Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch | 49 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 50 insertions, 0 deletions
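--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,49 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3981
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+util/grub-mkconfig.in | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+exit 1
+else
+# none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+rm -f ${grub_cfg}.new
+fi
+fi
+--
+2.31.1
+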
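Review bot: The `umask 077` placed around `cat ${grub_cfg}.new > ${grub_cfg}` only narrows the mode of a grub.cfg that the redirection has to create; when grub.cfg already exists, the redirection truncates it in place and its current mode (for example the 0644 left by an earlier run, as described in the commit message) is kept, so a previously world-readable file is not tightened by this backport. A defensive follow-up after the install step would be an explicit `chmod 600 "${grub_cfg}"` (or an equivalent mode check) so a regenerated config is protected regardless of its prior state. `${grub_cfg}.new` is created earlier, outside this hunk, presumably under the caller's umask; if so, its contents are readable until `rm -f` runs — confirm against the surrounding script. The if/else block this hunk edits starts and ends outside the hunk.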
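--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://alpha.gnu.org/gnu/grub/grub-${REALPV}.tar.xz \
 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
 file://determinism.patch \
 file://0001-RISC-V-Restore-the-typcast-to-long.patch \
+file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \
 "
 
 SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074145484"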