diff --git a/backport-CVE-2021-3981-restore-umask-for-the-grub.patch b/backport-CVE-2021-3981-restore-umask-for-the-grub.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2a6414ef05b736844b80d0917c4435f694a2778 --- /dev/null +++ b/backport-CVE-2021-3981-restore-umask-for-the-grub.patch @@ -0,0 +1,41 @@ +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: grub-mkconfig: Restore umask for the grub.cfg + +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating +configuration by grub-mkconfig) has inadvertently discarded umask for +creating grub.cfg in the process of running grub-mkconfig. The resulting +wrong permission (0644) would allow unprivileged users to read GRUB +configuration file content. This presents a low confidentiality risk +as grub.cfg may contain non-secured plain-text passwords. + +This patch restores the missing umask and sets the creation file mode +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang +Reviewed-by: Daniel Kiper +--- + util/grub-mkconfig.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index c3ea761..62335d0 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask) ++ umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi +-- +cgit v1.1 + diff --git a/grub.patches b/grub.patches index 3a8c74c29268458d4e1a8ee8d4bc1705a14a8fb0..f2f68ce6b2589f396ec2dac47423619749cf3d9c 100644 --- a/grub.patches +++ b/grub.patches @@ -358,3 +358,4 @@ Patch0357: support-TPM2.0.patch Patch0358: use-default-timestamp.patch Patch0359: backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch Patch0360: backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch +Patch0361: backport-CVE-2021-3981-restore-umask-for-the-grub.patch diff --git a/grub2.spec b/grub2.spec index 4725173a1a4d8155dac2e5f64ac9e8397e6fe1b1..fc84118f3827a4f57807d75bbb9d19051d914d30 100644 --- a/grub2.spec +++ b/grub2.spec @@ -8,7 +8,7 @@ Name: grub2 Epoch: 1 Version: 2.04 -Release: 24 +Release: 25 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -450,6 +450,12 @@ rm -r /boot/grub2.tmp/ || : %{_datadir}/man/man* %changelog +* Wed Mar 16 2022 xihaochen - 2.04-25 +- Type:CVE +- CVE:CVE-2021-3981 +- SUG:NA +- DESC:Fix CVE-2021-3981 + * Sat Feb 26 2022 yanan - 2.04-24 - Type:bugfix - CVE:NA