diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch deleted file mode 100644 index dae26fd8bb..0000000000 --- a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 -From: Michael Chang <mchang@suse.com> -Date: Fri, 3 Dec 2021 16:13:28 +0800 -Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg - -The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating -configuration by grub-mkconfig) has inadvertently discarded umask for -creating grub.cfg in the process of running grub-mkconfig. The resulting -wrong permission (0644) would allow unprivileged users to read GRUB -configuration file content. This presents a low confidentiality risk -as grub.cfg may contain non-secured plain-text passwords. - -This patch restores the missing umask and sets the creation file mode -to 0600 preventing unprivileged access. - -Fixes: CVE-2021-3981 - -Signed-off-by: Michael Chang <mchang@suse.com> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> - -Upstream-Status: Backport -CVE: CVE-2021-3981 - -Reference to upstream patch: -https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4 - -Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> ---- - util/grub-mkconfig.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index c3ea7612e..62335d027 100644 ---- a/util/grub-mkconfig.in -+++ b/util/grub-mkconfig.in -@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with - exit 1 - else - # none of the children aborted with error, install the new grub.cfg -+ oldumask=$(umask) -+ umask 077 - cat ${grub_cfg}.new > ${grub_cfg} -+ umask $oldumask - rm -f ${grub_cfg}.new - fi - fi --- -2.31.1 - |