Tree - rpms/grub2 - CentOS Git server

rpms / grub2

Blame SOURCES/0191-grub-mkconfig-restore-umask-for-grub.cfg.patch

Blob History Raw

		c16371	`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
		c16371	`From: Michael Chang via Grub-devel <grub-devel@gnu.org>`
		c16371	`Date: Fri, 3 Dec 2021 16:13:28 +0800`
		c16371	`Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg`
		c16371
		c16371	`Since commit:`
		c16371
		c16371	`ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration`
		c16371	`by grub-mkconfig`
		c16371
		c16371	`has inadvertently discarded umask for creating grub.cfg in the process`
		c16371	`of grub-mkconfig. The resulting wrong permission (0644) would allow`
		c16371	`unprivileged users to read grub's configuration file content. This`
		c16371	`presents a low confidentiality risk as grub.cfg may contain non-secured`
		c16371	`plain-text passwords.`
		c16371
		c16371	`This patch restores the missing umask and set the file mode of creation`
		c16371	`to 0600 preventing unprivileged access.`
		c16371
		c16371	`Fixes: CVE-2021-3981`
		c16371
		c16371	`Signed-off-by: Michael Chang <mchang@suse.com>`
		c16371	`---`
		c16371	`util/grub-mkconfig.in \| 2 ++`
		c16371	`1 file changed, 2 insertions(+)`
		c16371
		c16371	`diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in`
		b35c50	`index f55339a3f6..520a672cd2 100644`
		c16371	`--- a/util/grub-mkconfig.in`
		c16371	`+++ b/util/grub-mkconfig.in`
		c16371	`@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with`
		c16371	`exit 1`
		c16371	`else`
		c16371	`# none of the children aborted with error, install the new grub.cfg`
		c16371	`+ oldumask=$(umask); umask 077`
		c16371	`cat ${grub_cfg}.new > ${grub_cfg}`
		c16371	`+ umask $oldumask`
		c16371	`rm -f ${grub_cfg}.new`
		c16371	`fi`
		c16371	`fi`

rpms / grub2

Source Code

Blame SOURCES/0191-grub-mkconfig-restore-umask-for-grub.cfg.patch