From ca67b09c015d4af3ae3cce12aa72e60941dbb8b5 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 18:29:52 +0200
Subject: Adding debian version 2.06-13+deb12u1.

Signed-off-by: Daniel Baumann
---
debian/patches/grub_mkconfig_restore_umask.patch | 36 ++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 debian/patches/grub_mkconfig_restore_umask.patch

(limited to 'debian/patches/grub_mkconfig_restore_umask.patch')

diff --git a/debian/patches/grub_mkconfig_restore_umask.patch b/debian/patches/grub_mkconfig_restore_umask.patch
new file mode 100644
index 0000000..bd85cfc
--- /dev/null
+++ b/debian/patches/grub_mkconfig_restore_umask.patch
@@ -0,0 +1,36 @@
+commit 0adec29674561034771c13e446069b41ef41e4d4
+Author: Michael Chang
+Date: Fri Dec 3 16:13:28 2021 +0800
+
+ grub-mkconfig: Restore umask for the grub.cfg
+
+ The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+ configuration by grub-mkconfig) has inadvertently discarded umask for
+ creating grub.cfg in the process of running grub-mkconfig. The resulting
+ wrong permission (0644) would allow unprivileged users to read GRUB
+ configuration file content. This presents a low confidentiality risk
+ as grub.cfg may contain non-secured plain-text passwords.
+
+ This patch restores the missing umask and sets the creation file mode
+ to 0600 preventing unprivileged access.
+
+ Fixes: CVE-2021-3981
+
+ Signed-off-by: Michael Chang
+ Reviewed-by: Daniel Kiper
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
--
cgit v1.2.3
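Review bot: The `umask 077` added around `cat ${grub_cfg}.new > ${grub_cfg}` only governs the mode of a file that the redirection creates; when grub.cfg already exists, `>` truncates it in place and its existing mode (0644 on hosts that last ran the affected grub-mkconfig) is left untouched, so the CVE-2021-3981 exposure persists on such hosts until the file is recreated. If the intent is that every regenerated grub.cfg ends up 0600, an explicit `chmod 0600 -- "${grub_cfg}"` after the `cat` (which follows the symlink the commit message says this path honors) would cover the pre-existing file, though it would presumably need to tolerate targets on filesystems without POSIX modes; otherwise the limitation is worth a comment in the patch header. As a point of style, running the copy in a subshell, `( umask 077; cat ${grub_cfg}.new > ${grub_cfg} )`, would avoid the save/restore pair and the unquoted `$oldumask`. The enclosing `if`/`else` of grub-mkconfig.in begins outside this hunk.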