* Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
* Include upstream patch to enable EFI zboot support on arm64.
Closes: #1026092
+ * grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
+ Closes: #1001414
- -- Steve McIntyre <93sam@debian.org> Sun, 11 Dec 2022 12:08:44 +0000
+ -- Steve McIntyre <93sam@debian.org> Thu, 29 Dec 2022 13:36:22 +0000
grub2 (2.06-7) unstable; urgency=medium
--- /dev/null
+commit 0adec29674561034771c13e446069b41ef41e4d4
+Author: Michael Chang <mchang@suse.com>
+Date: Fri Dec 3 16:13:28 2021 +0800
+
+ grub-mkconfig: Restore umask for the grub.cfg
+
+ The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+ configuration by grub-mkconfig) has inadvertently discarded umask for
+ creating grub.cfg in the process of running grub-mkconfig. The resulting
+ wrong permission (0644) would allow unprivileged users to read GRUB
+ configuration file content. This presents a low confidentiality risk
+ as grub.cfg may contain non-secured plain-text passwords.
+
+ This patch restores the missing umask and sets the creation file mode
+ to 0600 preventing unprivileged access.
+
+ Fixes: CVE-2021-3981
+
+ Signed-off-by: Michael Chang <mchang@suse.com>
+ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
projects / grub2.git / commitdiff