grub2/0222-grub-mkconfig-restore-umask-for-grub.cfg.patch
Robbie Harwood c06457c638 CVE fixes for 2022-05-24
Resolves: CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
Resolves: CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 13:59:49 -04:00

42 lines
1.4 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
Date: Fri, 3 Dec 2021 16:13:28 +0800
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
Since commit:
ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
by grub-mkconfig
has inadvertently discarded umask for creating grub.cfg in the process
of grub-mkconfig. The resulting wrong permission (0644) would allow
unprivileged users to read grub's configuration file content. This
presents a low confidentiality risk as grub.cfg may contain non-secured
plain-text passwords.
This patch restores the missing umask and set the file mode of creation
to 0600 preventing unprivileged access.
Fixes: CVE-2021-3981
Signed-off-by: Michael Chang <mchang@suse.com>
(cherry picked from commit 3ea051e59e9c0cd79eac7f2e1563606e1e31a530)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
util/grub-mkconfig.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index f55339a3f6..520a672cd2 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
+ oldumask=$(umask); umask 077
cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
rm -f ${grub_cfg}.new
fi
fi