Message ID | 9c839db1144a8a96f8b848e3e1aad2fd93859abd.1641787452.git.anuj.mittal@intel.com
---|---
State | Accepted, archived
Commit | 4bdd5ca6e9f9561d80044eaececcfad71cd9262b
Series | [honister,01/10] linux-yocto: add libmpc-native to DEPENDS
> diff --git a/meta/recipes-bsp/grub/grub2.inc > b/meta/recipes-bsp/grub/grub2.inc > index bb791347dc..a72a562c5a 100644 > --- a/meta/recipes-bsp/grub/grub2.inc > +++ b/meta/recipes-bsp/grub/grub2.inc > @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ > file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ > file://determinism.patch \ > file://0001-RISC-V-Restore-the-typcast-to-long.patch \ > + > file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ > " > > SRC_URI[sha256sum] = > "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" > > This one should go to dunfell too. If the original poster would like to backport, that would be nice, otherwise it is on my list. Kind regards, Marta
On Mon, Jan 10, 2022 at 10:01 AM Marta Rybczynska via lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org> wrote: > > diff --git a/meta/recipes-bsp/grub/grub2.inc >> b/meta/recipes-bsp/grub/grub2.inc >> index bb791347dc..a72a562c5a 100644 >> --- a/meta/recipes-bsp/grub/grub2.inc >> +++ b/meta/recipes-bsp/grub/grub2.inc >> @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ >> file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ >> file://determinism.patch \ >> file://0001-RISC-V-Restore-the-typcast-to-long.patch \ >> + >> file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ >> " >> >> SRC_URI[sha256sum] = >> "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" >> >> > This one should go to dunfell too. If the original poster would like to > backport, > that would be nice, otherwise it is on my list. > This issue does not apply in dunfell, as the change introducing the problem is post-2.04. No need to backport. Marta
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch new file mode 100644 index 0000000000..dae26fd8bb --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch 
@@ -0,0 +1,49 @@ +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 +From: Michael Chang <mchang@suse.com> +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg + +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating +configuration by grub-mkconfig) has inadvertently discarded umask for +creating grub.cfg in the process of running grub-mkconfig. The resulting +wrong permission (0644) would allow unprivileged users to read GRUB +configuration file content. This presents a low confidentiality risk +as grub.cfg may contain non-secured plain-text passwords. + +This patch restores the missing umask and sets the creation file mode +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang <mchang@suse.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport +CVE: CVE-2021-3981 + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4 + +Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> +--- + util/grub-mkconfig.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index c3ea7612e..62335d027 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask) ++ umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi +-- +2.31.1 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bb791347dc..a72a562c5a 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc 
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://determinism.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
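Review bot: In the grub-mkconfig.in hunk, `umask 077` only governs the mode of a file that `cat ${grub_cfg}.new > ${grub_cfg}` creates; when grub.cfg already exists (for example written as 0644 by an earlier run of the affected version), the redirection truncates it in place and its existing mode is kept, so the world-readable copy survives an upgrade to the fixed package. Consider an explicit `chmod 600 ${grub_cfg}` after the write, or at least a sentence in the commit message stating that existing installations must correct the mode themselves. The save/restore via `oldumask=$(umask)` and `umask $oldumask` is fine as written, since `umask` prints only octal digits and the unquoted expansion cannot split.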
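Review bot: For the grub2.inc hunk, leaving `SRC_URI[sha256sum]` unchanged is correct, since the new entry is a local `file://` patch and the upstream tarball is untouched; with the `CVE: CVE-2021-3981` and `Upstream-Status: Backport` tags in the patch header, cve-check will report the CVE as patched once this lands, so nothing further is needed in the recipe.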
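The permission difference the commit message describes, reproduced in a scratch directory as an added example that is not part of the patch or of GRUB: the same save/set/restore umask sequence the patch adds is run beside the pre-patch write, and a third case shows the caveat that umask does not touch a file that already exists. Function names, the `mktemp` scratch directory and the sample grub.cfg content are constructed for this example.

```shell
#!/bin/sh
# Added example, not GRUB code: compare how grub-mkconfig wrote grub.cfg
# before and after the umask fix, using only a temporary directory.

# Pre-patch behaviour: the write inherits whatever umask the caller has.
write_unmasked() {
    cat "$2" > "$1"
}

# Patched behaviour: save the umask, force 077 for the write, restore it.
write_masked() {
    oldumask=$(umask)
    umask 077
    cat "$2" > "$1"
    umask "$oldumask"
}

# Octal permission bits of a file, working with both GNU and BSD stat.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Run all three cases under a typical 022 umask and report the modes.
# Prints: unmasked=644 masked=600 preexisting=644
demo_umask() {
    dir=$(mktemp -d) || return 1
    umask 022
    # Constructed stand-in for the generated grub.cfg.new content.
    printf 'set superusers="root"\n' > "$dir/grub.cfg.new"
    write_unmasked "$dir/cfg_old" "$dir/grub.cfg.new"
    write_masked "$dir/cfg_new" "$dir/grub.cfg.new"
    # Caveat: umask only applies when a file is created. A grub.cfg left at
    # 0644 by an earlier run keeps that mode when '>' truncates it in place.
    : > "$dir/cfg_pre"
    chmod 644 "$dir/cfg_pre"
    write_masked "$dir/cfg_pre" "$dir/grub.cfg.new"
    echo "unmasked=$(mode_of "$dir/cfg_old") masked=$(mode_of "$dir/cfg_new") preexisting=$(mode_of "$dir/cfg_pre")"
    rm -rf "$dir"
}
```

Calling `demo_umask` shows why a `chmod 600` on the existing file is still needed on systems that already carry a world-readable grub.cfg.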