From 17a445ed58c9b5128a590e50e85c50ae821f4560 Mon Sep 17 00:00:00 2001 From: xihaochen Date: Wed, 16 Mar 2022 14:19:29 +0800 Subject: [PATCH] Fix CVE-2021-3981 (cherry picked from commit 3c38566f8b71e0c6d9bff0f208c6dee16b58769e) --- ...2021-3981-restore-umask-for-the-grub.patch | 41 +++++++++++++++++++ grub.patches | 1 + grub2.spec | 8 +++- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-3981-restore-umask-for-the-grub.patch diff --git a/backport-CVE-2021-3981-restore-umask-for-the-grub.patch b/backport-CVE-2021-3981-restore-umask-for-the-grub.patch new file mode 100644 index 0000000..e2a6414 --- /dev/null +++ b/backport-CVE-2021-3981-restore-umask-for-the-grub.patch @@ -0,0 +1,41 @@ +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: grub-mkconfig: Restore umask for the grub.cfg + +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating +configuration by grub-mkconfig) has inadvertently discarded umask for +creating grub.cfg in the process of running grub-mkconfig. The resulting +wrong permission (0644) would allow unprivileged users to read GRUB +configuration file content. This presents a low confidentiality risk +as grub.cfg may contain non-secured plain-text passwords. + +This patch restores the missing umask and sets the creation file mode +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang +Reviewed-by: Daniel Kiper +--- + util/grub-mkconfig.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index c3ea761..62335d0 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask) ++ umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi +-- +cgit v1.1 + diff --git a/grub.patches b/grub.patches index 3a8c74c..f2f68ce 100644 --- a/grub.patches +++ b/grub.patches @@ -358,3 +358,4 @@ Patch0357: support-TPM2.0.patch Patch0358: use-default-timestamp.patch Patch0359: backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch Patch0360: backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch +Patch0361: backport-CVE-2021-3981-restore-umask-for-the-grub.patch diff --git a/grub2.spec b/grub2.spec index 4725173..fc84118 100644 --- a/grub2.spec +++ b/grub2.spec @@ -8,7 +8,7 @@ Name: grub2 Epoch: 1 Version: 2.04 -Release: 24 +Release: 25 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -450,6 +450,12 @@ rm -r /boot/grub2.tmp/ || : %{_datadir}/man/man* %changelog +* Wed Mar 16 2022 xihaochen - 2.04-25 +- Type:CVE +- CVE:CVE-2021-3981 +- SUG:NA +- DESC:Fix CVE-2021-3981 + * Sat Feb 26 2022 yanan - 2.04-24 - Type:bugfix - CVE:NA -- Gitee