grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981

Apply patch from upstream, Closes: #1001414

grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
Apply patch from upstream, Closes: #1001414
9ba3bf38 · Steve McIntyre · 9df17d0b · 9ba3bf38 · 9ba3bf38 · 9ba3bf38
Commit 9ba3bf38 authored 2 years ago by Steve McIntyre
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,10 @@ grub2 (2.06-8) UNRELEASED; urgency=medium
  * Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
  * Include upstream patch to enable EFI zboot support on arm64.
    Closes: #1026092
+  * grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
+    Closes: #1001414
- -- Steve McIntyre <93sam@debian.org>  Sun, 11 Dec 2022 12:08:44 +0000
+ -- Steve McIntyre <93sam@debian.org>  Thu, 29 Dec 2022 13:36:22 +0000
 grub2 (2.06-7) unstable; urgency=medium

--- a/debian/patches/grub_mkconfig_restore_umask.patch
+++ b/debian/patches/grub_mkconfig_restore_umask.patch
+commit 0adec29674561034771c13e446069b41ef41e4d4
+Author: Michael Chang <mchang@suse.com>
+Date:   Fri Dec 3 16:13:28 2021 +0800
+    grub-mkconfig: Restore umask for the grub.cfg
+    The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+    configuration by grub-mkconfig) has inadvertently discarded umask for
+    creating grub.cfg in the process of running grub-mkconfig. The resulting
+    wrong permission (0644) would allow unprivileged users to read GRUB
+    configuration file content. This presents a low confidentiality risk
+    as grub.cfg may contain non-secured plain-text passwords.
+    This patch restores the missing umask and sets the creation file mode
+    to 0600 preventing unprivileged access.
+    Fixes: CVE-2021-3981
+    Signed-off-by: Michael Chang <mchang@suse.com>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+    oldumask=$(umask)
+    umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
+    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,3 +111,4 @@ gcc12_build_dangling_pointer.patch
 gcc12_build_array_bounds.patch
 gcc12_build_array_bounds2.patch
 arm64_remove_magic_number_check.patch
+grub_mkconfig_restore_umask.patch