Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 835082 (CVE-2021-3981)

Summary: <sys-boot/grub-2.06-r3: creates config file world-readable
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system, floppym, gentoo
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/27288
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-13 14:33:16 UTC 
CVE-2021-3981:

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.

Patch: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
Comment 1 Larry the Git Cow gentoo-dev 2022-09-16 23:10:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=012331665f6d5c6f2a48b6619c54f509cd791485

commit 012331665f6d5c6f2a48b6619c54f509cd791485
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-09-16 23:08:57 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-09-16 23:10:00 +0000

    sys-boot/grub: backport fix for CVE-2021-3981
    
    Bug: https://bugs.gentoo.org/835082
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../grub-2.06-grub-mkconfig-restore-umask.patch    | 41 ++++++++++++++++++++++
 .../{grub-2.06-r2.ebuild => grub-2.06-r3.ebuild}   |  1 +
 2 files changed, 42 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 04:57:50 UTC 
GLSA request filed
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-25 13:44:11 UTC 
GLSA released, all done!
Comment 4 Larry the Git Cow gentoo-dev 2022-09-25 13:56:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9800f4266b85bdfe9aee0d03b98448c864ee9537

commit 9800f4266b85bdfe9aee0d03b98448c864ee9537
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:35:30 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-12 ] GRUB: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835082
    Bug: https://bugs.gentoo.org/850535
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-12.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)