Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | 1 | From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael Chang <mchang@suse.com> |
| 3 | Date: Fri, 3 Dec 2021 16:13:28 +0800 |
| 4 | Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg |
| 5 | |
| 6 | The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating |
| 7 | configuration by grub-mkconfig) has inadvertently discarded umask for |
| 8 | creating grub.cfg in the process of running grub-mkconfig. The resulting |
| 9 | wrong permission (0644) would allow unprivileged users to read GRUB |
| 10 | configuration file content. This presents a low confidentiality risk |
| 11 | as grub.cfg may contain non-secured plain-text passwords. |
| 12 | |
| 13 | This patch restores the missing umask and sets the creation file mode |
| 14 | to 0600 preventing unprivileged access. |
| 15 | |
| 16 | Fixes: CVE-2021-3981 |
| 17 | |
| 18 | Signed-off-by: Michael Chang <mchang@suse.com> |
| 19 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 20 | |
| 21 | Upstream-Status: Backport |
| 22 | CVE: CVE-2021-3981 |
| 23 | |
| 24 | Reference to upstream patch: |
| 25 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4 |
| 26 | |
| 27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> |
| 28 | --- |
| 29 | util/grub-mkconfig.in | 3 +++ |
| 30 | 1 file changed, 3 insertions(+) |
| 31 | |
| 32 | diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in |
| 33 | index c3ea7612e..62335d027 100644 |
| 34 | --- a/util/grub-mkconfig.in |
| 35 | +++ b/util/grub-mkconfig.in |
| 36 | @@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with |
| 37 | exit 1 |
| 38 | else |
| 39 | # none of the children aborted with error, install the new grub.cfg |
| 40 | + oldumask=$(umask) |
| 41 | + umask 077 |
| 42 | cat ${grub_cfg}.new > ${grub_cfg} |
| 43 | + umask $oldumask |
| 44 | rm -f ${grub_cfg}.new |
| 45 | fi |
| 46 | fi |
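Review bot: the `umask 077` set before `cat ${grub_cfg}.new > ${grub_cfg}` only governs the mode of a file that the redirection creates, so a grub.cfg that an earlier run of the buggy version already left at 0644 keeps that mode after this hunk: the redirection truncates the existing inode without touching its permissions. If the 0600 stated in the commit message is meant to hold on upgraded systems as well, add an explicit `chmod 600 ${grub_cfg}` after the cat (or say in the commit message that pre-existing files need a manual fix-up). Also worth confirming, since it is outside the hunk: `${grub_cfg}.new` is written earlier in the script, and nothing here shows under which umask that temporary copy is created, so the same content may still sit on disk world-readable until the `rm -f`.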
| 47 | -- |
| 48 | 2.31.1 |
| 49 | |
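The commit message says the restored umask yields a 0600 grub.cfg. The following script, an added example that is not part of the GRUB patch or tree, reproduces the install step from the hunk on a scratch directory and shows the one case it does not cover: a pre-existing, already world-readable config keeps its 0644 mode because umask only applies on file creation. It then shows the variant with an explicit chmod. The function names, the fake config content and the scratch files are all constructed for the demonstration; `stat -c '%a'` (GNU coreutils, with a BSD `stat -f` fallback) is assumed for reading the mode.

```shell
#!/bin/sh
# Added example, not GRUB code: why "umask 077" around the final cat
# protects a freshly created grub.cfg but not one that already exists.
set -eu

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Writes a constructed stand-in for grub.cfg.new (content is fake).
write_new_cfg() {
    printf 'set superusers="root"\npassword root hunter2\n' > "$1.new"
}

# Install step exactly as the patch does it: umask 077 around the
# redirection, then drop the .new file. Prints the resulting mode.
install_with_umask() {
    cfg=$1
    write_new_cfg "$cfg"
    oldumask=$(umask)
    umask 077
    cat "$cfg.new" > "$cfg"
    umask "$oldumask"
    rm -f "$cfg.new"
    file_mode "$cfg"
}

# Hardened variant: same steps plus an explicit chmod, so the mode is
# forced even when the target file already existed with wider permissions.
install_with_chmod() {
    cfg=$1
    write_new_cfg "$cfg"
    oldumask=$(umask)
    umask 077
    cat "$cfg.new" > "$cfg"
    chmod 600 "$cfg"
    umask "$oldumask"
    rm -f "$cfg.new"
    file_mode "$cfg"
}

# Runs three cases in a scratch directory and prints the three modes:
#   1. no existing file          -> umask alone gives 600
#   2. file pre-exists as 0644   -> umask alone leaves 644 (the gap)
#   3. same stale file, chmod    -> 600
demo() {
    dir=$(mktemp -d)
    m1=$(install_with_umask "$dir/fresh.cfg")
    : > "$dir/stale.cfg"
    chmod 644 "$dir/stale.cfg"          # what the buggy version left behind
    m2=$(install_with_umask "$dir/stale.cfg")
    m3=$(install_with_chmod "$dir/stale.cfg")
    rm -rf "$dir"
    echo "$m1 $m2 $m3"
}

demo
```

Case 2 is the one a reviewer of the hunk should keep in mind: on a system that already ran the affected grub-mkconfig, regenerating the configuration with the patched script leaves the old 0644 mode in place, so the file has to be fixed up explicitly.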