NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

boot/grub2: add patch to fix CVE-2021-3981

Browse Source 
This commit backports an upstream commit that fixes CVE-2021-3981.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Thomas Petazzoni 2022-09-20 23:29:19 +02:00
parent e3f25de3e8
commit 51b04fc02c
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
boot/grub2/0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch Normal file
View File

@ -0,0 +1,43 @@
From 8418defaf0902bdd8af188221ae54c5a3d6ad05d Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 3 Dec 2021 16:13:28 +0800
Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
configuration by grub-mkconfig) has inadvertently discarded umask for
creating grub.cfg in the process of running grub-mkconfig. The resulting
wrong permission (0644) would allow unprivileged users to read GRUB
configuration file content. This presents a low confidentiality risk
as grub.cfg may contain non-secured plain-text passwords.
This patch restores the missing umask and sets the creation file mode
to 0600 preventing unprivileged access.
Fixes: CVE-2021-3981
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
[Upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
util/grub-mkconfig.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index f8cbb8d7a..84f356ea4 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -300,7 +300,10 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
+ oldumask=$(umask)
+ umask 077
cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
rm -f ${grub_cfg}.new
fi
fi
--
2.37.2

2
boot/grub2/grub2.mk
View File

@ -30,6 +30,8 @@ GRUB2_IGNORE_CVES += CVE-2019-14865
# grub_linuxefi_secure_validate() is not implemented in the grub2
# version available in Buildroot.
GRUB2_IGNORE_CVES += CVE-2020-15705
# 0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
GRUB2_IGNORE_CVES += CVE-2021-3981
ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
GRUB2_INSTALL_TARGET = YES