Bug#1001414: grub2: CVE-2021-3981: Incorrect permission in grub.cfg allow unprivileged user to read the file content

Salvatore Bonaccorso carnil at debian.org
Tue Nov 15 20:21:27 GMT 2022


Hi,

On Thu, Dec 09, 2021 at 09:01:13PM +0100, Salvatore Bonaccorso wrote:
> Source: grub2
> Version: 2.06-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for grub2.
> 
> CVE-2021-3981[0]:
> | Incorrect permission in grub.cfg allow unprivileged user to read the
> | file content
> 
> It was only introduced with [1] and patch upstream is in [2].
> 
> When the config contains "^password" then the grub.cfg would need to
> be created with stricter permissions.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-3981
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3981
> [1] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d
> [2] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00013.html
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=2024170

A fix is committed as
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4
. FTR, since the grub2 rebase to 2.06-3 based versions in bullseye,
the issue is now present there as well.

Regards,
Salvatore
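The point made in the quoted report is that a grub.cfg containing a "^password" line must not be readable by unprivileged users. The following audit script is an added example for checking and correcting that on an installed system; it is not code from this report, from Debian or from the grub project, and it does not reproduce the upstream grub-mkconfig patch. It assumes GNU coreutils (stat -c) and uses constructed sample configs written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or grub): find a grub.cfg that
# carries a password/password_pbkdf2 directive yet is readable by group/other,
# and restrict it to the owner. Paths and file contents are constructed here.

# grub_cfg_needs_tightening FILE
#   returns 0 when FILE contains a password directive AND has any group/other bits
#   returns 1 otherwise (no password line, missing file, or already owner-only)
grub_cfg_needs_tightening() {
    file="$1"
    [ -f "$file" ] || return 1
    # Same pattern the report refers to: a line beginning with "password"
    # (matches both "password" and "password_pbkdf2").
    grep -q '^password' "$file" || return 1
    # Octal mode without leading zero, e.g. 644 (GNU coreutils stat assumed).
    mode=$(stat -c '%a' "$file")
    # Keep the last two digits: the group and other permission bits.
    go=$(printf '%s' "$mode" | tail -c 2)
    [ "$go" != "00" ]
}

# grub_cfg_tighten FILE -- restrict FILE to owner-only read/write (0600)
grub_cfg_tighten() {
    chmod 0600 "$1"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    # Case 1: a config with a superuser password, created world-readable
    # (the situation the report describes).
    cat > "$tmp/grub.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Debian GNU/Linux' { linux /vmlinuz root=/dev/sda1 }
EOF
    chmod 0644 "$tmp/grub.cfg"
    # Case 2: a config without any password directive; world-readable is fine.
    printf 'menuentry "Debian GNU/Linux" { linux /vmlinuz }\n' > "$tmp/plain.cfg"
    chmod 0644 "$tmp/plain.cfg"

    if grub_cfg_needs_tightening "$tmp/grub.cfg"; then
        echo "grub.cfg: has a password directive but is readable by others; fixing"
        grub_cfg_tighten "$tmp/grub.cfg"
    fi
    grub_cfg_needs_tightening "$tmp/plain.cfg" || echo "plain.cfg: nothing to do"
    grub_cfg_needs_tightening "$tmp/grub.cfg" || \
        echo "grub.cfg: now mode $(stat -c '%a' "$tmp/grub.cfg")"
    rm -rf "$tmp"
}

demo
```

On a real system the same two functions can be pointed at /boot/grub/grub.cfg from a cron job or a configuration-management check; the fix referenced in the reply makes grub-mkconfig apply the restriction itself when it regenerates the file, so the audit is mainly useful for hosts that have not yet regenerated grub.cfg with a fixed package.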
