grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content

Source: https://git.savannah.gnu.org/cgit/grub.git/ MR: 116495 Type: Security Fix Disposition: Backport from https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4 ChangeID: fce3d59e50320bef247bb981352051b8f953a4fc Description: CVE-2021-3981 grub2: Incorrect permission in grub.cfg allow unprivileged user to read the file content. Affects "grub2 < 2.06" (From OE-Core rev: fd9dc688ead5cf0225cba94c380a618e332d548f) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-06-29 11:24:07 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-07-08 08:27:20 +0100
commit: b6f4778e379a8323ebd9892430395db3de81ce6c (patch)
tree: 9fbfd02a211444c2632a9729ab0262d6036ac2de /meta/recipes-bsp/grub/files
parent: 6e79d96c6ded192e0a51d8ceed67b772a7b650c9 (diff)
download: poky-b6f4778e379a8323ebd9892430395db3de81ce6c.tar.gz
1 files changed, 32 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
new file mode 100644
index 0000000000..e27027ea65
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ util/grub-mkconfig.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    mv -f ${grub_cfg}.new ${grub_cfg}
+    oldumask=$(umask)
+    umask 077
+    cat ${grub_cfg}.new > ${grub_cfg}
+    umask $oldumask
+    rm -f ${grub_cfg}.new
+   fi
+ fi
+ 
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-06-29 11:24:07 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-07-08 08:27:20 +0100
commit	b6f4778e379a8323ebd9892430395db3de81ce6c (patch)
tree	9fbfd02a211444c2632a9729ab0262d6036ac2de /meta/recipes-bsp/grub/files
parent	6e79d96c6ded192e0a51d8ceed67b772a7b650c9 (diff)
download	poky-b6f4778e379a8323ebd9892430395db3de81ce6c.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch new file mode 100644 index 0000000000..e27027ea65 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
	1	From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Mon, 27 Jun 2022 10:15:29 +0530
	4	Subject: [PATCH] CVE-2021-3981
	5
	6	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
	7	CVE: CVE-2021-3981
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	util/grub-mkconfig.in \| 6 +++++-
	11	1 file changed, 5 insertions(+), 1 deletion(-)
	12
	13	diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
	14	index 9f477ff..ead94a6 100644
	15	--- a/util/grub-mkconfig.in
	16	+++ b/util/grub-mkconfig.in
	17	@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
	18	exit 1
	19	else
	20	# none of the children aborted with error, install the new grub.cfg
	21	- mv -f ${grub_cfg}.new ${grub_cfg}
	22	+ oldumask=$(umask)
	23	+ umask 077
	24	+ cat ${grub_cfg}.new > ${grub_cfg}
	25	+ umask $oldumask
	26	+ rm -f ${grub_cfg}.new
	27	fi
	28	fi
	29
	30	--
	31	2.25.1
	32