CVE-2021-3981: A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set, allowing non-privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.
Patch: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
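The permission problem described above, as an added example that is not grub's or Gentoo's own code: a simplified stand-in for the step where grub-mkconfig writes grub.cfg, run once the way the unfixed 2.06 behaves (the file inherits whatever umask the caller had) and once the way the backported "restore umask" patch is assumed here to behave (umask 077 while the file is created, caller's umask restored afterwards), plus a small audit helper for checking whether an existing grub.cfg is world-readable. The function names and the sample config content are assumptions.

```shell
#!/bin/sh
# Added example (not grub's or Gentoo's code): a simplified stand-in for the
# step where grub-mkconfig writes grub.cfg, showing how the process umask
# decides the file mode, plus an audit helper for an existing grub.cfg.

# Return 0 when FILE is world-readable ("other" read bit set), 1 when it is
# not, 2 when it does not exist. Column 8 of ls -l is the "other" read bit
# (r or -) on both GNU and BSD userlands.
world_readable() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Write a grub.cfg-like file to OUT. RESTRICT=yes models the fixed behaviour
# (assumed here: umask 077 while the file is created, caller's umask restored
# afterwards); any other value models the CVE-2021-3981 behaviour, where the
# file simply inherits the caller's umask. The body is constructed sample
# content with a placeholder, not a real password hash.
write_cfg() {
    wc_out=$1
    wc_saved=$(umask)
    if [ "$2" = yes ]; then umask 077; fi
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.SAMPLE_HASH_PLACEHOLDER' > "$wc_out"
    umask "$wc_saved"
    return 0
}

# Stand-alone demonstration under the common default umask 022: the unfixed
# variant comes out 0644, the fixed one 0600.
demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_saved=$(umask)
    umask 022
    write_cfg "$demo_dir/grub.cfg.unfixed" no
    write_cfg "$demo_dir/grub.cfg.fixed" yes
    umask "$demo_saved"
    for f in "$demo_dir"/grub.cfg.*; do
        if world_readable "$f"; then
            echo "$f: world-readable, any local user can read the password hashes"
        else
            echo "$f: readable by owner only"
        fi
    done
    rm -rf "$demo_dir"
}

demo
```

Running `world_readable /boot/grub/grub.cfg` on a real system is the audit a defender would do after updating grub; a return of 0 means the config should be regenerated with the fixed grub-mkconfig or its mode tightened by hand.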
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=012331665f6d5c6f2a48b6619c54f509cd791485

commit 012331665f6d5c6f2a48b6619c54f509cd791485
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-09-16 23:08:57 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-09-16 23:10:00 +0000

    sys-boot/grub: backport fix for CVE-2021-3981

    Bug: https://bugs.gentoo.org/835082
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../grub-2.06-grub-mkconfig-restore-umask.patch  | 41 ++++++++++++++++++++++
 .../{grub-2.06-r2.ebuild => grub-2.06-r3.ebuild} |  1 +
 2 files changed, 42 insertions(+)
GLSA request filed
GLSA released, all done!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=9800f4266b85bdfe9aee0d03b98448c864ee9537

commit 9800f4266b85bdfe9aee0d03b98448c864ee9537
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:35:30 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-12 ] GRUB: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/835082
    Bug: https://bugs.gentoo.org/850535
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-12.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)