Bug#1001414: grub2: CVE-2021-3981: Incorrect permission in grub.cfg allow unprivileged user to read the file content
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 9 20:01:13 GMT 2021
Source: grub2
Version: 2.06-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for grub2.
CVE-2021-3981[0]:
| Incorrect permission in grub.cfg allow unprivileged user to read the
| file content
It was only introduced with [1] and the patch upstream is in [2].
When the config contains "^password" then the grub.cfg would need to
be created with stricter permissions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3981
[1] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d
[2] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00013.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2024170
Regards,
Salvatore
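
Added example (not part of the original report, nor code from grub2): a POSIX shell check for the condition described above, flagging a grub.cfg that has a line starting with "password" while being readable by group or others. The function names, the return codes and the reading of "stricter permissions" as "no group/other read bit" are assumptions of this example.

```shell
#!/bin/sh
# Audit a grub.cfg for the CVE-2021-3981 condition.
# Return codes (chosen for this example): 0 = ok, 1 = exposed, 2 = cannot check.

# True when the file has a line matching "^password", the pattern named in
# the report (this also matches password_pbkdf2 lines).
has_password_directive() {
    grep -q '^password' "$1"
}

# True when group or others hold the read bit on the file.
readable_by_non_owner() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

audit_grub_cfg() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        # A correctly restricted file is unreadable to the auditor unless
        # the check runs as the file's owner (normally root).
        echo "UNKNOWN: cannot read $cfg (run as its owner)" >&2
        return 2
    fi
    if has_password_directive "$cfg" && readable_by_non_owner "$cfg"; then
        echo "EXPOSED: $cfg has a password line and is readable by non-owners"
        return 1
    fi
    echo "OK: $cfg"
    return 0
}

# Run only when a path is given, e.g.: sh audit.sh /boot/grub/grub.cfg
if [ $# -gt 0 ]; then
    audit_grub_cfg "$1"
fi
```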