Commit 4d592c31 authored by CentOS Sources's avatar CentOS Sources

import grub2-2.02-78.el8_1.1

parent d772c2b7
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paul Menzel <pmenzel@molgen.mpg.de>
Date: Tue, 23 Oct 2018 15:00:13 +0200
Subject: [PATCH] unix/platform: Initialize variable to fix grub-install on
UEFI system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On a UEFI system, were no boot entry *grub* is present, currently,
`grub-install` fails with an error.
$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0001,0006,0003,0004,0005
Boot0001 Diskette Drive
Boot0003* USB Storage Device
Boot0004* CD/DVD/CD-RW Drive
Boot0005 Onboard NIC
Boot0006* WDC WD2500AAKX-75U6AA0
$ sudo grub-install /dev/sda
Installing for x86_64-efi platform.
grub-install: error: efibootmgr failed to register the boot entry: Unknown error 22020.
The error code is always different, and the error message (incorrectly)
points to efibootmgr.
But, the error is in GRUB’s function
`grub_install_remove_efi_entries_by_distributor()`, where the variable
`rc` for the return value, is uninitialized and never set, when no boot
entry for the distributor is found.
The content of that uninitialized variable is then returned as the error
code of efibootmgr.
Set the variable to 0, so that success is returned, when no entry needs
to be deleted.
Tested on Dell OptiPlex 7010 with firmware A28.
$ sudo ./grub-install /dev/sda
Installing for x86_64-efi platform.
Installation finished. No error reported.
[1]: https://github.com/rhboot/efibootmgr/issues/100
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/osdep/unix/platform.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
index ca448bc11a0..55b8f401624 100644
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -85,7 +85,7 @@ grub_install_remove_efi_entries_by_distributor (const char *efi_distributor)
pid_t pid = grub_util_exec_pipe ((const char * []){ "efibootmgr", NULL }, &fd);
char *line = NULL;
size_t len = 0;
- int rc;
+ int rc = 0;
if (!pid)
{
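Review bot: `int rc = 0;` quietly defines "no boot entry for the distributor found" as success, but nothing in the hunk records that intent, and the initialization only fixes the no-match path if every later path that does find an entry assigns rc; the rest of grub_install_remove_efi_entries_by_distributor lies outside the hunk, so that cannot be confirmed from here. A one-line comment on the changed line would make the contract explicit: `int rc = 0; /* no matching entry to remove is not an error */`.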
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Wed, 13 Nov 2019 12:15:43 +0100
Subject: [PATCH] grub-set-bootflag: Update comment about running as root
through pkexec
We have stopped using pkexec for grub-set-bootflag, instead it is now
installed suid root, update the comment accordingly.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
util/grub-set-bootflag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
index f8dc310909a..32f1c104a2b 100644
--- a/util/grub-set-bootflag.c
+++ b/util/grub-set-bootflag.c
@@ -18,7 +18,7 @@
*/
/*
- * NOTE this gets run by users as root (through pkexec), so this does not
+ * NOTE this gets run by users as root (its suid root), so this does not
* use any grub library / util functions to allow for easy auditing.
* The grub headers are only included to get certain defines.
*/
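Review bot: The rewritten comment line reads `(its suid root)`; the contraction is `it's`, so the line should be ` * NOTE this gets run by users as root (it's suid root), so this does not`. Since this comment is the stated reason the file avoids grub library code, it is worth keeping precise; the comment block is otherwise unchanged and the hunk shows it whole.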
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 22 Nov 2019 11:54:27 +0100
Subject: [PATCH] grub-set-bootflag: Write new env to tmpfile and then rename
Make the grubenv writing code in grub-set-bootflag more robust by
writing the modified grubenv to a tmpfile first and then renaming the
tmpfile over the old grubenv (following symlinks).
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
util/grub-set-bootflag.c | 87 +++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 78 insertions(+), 9 deletions(-)
diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
index 32f1c104a2b..d3b80a0d204 100644
--- a/util/grub-set-bootflag.c
+++ b/util/grub-set-bootflag.c
@@ -26,7 +26,9 @@
#include <config-util.h> /* For *_DIR_NAME defines */
#include <grub/types.h>
#include <grub/lib/envblk.h> /* For GRUB_ENVBLK_DEFCFG define */
+#include <limits.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -52,8 +54,10 @@ int main(int argc, char *argv[])
{
/* NOTE buf must be at least the longest bootflag length + 4 bytes */
char env[GRUBENV_SIZE + 1], buf[64], *s;
+ /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+ char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
const char *bootflag;
- int i, len, ret;
+ int i, fd, len, ret;
FILE *f;
if (argc != 2)
@@ -75,7 +79,32 @@ int main(int argc, char *argv[])
bootflag = bootflags[i];
len = strlen (bootflag);
- f = fopen (GRUBENV, "r");
+ /*
+ * Really become root. setuid avoids an user killing us, possibly leaking
+ * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
+ */
+ ret = setuid(0);
+ if (ret)
+ {
+ perror ("Error setuid(0) failed");
+ return 1;
+ }
+
+ ret = setgid(0);
+ if (ret)
+ {
+ perror ("Error setgid(0) failed");
+ return 1;
+ }
+
+ /* Canonicalize GRUBENV filename, resolving symlinks, etc. */
+ if (!realpath(GRUBENV, env_filename))
+ {
+ perror ("Error canonicalizing " GRUBENV " filename");
+ return 1;
+ }
+
+ f = fopen (env_filename, "r");
if (!f)
{
perror ("Error opening " GRUBENV " for reading");
@@ -129,30 +158,70 @@ int main(int argc, char *argv[])
snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
memcpy(s, buf, len + 3);
- /* "r+", don't truncate so that the diskspace stays reserved */
- f = fopen (GRUBENV, "r+");
+
+ /*
+ * Create a tempfile for writing the new env. Use the canonicalized filename
+ * for the template so that the tmpfile is in the same dir / on same fs.
+ */
+ snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
+ fd = mkstemp(tmp_filename);
+ if (fd == -1)
+ {
+ perror ("Creating tmpfile failed");
+ return 1;
+ }
+
+ f = fdopen (fd, "w");
if (!f)
{
- perror ("Error opening " GRUBENV " for writing");
+ perror ("Error fdopen of tmpfile failed");
+ unlink(tmp_filename);
return 1;
}
ret = fwrite (env, 1, GRUBENV_SIZE, f);
if (ret != GRUBENV_SIZE)
{
- perror ("Error writing to " GRUBENV);
+ perror ("Error writing tmpfile");
+ unlink(tmp_filename);
return 1;
}
ret = fflush (f);
if (ret)
{
- perror ("Error flushing " GRUBENV);
+ perror ("Error flushing tmpfile");
+ unlink(tmp_filename);
return 1;
}
- fsync (fileno (f));
- fclose (f);
+ ret = fsync (fileno (f));
+ if (ret)
+ {
+ perror ("Error syncing tmpfile");
+ unlink(tmp_filename);
+ return 1;
+ }
+
+ ret = fclose (f);
+ if (ret)
+ {
+ perror ("Error closing tmpfile");
+ unlink(tmp_filename);
+ return 1;
+ }
+
+ /*
+ * And finally rename the tmpfile with the new env over the old env, the
+ * linux kernel guarantees that this is atomic (from a syscall pov).
+ */
+ ret = rename(tmp_filename, env_filename);
+ if (ret)
+ {
+ perror ("Error renaming tmpfile to " GRUBENV " failed");
+ unlink(tmp_filename);
+ return 1;
+ }
return 0;
}
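Review bot: The tmpfile from `mkstemp` is created 0600 and, after the preceding `setuid(0)`/`setgid(0)`, owned root:root, and the final `rename` installs it over grubenv with those attributes intact; unless the existing grubenv was already 0600 root:root (not visible in the hunk), its mode silently changes on every bootflag update, which the old in-place "r+" rewrite did not do. Preserve the existing permission bits by stat'ing `env_filename` and calling `fchmod` on `fd` before the `fclose`, as sketched below; this also needs `struct stat st;` in the declarations hunk and `#include <sys/stat.h>` in the includes hunk. As a lesser point, the `fdopen` failure path leaves `fd` open and the `fwrite`/`fflush`/`fsync` failure paths never close `f`; that is only harmless because each path returns from main immediately.

```c
  /* … unchanged: fsync of tmpfile and its error handling … */

  /*
   * mkstemp() creates the tmpfile 0600; copy the permission bits of the
   * existing grubenv so the rename below does not change its mode.
   */
  if (stat (env_filename, &st) || fchmod (fd, st.st_mode & 07777))
    {
      perror ("Error setting tmpfile mode");
      unlink(tmp_filename);
      return 1;
    }

  ret = fclose (f);
  /* … unchanged: fclose error handling and rename … */
```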
File deleted
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:16:15:71:72:fb:31:7e
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
Validity
Not Before: Aug 1 11:47:30 2018 GMT
Not After : Dec 31 11:47:30 2037 GMT
Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
94:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
X509v3 Authority Key Identifier:
keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
Signature Algorithm: sha256WithRSAEncryption
97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
da:7f:89:1d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
......@@ -263,3 +263,6 @@ Patch0262: 0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
Patch0263: 0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
Patch0264: 0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
Patch0265: 0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
Patch0266: 0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch
Patch0267: 0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch
Patch0268: 0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
......@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
Release: 78%{?dist}
Release: 78%{?dist}.1
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
......@@ -24,8 +24,8 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
Source13: centos-ca-secureboot.der
Source14: centossecureboot001.crt
Source13: securebootca.cer
Source14: secureboot.cer
%include %{SOURCE1}
......@@ -52,11 +52,7 @@ BuildRequires: pesign >= 0.99-8
BuildRequires: ccache
%endif
%if 0%{?centos}
%global efidir centos
%endif
ExcludeArch: s390 s390x
ExcludeArch: s390 s390x %{arm}
Obsoletes: %{name} <= %{evr}
%if 0%{with_legacy_arch}
......@@ -168,10 +164,10 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
......@@ -502,8 +498,9 @@ fi
%endif
%changelog
* Tue Nov 05 2019 CentOS Sources <bugs@centos.org> - 2.02-78.el8.centos
- Apply debranding changes
* Tue Dec 03 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-78.el8_1.1
- grub-set-bootflag: Write new env to tmpfile and then rename (hdegoede)
Resolves: CVE-2019-14865
* Thu Sep 26 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-77
- 10_linux_bls: don't add --users option to generated menu entries