file mode 100644 index 0000000..9f6305d --- /dev/null +++ b/0222-grub-mkconfig-restore-umask-for-grub.cfg.patch @@ -0,0 +1,45 @@ +From 65dc9998b9091c17b92fc41357a3926f937eb261 Mon Sep 17 00:00:00 2001 +From: Michael Chang via Grub-devel +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg + +Since commit: + + ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration +by grub-mkconfig + +has inadvertently discarded umask for creating grub.cfg in the process +of grub-mkconfig. The resulting wrong permission (0644) would allow +unprivileged users to read grub's configuration file content. This +presents a low confidentiality risk as grub.cfg may contain non-secured +plain-text passwords. + +This patch restores the missing umask and set the file mode of creation +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang +(cherry picked from commit 3ea051e59e9c0cd79eac7f2e1563606e1e31a530) +Signed-off-by: Robbie Harwood +--- + util/grub-mkconfig.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index f55339a3f..520a672cd 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask); umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi +-- +2.33.0 + diff --git a/grub.patches b/grub.patches index f474e1f..689876c 100644 --- a/grub.patches +++ b/grub.patches @@ -219,3 +219,4 @@ Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch +Patch0222: 0222-grub-mkconfig-restore-umask-for-grub.cfg.patch diff --git a/grub2.spec b/grub2.spec index 7aa34f2..2b071ac 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -523,6 +523,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Thu Dec 09 2021 Robbie Harwood - 2.06-9 +- Restore grub.cfg umask (CVE-2021-3981) +- Resolves: rhbz#2030358 + * Thu Oct 07 2021 Peter Jones - 2.06-8 - Fix "grub2-mkimage --appended-signature-size" parsing.