Hi Richard, I saw this patch has been merged to master.
Could you help to merge this patch and commit 0f528608eb48809955b2610ecc4bd689f1cf8899 Author: Alexander Kanavin <[email protected]> Date: 2021-06-15 10:12 grub: upgrade 2.04+2.06~rc1 -> 2.06 Signed-off-by: Alexander Kanavin <[email protected]> Signed-off-by: Richard Purdie <[email protected]> to branch hardknott also? Or do I need to send those patches again for hardknott? Thanks, Yongxin > -----Original Message----- > From: [email protected] <openembedded- > [email protected]> On Behalf Of Yongxin Liu > Sent: Monday, December 27, 2021 14:55 > To: [email protected]; openembedded- > [email protected] > Subject: [OE-core][PATCH] grub2: fix CVE-2021-3981 > > Signed-off-by: Yongxin Liu <[email protected]> > --- > ...onfig-Restore-umask-for-the-grub.cfg.patch | 49 +++++++++++++++++++ > meta/recipes-bsp/grub/grub2.inc | 1 + > 2 files changed, 50 insertions(+) > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981-grub- > mkconfig-Restore-umask-for-the-grub.cfg.patch > > diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig- > Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE- > 2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch > new file mode 100644 > index 0000000000..dae26fd8bb > --- /dev/null > +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-um > +++ ask-for-the-grub.cfg.patch > @@ -0,0 +1,49 @@ > +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 > +From: Michael Chang <[email protected]> > +Date: Fri, 3 Dec 2021 16:13:28 +0800 > +Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg > + > +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating > +configuration by grub-mkconfig) has inadvertently discarded umask for > +creating grub.cfg in the process of running grub-mkconfig. The > +resulting wrong permission (0644) would allow unprivileged users to > +read GRUB configuration file content. This presents a low > +confidentiality risk as grub.cfg may contain non-secured plain-text > passwords. > + > +This patch restores the missing umask and sets the creation file mode > +to 0600 preventing unprivileged access. > + > +Fixes: CVE-2021-3981 > + > +Signed-off-by: Michael Chang <[email protected]> > +Reviewed-by: Daniel Kiper <[email protected]> > + > +Upstream-Status: Backport > +CVE: CVE-2021-3981 > + > +Reference to upstream patch: > +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec296745610347 > +71c13e446069b41ef41e4d4 > + > +Signed-off-by: Yongxin Liu <[email protected]> > +--- > + util/grub-mkconfig.in | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index > +c3ea7612e..62335d027 100644 > +--- a/util/grub-mkconfig.in > ++++ b/util/grub-mkconfig.in > +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report > with > + exit 1 > + else > + # none of the children aborted with error, install the new > +grub.cfg > ++ oldumask=$(umask) > ++ umask 077 > + cat ${grub_cfg}.new > ${grub_cfg} > ++ umask $oldumask > + rm -f ${grub_cfg}.new > + fi > + fi > +-- > +2.31.1 > + > diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes- > bsp/grub/grub2.inc index bb791347dc..a72a562c5a 100644 > --- a/meta/recipes-bsp/grub/grub2.inc > +++ b/meta/recipes-bsp/grub/grub2.inc > @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ > file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ > file://determinism.patch \ > file://0001-RISC-V-Restore-the-typcast-to-long.patch \ > + > + file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patc > + h \ > " > > SRC_URI[sha256sum] = > "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" > -- > 2.31.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160222): https://lists.openembedded.org/g/openembedded-core/message/160222 Mute This Topic: https://lists.openembedded.org/mt/87974226/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
