grub2: fix CVE-2021-3981

(From OE-Core rev: bb554d14142f93c39fd1516a31757006531c348f) Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yongxin Liu <yongxin.liu@windriver.com> 2021-12-27 14:54:56 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-01-04 23:14:05 +0000
commit: 1431a6f7f14d3e8d0bc826bf539462a87c4909b7 (patch)
tree: df8377420770c05e66a93e6f91863243cfc520e6 /meta/recipes-bsp/grub
parent: 2a9bcdb2ea4acda6c55e345de02e2fc315b642a0 (diff)
download: poky-1431a6f7f14d3e8d0bc826bf539462a87c4909b7.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
new file mode 100644
index 0000000000..dae26fd8bb
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,49 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+Fixes: CVE-2021-3981
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3981
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+    oldumask=$(umask)
+    umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
+    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
+-- 
+2.31.1
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index bb791347dc..a72a562c5a 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
           file://determinism.patch \
           file://0001-RISC-V-Restore-the-typcast-to-long.patch \
+           file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \
 "
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
author	Yongxin Liu <yongxin.liu@windriver.com>	2021-12-27 14:54:56 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-01-04 23:14:05 +0000
commit	1431a6f7f14d3e8d0bc826bf539462a87c4909b7 (patch)
tree	df8377420770c05e66a93e6f91863243cfc520e6 /meta/recipes-bsp/grub
parent	2a9bcdb2ea4acda6c55e345de02e2fc315b642a0 (diff)
download	poky-1431a6f7f14d3e8d0bc826bf539462a87c4909b7.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch new file mode 100644 index 0000000000..dae26fd8bb --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,49 @@
		1	From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
		2	From: Michael Chang <mchang@suse.com>
		3	Date: Fri, 3 Dec 2021 16:13:28 +0800
		4	Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
		5
		6	The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
		7	configuration by grub-mkconfig) has inadvertently discarded umask for
		8	creating grub.cfg in the process of running grub-mkconfig. The resulting
		9	wrong permission (0644) would allow unprivileged users to read GRUB
		10	configuration file content. This presents a low confidentiality risk
		11	as grub.cfg may contain non-secured plain-text passwords.
		12
		13	This patch restores the missing umask and sets the creation file mode
		14	to 0600 preventing unprivileged access.
		15
		16	Fixes: CVE-2021-3981
		17
		18	Signed-off-by: Michael Chang <mchang@suse.com>
		19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		20
		21	Upstream-Status: Backport
		22	CVE: CVE-2021-3981
		23
		24	Reference to upstream patch:
		25	https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
		26
		27	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
		28	---
		29	util/grub-mkconfig.in \| 3 +++
		30	1 file changed, 3 insertions(+)
		31
		32	diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
		33	index c3ea7612e..62335d027 100644
		34	--- a/util/grub-mkconfig.in
		35	+++ b/util/grub-mkconfig.in
		36	@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
		37	exit 1
		38	else
		39	# none of the children aborted with error, install the new grub.cfg
		40	+ oldumask=$(umask)
		41	+ umask 077
		42	cat ${grub_cfg}.new > ${grub_cfg}
		43	+ umask $oldumask
		44	rm -f ${grub_cfg}.new
		45	fi
		46	fi
		47	--
		48	2.31.1
		49


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bb791347dc..a72a562c5a 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
20	file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \	20	file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
21	file://determinism.patch \	21	file://determinism.patch \
22	file://0001-RISC-V-Restore-the-typcast-to-long.patch \	22	file://0001-RISC-V-Restore-the-typcast-to-long.patch \
		23	file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \
23	"	24	"
24		25
25	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"	26	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"