boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).
So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.
It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.
This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.
All Grub test cases are working fine:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-29 00:43:11 +02:00
|
|
|
From 4c1ad500e73d46c83dec369da85db39ae2fe62dd Mon Sep 17 00:00:00 2001
|
2022-09-20 23:29:19 +02:00
|
|
|
From: Michael Chang <mchang@suse.com>
|
|
|
|
Date: Fri, 3 Dec 2021 16:13:28 +0800
|
|
|
|
Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
|
|
|
|
|
|
|
|
The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
|
|
|
|
configuration by grub-mkconfig) has inadvertently discarded umask for
|
|
|
|
creating grub.cfg in the process of running grub-mkconfig. The resulting
|
|
|
|
wrong permission (0644) would allow unprivileged users to read GRUB
|
|
|
|
configuration file content. This presents a low confidentiality risk
|
|
|
|
as grub.cfg may contain non-secured plain-text passwords.
|
|
|
|
|
|
|
|
This patch restores the missing umask and sets the creation file mode
|
|
|
|
to 0600 preventing unprivileged access.
|
|
|
|
|
|
|
|
Fixes: CVE-2021-3981
|
|
|
|
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).
So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.
It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.
This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.
All Grub test cases are working fine:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-29 00:43:11 +02:00
|
|
|
Upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4
|
2022-09-20 23:29:19 +02:00
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
|
|
---
|
|
|
|
util/grub-mkconfig.in | 3 +++
|
|
|
|
1 file changed, 3 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
|
|
index f8cbb8d7a..84f356ea4 100644
|
|
|
|
--- a/util/grub-mkconfig.in
|
|
|
|
+++ b/util/grub-mkconfig.in
|
|
|
|
@@ -300,7 +300,10 @@ and /etc/grub.d/* files or please file a bug report with
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
# none of the children aborted with error, install the new grub.cfg
|
|
|
|
+ oldumask=$(umask)
|
|
|
|
+ umask 077
|
|
|
|
cat ${grub_cfg}.new > ${grub_cfg}
|
|
|
|
+ umask $oldumask
|
|
|
|
rm -f ${grub_cfg}.new
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
--
|
boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).
So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.
It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.
This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.
All Grub test cases are working fine:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-29 00:43:11 +02:00
|
|
|
2.41.0
|
2022-09-20 23:29:19 +02:00
|
|
|
|