diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/grub_mkconfig_restore_umask.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/debian/patches/grub_mkconfig_restore_umask.patch b/debian/patches/grub_mkconfig_restore_umask.patch new file mode 100644 index 0000000..bd85cfc --- /dev/null +++ b/debian/patches/grub_mkconfig_restore_umask.patch @@ -0,0 +1,36 @@ +commit 0adec29674561034771c13e446069b41ef41e4d4 +Author: Michael Chang <mchang@suse.com> +Date: Fri Dec 3 16:13:28 2021 +0800 + + grub-mkconfig: Restore umask for the grub.cfg + + The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating + configuration by grub-mkconfig) has inadvertently discarded umask for + creating grub.cfg in the process of running grub-mkconfig. The resulting + wrong permission (0644) would allow unprivileged users to read GRUB + configuration file content. This presents a low confidentiality risk + as grub.cfg may contain non-secured plain-text passwords. + + This patch restores the missing umask and sets the creation file mode + to 0600 preventing unprivileged access. + + Fixes: CVE-2021-3981 + + Signed-off-by: Michael Chang <mchang@suse.com> + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index c3ea7612e..62335d027 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask) ++ umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi |