| From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 |
| From: Michael Chang <mchang@suse.com> |
| Date: Fri, 3 Dec 2021 16:13:28 +0800 |
| Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg |
| |
| The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating |
| configuration by grub-mkconfig) has inadvertently discarded umask for |
| creating grub.cfg in the process of running grub-mkconfig. The resulting |
| wrong permission (0644) would allow unprivileged users to read GRUB |
| configuration file content. This presents a low confidentiality risk |
| as grub.cfg may contain non-secured plain-text passwords. |
| |
| This patch restores the missing umask and sets the creation file mode |
| to 0600 preventing unprivileged access. |
| |
| Fixes: CVE-2021-3981 |
| |
| Signed-off-by: Michael Chang <mchang@suse.com> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| |
| Upstream-Status: Backport |
| CVE: CVE-2021-3981 |
| |
| Reference to upstream patch: |
| https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4 |
| |
| Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> |
| --- |
| util/grub-mkconfig.in | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in |
| index c3ea7612e..62335d027 100644 |
| --- a/util/grub-mkconfig.in |
| +++ b/util/grub-mkconfig.in |
| @@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with |
| exit 1 |
| else |
| # none of the children aborted with error, install the new grub.cfg |
| + oldumask=$(umask) |
| + umask 077 |
| cat ${grub_cfg}.new > ${grub_cfg} |
| + umask $oldumask |
| rm -f ${grub_cfg}.new |
| fi |
| fi |
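Review bot: the `umask 077` placed around `cat ${grub_cfg}.new > ${grub_cfg}` only affects the mode when the redirection creates grub.cfg; if the file already exists, for instance a 0644 copy written while the regression was present, the redirection truncates it in place and the old mode is kept, so the file stays readable by unprivileged users after this fix is applied. Consider following the `cat` with an explicit mode change on `${grub_cfg}` (for example `chmod 600`), or stating in the commit message that existing files must be re-permissioned by the administrator or the package upgrade script.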
| -- |
| 2.31.1 |
| |