author | Mike Gilbert <floppym@gentoo.org> | 2022-09-16 19:08:57 -0400 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2022-09-16 19:10:00 -0400 |
commit | 012331665f6d5c6f2a48b6619c54f509cd791485 (patch) | |
tree | cab46794cdf55a6d58321cf49ac40a97005832e0 /sys-boot | |
parent | sys-fs/zfs: revbump 2.1.5-r5, add zfs-snapshot-bootfs fixes (diff) | |
sys-boot/grub: backport fix for CVE-2021-3981
Bug: https://bugs.gentoo.org/835082
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'sys-boot')
-rw-r--r-- | sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch | 41 | ||||
-rw-r--r-- | sys-boot/grub/grub-2.06-r3.ebuild (renamed from sys-boot/grub/grub-2.06-r2.ebuild) | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch b/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch
new file mode 100644
index 000000000000..e2a6414ef05b
--- /dev/null
+++ b/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch
@@ -0,0 +1,41 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea761..62335d0 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
+--
+cgit v1.1
+
diff --git a/sys-boot/grub/grub-2.06-r2.ebuild b/sys-boot/grub/grub-2.06-r3.ebuild
index 6373aeeb54b7..3331ce3f9b71 100644
--- a/sys-boot/grub/grub-2.06-r2.ebuild
+++ b/sys-boot/grub/grub-2.06-r3.ebuild
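Review bot: The `umask 077` placed around `cat ${grub_cfg}.new > ${grub_cfg}` only governs the mode of a grub.cfg that does not exist yet; a `>` redirection onto an existing file truncates it and keeps its current mode bits, so a grub.cfg already left at 0644 by an earlier, unpatched run of grub-mkconfig stays world-readable after this backport is installed. If the goal is to close CVE-2021-3981 on existing systems too, follow the write with an explicit tightening such as `chmod 600 "${grub_cfg}"` (chmod dereferences the symlink that ab2e53c8a set out to honor, so the real target is what gets fixed), or at minimum have the ebuild tell users to chmod their existing grub.cfg on upgrade. That chmod may fail or be a no-op when grub.cfg lives on a FAT-formatted ESP, so it should tolerate failure if grub-mkconfig runs under `set -e` — the top of the script is outside this hunk, so I cannot confirm that from here. The enclosing `if`/`else` block begins and ends outside the hunk.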
@@ -57,6 +57,7 @@ PATCHES=(
 "${FILESDIR}"/gfxpayload.patch
 "${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch
 "${FILESDIR}"/grub-2.06-test-words.patch
+ "${FILESDIR}"/grub-2.06-grub-mkconfig-restore-umask.patch
 )
 DEJAVU=dejavu-sans-ttf-2.37 |