File 0001-grub-mkconfig-restore-umask-for-grub.cfg.patch of Package grub2.32026

From 7a5022ea64fd6af859383a1731632abc8755b8f7 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 26 Aug 2021 15:52:00 +0800
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg

Since commit:

  ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
by grub-mkconfig

has inadvertently discarded umask for creating grub.cfg in the process
of grub-mkconfig. The resulting wrong permission (0644) would allow
unprivileged users to read grub's configuration file content. This
presents a low confidentiality risk as grub.cfg may contain non-secured
plain-text passwords.

This patch restores the missing umask and set the file mode of creation
to 0600 preventing unprivileged access.

Fixes: CVE-2021-3981

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 util/grub-mkconfig.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 7f6d961d2..4aca09d8e 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -351,7 +351,9 @@ and /etc/grub.d/* files or please file a bug report with
     exit 1
   else
     # none of the children aborted with error, install the new grub.cfg
+    oldumask=$(umask); umask 077
     cat ${grub_cfg}.new > ${grub_cfg}
+    umask $oldumask
     rm -f ${grub_cfg}.new
     # check if default entry need to be corrected for updated distributor version
     # and/or use fallback entry if default kernel entry removed
-- 
2.31.1