diff mbox series

[1/2] boot/grub2: add patch to fix CVE-2021-3981

Message ID 20220920212921.732287-1-thomas.petazzoni@bootlin.com
State Accepted
Headers show
Series [1/2] boot/grub2: add patch to fix CVE-2021-3981 | expand

Commit Message

Thomas Petazzoni Sept. 20, 2022, 9:29 p.m. UTC 
This commit backports an upstream commit that fixes CVE-2021-3981.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...onfig-Restore-umask-for-the-grub.cfg.patch | 43 +++++++++++++++++++
 boot/grub2/grub2.mk                           |  2 +
 2 files changed, 45 insertions(+)
 create mode 100644 boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch

Comments

Thomas Petazzoni Oct. 25, 2022, 9:06 p.m. UTC | #1 
On Tue, 20 Sep 2022 23:29:19 +0200
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> This commit backports an upstream commit that fixes CVE-2021-3981.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  ...onfig-Restore-umask-for-the-grub.cfg.patch | 43 +++++++++++++++++++
>  boot/grub2/grub2.mk                           |  2 +
>  2 files changed, 45 insertions(+)
>  create mode 100644 boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch

Both applied, thanks!

Thomas
Peter Korsgaard Nov. 5, 2022, 4:44 p.m. UTC | #2 
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > This commit backports an upstream commit that fixes CVE-2021-3981.
 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2022.08.x, thanks.

It doesn't apply to 2022.02.x as the code is different (uses mv), so it
is presumably not affected.
diff mbox series

Patch

diff --git a/boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
new file mode 100644
index 0000000000..0d6a1a6e01
--- /dev/null
+++ b/boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,43 @@ 
+From 8418defaf0902bdd8af188221ae54c5a3d6ad05d Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index f8cbb8d7a..84f356ea4 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -300,7 +300,10 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
++    oldumask=$(umask)
++    umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
++    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
+-- 
+2.37.2
+
diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 4e7e0fa898..f04be05227 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -30,6 +30,8 @@  GRUB2_IGNORE_CVES += CVE-2019-14865
 # grub_linuxefi_secure_validate() is not implemented in the grub2
 # version available in Buildroot.
 GRUB2_IGNORE_CVES += CVE-2020-15705
+# 0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
+GRUB2_IGNORE_CVES += CVE-2021-3981
 
 ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
 GRUB2_INSTALL_TARGET = YES