Commit e7e99161 authored by Rocky Automation's avatar Rocky Automation 📺

import grub2-2.06-23.el9

parent 0a994ba9
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
Date: Fri, 3 Dec 2021 16:13:28 +0800
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
Since commit:
ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
by grub-mkconfig
has inadvertently discarded umask for creating grub.cfg in the process
of grub-mkconfig. The resulting wrong permission (0644) would allow
unprivileged users to read grub's configuration file content. This
presents a low confidentiality risk as grub.cfg may contain non-secured
plain-text passwords.
This patch restores the missing umask and set the file mode of creation
to 0600 preventing unprivileged access.
Fixes: CVE-2021-3981
Signed-off-by: Michael Chang <mchang@suse.com>
(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766)
---
util/grub-mkconfig.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index f55339a3f64..520a672cd2c 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
+ oldumask=$(umask); umask 077
cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
rm -f ${grub_cfg}.new
fi
fi
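Review bot: The `umask 077` added before `cat ${grub_cfg}.new > ${grub_cfg}` only governs files the redirect creates; when `${grub_cfg}` already exists, the `>` truncates it in place and its existing mode is kept, so a config left at 0644 by the affected versions stays world-readable after this fix runs. Adding `chmod 600 ${grub_cfg}` after the copy, or writing it with `install -m 0600 ${grub_cfg}.new ${grub_cfg}`, would make the final mode independent of what was there before. `${grub_cfg}.new` is created before this hunk, so its mode is presumably not covered by this umask either — worth confirming where it is opened. The `if`/`else` that encloses these lines starts outside the hunk.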
......@@ -40,14 +40,17 @@ if [[ $DISABLE_BLS = "true" ]]; then
fi
fi
[ -f /etc/default/grub ] && . /etc/default/grub
if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then
RUN_MKCONFIG=true
fi
# A traditional grub configuration file needs to be generated only in the case when
# the bootloaders are not capable of populating a menu entry from the BLS fragments.
if [[ $RUN_MKCONFIG != "true" ]]; then
exit 0
fi
[[ -f /etc/default/grub ]] && . /etc/default/grub
COMMAND="$1"
case "$COMMAND" in
......
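Review bot: On the new side of this hunk `/etc/default/grub` is sourced twice — `[ -f /etc/default/grub ] && . /etc/default/grub` before the `GRUB_ENABLE_BLSCFG` check and the pre-existing `[[ -f /etc/default/grub ]] && . /etc/default/grub` just before `COMMAND="$1"`; the second sourcing is now redundant and re-executes that file's contents for no gain. The new test `if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then` also leaves the variable unquoted in a `[` test while the surrounding file uses `[[ ... ]]`; `if [[ "$GRUB_ENABLE_BLSCFG" == "false" ]]; then` is consistent with the rest of the script and does not break on a value containing whitespace. Which of the two `/etc/default/grub` lines is the addition is not explicit on this rendering; I am inferring the earlier one from the changelog entry "Re-arm GRUB_ENABLE_BLSCFG=false". The enclosing `if` of this hunk begins outside it.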
......@@ -68,7 +68,6 @@
%global efi_target_ldflags %{expand:%%(echo %{target_ldflags})}
%global with_efi_arch 0
%global with_alt_efi_arch 0
%global with_legacy_arch 0
%global with_emu_arch 1
%global emuarch %{_arch}
......@@ -154,19 +153,6 @@
%global legacy_target_cpu_name i386
%global legacy_package_arch pc
%global platform pc
%global alt_efi_arch ia32
%global alt_target_cpu_name i386
%global alt_grub_target_name i386-efi
%global alt_platform efi
%global alt_package_arch efi-ia32
%global alt_efi_host_cflags %{expand:%%(echo %{efi_host_cflags})}
%global alt_efi_target_cflags \\\
%{expand:%%(echo %{target_cflags} | \\\
%{cflags_sed} \\\
-e 's/-m64//g' \\\
)}
%endif
%ifarch aarch64
......@@ -200,7 +186,6 @@
%endif
%global _target_platform %{target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
%global _alt_target_platform %{alt_target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
%ifarch %{efi_arch}
%global with_efi_arch 1
......@@ -216,13 +201,6 @@
%endif
%endif
%if 0%{?alt_efi_arch:1}
%global with_alt_efi_arch 1
%global grubaltefiname grub%{alt_efi_arch}.efi
%global grubalteficdname gcd%{alt_efi_arch}.efi
%global grubaltefiarch %{alt_target_cpu_name}-efi
%endif
%ifnarch %{efi_only}
%global with_legacy_arch 1
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
......@@ -416,11 +394,8 @@ rm -f %{1}.conf \
${GRUB_MODULES} \
%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%define __pesign_client_cert %{name}-signer} \
%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
%{nil}
%else
%define efi_mkimage() \
......@@ -438,7 +413,7 @@ rm -f %{1}.conf \
APPENDED_SIG_SIZE=0 \
if [ -x /usr/bin/rpm-sign ]; then \
touch empty.unsigned \
rpm-sign --key %{5} \\\
rpm-sign --key %{4} \\\
--lkmsign empty.unsigned \\\
--output empty.signed \
APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
......@@ -447,12 +422,12 @@ fi \
# FIXME: using this prefix is fragile, must be done properly \
./grub-mkimage -O %{1} -o %{2}.orig \\\
-p '/grub2' -d grub-core \\\
-x %{3} -x %{4} \\\
-x %{3} \\\
--appended-signature-size ${APPENDED_SIG_SIZE} \\\
${GRUB_MODULES} \
if [ -x /usr/bin/rpm-sign ]; then \
truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
rpm-sign --key %{5} \\\
rpm-sign --key %{4} \\\
--lkmsign %{2}.orig \\\
--output %{2} \
else \
......@@ -468,12 +443,12 @@ GRUB_MODULES+=%{platform_modules} \
%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
%{nil}
%define do_ieee1275_build_images() \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{platform_modules} \
cd grub-%{1}-%{tarversion} \
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \
cd .. \
%define do_ieee1275_build_images() \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{platform_modules} \
cd grub-%{1}-%{tarversion} \
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}} \
cd .. \
%{nil}
%define do_primary_efi_build() \
......@@ -484,15 +459,6 @@ cd grub-%{1}-%{tarversion} \
cd .. \
%{nil}
%define do_alt_efi_build() \
cd grub-%{1}-%{tarversion} \
%{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \
%do_efi_build_modules \
%{expand:%%do_efi_link_utils %{grubefiarch}} \
%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \
cd .. \
%{nil}
%define do_legacy_build() \
cd grub-%{1}-%{tarversion} \
%configure \\\
......@@ -534,26 +500,6 @@ make %{?_smp_mflags} -C grub-core \
cd .. \
%{nil}
%define do_alt_efi_install() \
cd grub-%{1}-%{tarversion} \
install -d -m 755 $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \
find . '(' -iname gdb_grub \\\
-o -iname kernel.exec \\\
-o -iname kernel.img \\\
-o -iname config.h \\\
-o -iname gmodule.pl \\\
-o -iname modinfo.sh \\\
-o -iname '*.lst' \\\
-o -iname '*.mod' \\\
')' \\\
-exec cp {} $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \\\; \
find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \
install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \
install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \
%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \
cd .. \
%{nil}
%define do_efi_install() \
cd grub-%{1}-%{tarversion} \
make DESTDIR=$RPM_BUILD_ROOT install \
......@@ -595,7 +541,7 @@ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \
mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\
$RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \
fi \
if [ %{3} -eq 0 ]; then \
if [ %{2} -eq 0 ]; then \
${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \
fi \
......
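Review bot: `do_efi_build_images` still forwards ten positional arguments, `%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}}`, but the new `efi_mkimage` body signs once with `-a %%{5} -c %%{6} -n %%{7}` and reads nothing past `%{7}`, so `%{8}`–`%{10}` are now dead parameters; trimming the call to `%{1} … %{7}` would make the macro's contract match its body. The positional arguments of `efi_mkimage`, `ieee1275_mkimage` and `do_legacy_install` are undocumented, and this commit renumbers them in several places (`rpm-sign --key %{4}`, `-x %{3}`, `if [ %{2} -eq 0 ]`); a one-line comment above each `%define`, for `ieee1275_mkimage` something like `# args: 1=mkimage target 2=output image 3=cert passed to -x 4=rpm-sign key`, would guard against the signing-argument slips the changelog describes. The `%define` headers of these macros lie outside the hunks shown here.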
......@@ -221,3 +221,4 @@ Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
Patch0222: 0222-Print-module-name-on-license-check-failure.patch
Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
Patch0224: 0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
......@@ -14,7 +14,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 16%{?dist}
Release: 23%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
......@@ -32,29 +32,27 @@ Source9: strtoull_test.c
Source10: 20-grub.install
Source11: grub.patches
Source12: sbat.csv.in
Source13: redhatsecurebootca3.cer
Source14: redhatsecureboot301.cer
Source15: redhatsecurebootca5.cer
Source16: redhatsecureboot502.cer
Source17: redhatsecureboot303.cer
Source18: redhatsecureboot601.cer
%include %{SOURCE1}
%if 0%{with_efi_arch}
%define old_sb_ca %{SOURCE13}
%define old_sb_cer %{SOURCE14}
%define old_sb_key redhatsecureboot301
%define sb_ca %{SOURCE15}
%define sb_cer %{SOURCE16}
%define sb_key redhatsecureboot502
%ifarch x86_64 aarch64 ppc64le
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%endif
%if 0%{?centos}
%ifarch x86_64 aarch64 ppc64le
%define sb_key centossecureboot202
%endif
%else
%ifarch x86_64 aarch64
%define sb_key redhatsecureboot502
%endif
%ifarch ppc64le
%define old_sb_cer %{SOURCE17}
%define sb_cer %{SOURCE18}
%define sb_key redhatsecureboot602
%endif
%endif
BuildRequires: gcc efi-srpm-macros
BuildRequires: flex bison binutils python3
......@@ -72,6 +70,9 @@ BuildRequires: systemd
%ifarch %{efi_arch}
BuildRequires: pesign >= 0.99-8
%endif
%ifarch aarch64 ppc64le x86_64
BuildRequires: system-sb-certs
%endif
%if %{?_with_ccache: 1}%{?!_with_ccache: 0}
BuildRequires: ccache
%endif
......@@ -156,9 +157,6 @@ This subpackage provides tools for support of all platforms.
%if 0%{with_efi_arch}
%{expand:%define_efi_variant %%{package_arch} -o}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%define_efi_variant %%{alt_package_arch}}
%endif
%if 0%{with_legacy_arch}
%{expand:%define_legacy_variant %%{legacy_package_arch}}
%endif
......@@ -191,12 +189,6 @@ sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{relea
%{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}
%endif
%if 0%{with_alt_efi_arch}
mkdir grub-%{grubaltefiarch}-%{tarversion}
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubaltefiarch}-%{tarversion}/.gitignore
cp %{SOURCE4} grub-%{grubaltefiarch}-%{tarversion}/unifont.pcf.gz
git add grub-%{grubaltefiarch}-%{tarversion}
%endif
%if 0%{with_legacy_arch}
mkdir grub-%{grublegacyarch}-%{tarversion}
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grublegacyarch}-%{tarversion}/.gitignore
......@@ -213,10 +205,7 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
......@@ -225,7 +214,7 @@ git commit -m "After making subdirs"
%{expand:%do_emu_build}
%endif
%ifarch ppc64le
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}}
%endif
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
docs/grub-dev.texi
......@@ -244,11 +233,8 @@ rm -fr $RPM_BUILD_ROOT
%if 0%{with_efi_arch}
%{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_install %%{grublegacyarch} %%{alt_grub_target_name} 0%{with_efi_arch}}
%{expand:%do_legacy_install %%{grublegacyarch} 0%{with_efi_arch}}
%endif
%if 0%{with_emu_arch}
%{expand:%do_emu_install %%{package_arch}}
......@@ -529,9 +515,6 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%if 0%{with_efi_arch}
%{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}}
%endif
%if 0%{with_legacy_arch}
%{expand:%define_legacy_variant_files %%{legacy_package_arch} %%{grublegacyarch}}
%endif
......@@ -547,7 +530,35 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16
* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-23
- Re-arm GRUB_ENABLE_BLSCFG=false
- Resolves: #2018331
* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-22
- Stop building unsupported 32-bit UEFI stuff
- Resolves: #2038401
* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-21
- Require Secure Boot certs based on architecture
- Resolves: #2049214
* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-20
- Conditionalize Secure Boot settings per architecture
- Resolves: #2049214
* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-19
- Attempt to fix ppc64le signing bugs in previous change
- Resolves: #2049214
* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-18
- Switch to single-signing and use certs from package (bstinson)
- Resolves: #2049214
* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-17
- CVE-2021-3981 (Incorrect read permission in grub.cfg)
- Resolves: rhbz#2030724
* Tue Jan 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-16
- Stop having this problem and just copy over the beta tree
- Resolves: rhbz#2006784
......
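Review bot: The architecture list `x86_64 aarch64 ppc64le` now appears three times in the spec — the `%ifarch` guarding `%define sb_ca`/`%define sb_cer`, the `%ifarch` inside `%if 0%{?centos}`, and the `%ifarch aarch64 ppc64le x86_64` around `BuildRequires: system-sb-certs`; a single `%global sb_arches x86_64 aarch64 ppc64le` used as `%ifarch %{sb_arches}` in each place would keep the cert paths and the build dependency from drifting apart. As written, an EFI architecture outside that list would leave `sb_ca`/`sb_cer` undefined while `%do_primary_efi_build ... %{sb_ca} %{sb_cer} %{sb_key}` still expands them, and rpm would pass the unexpanded text through to pesign; whether `efi_arch` can include such an architecture is not visible here, so this may be unreachable today. A short comment above the `%ifarch` stating that the `.cer` files come from `system-sb-certs` would also explain why the `BuildRequires` is arch-conditional.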