From d90546c5ee7dec2cb829f1ebe8c4eed7bad412d9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Dec 09 2021 16:11:30 +0000
Subject: restore umask for grub.cfg (CVE-2021-3981)

Signed-off-by: Robbie Harwood
---
diff --git a/0212-grub-mkconfig-restore-umask-for-grub.cfg.patch b/0212-grub-mkconfig-restore-umask-for-grub.cfg.patch
new file mode 100644
index 0000000..d9a8196
--- /dev/null
+++ b/0212-grub-mkconfig-restore-umask-for-grub.cfg.patch
@@ -0,0 +1,43 @@
+From 3ea051e59e9c0cd79eac7f2e1563606e1e31a530 Mon Sep 17 00:00:00 2001
+From: Michael Chang via Grub-devel
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
+
+Since commit:
+
+ ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
+by grub-mkconfig
+
+has inadvertently discarded umask for creating grub.cfg in the process
+of grub-mkconfig. The resulting wrong permission (0644) would allow
+unprivileged users to read grub's configuration file content. This
+presents a low confidentiality risk as grub.cfg may contain non-secured
+plain-text passwords.
+
+This patch restores the missing umask and set the file mode of creation
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang
+---
+ util/grub-mkconfig.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index f55339a3f..520a672cd 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask); umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
+--
+2.33.0
+
diff --git a/grub.patches b/grub.patches
index 4a349cd..b833690 100644
--- a/grub.patches
+++ b/grub.patches
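Review bot: In the util/grub-mkconfig.in hunk carried by 0212-grub-mkconfig-restore-umask-for-grub.cfg.patch, the added `umask 077` only takes effect when the redirection in `cat ${grub_cfg}.new > ${grub_cfg}` creates grub.cfg. A grub.cfg that already exists, for example one written with mode 0644 by an affected build, is truncated and rewritten with its old mode, so it would stay readable by unprivileged users after the update. Consider setting the mode explicitly after the copy, e.g. `chmod 0600 ${grub_cfg}` (tolerating failure on filesystems that do not store Unix modes), or having the package correct the existing file on upgrade. The creation of `${grub_cfg}.new` and the start of the enclosing if/else are outside the hunk, so whether the temporary file is also created under a restrictive umask cannot be confirmed from here.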
@@ -209,3 +209,4 @@ Patch0208: 0208-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
 Patch0209: 0209-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
 Patch0210: 0210-Print-module-name-on-license-check-failure.patch
 Patch0211: 0211-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
+Patch0212: 0212-grub-mkconfig-restore-umask-for-grub.cfg.patch
diff --git a/grub2.spec b/grub2.spec
index 25b2b52..89030ea 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -14,7 +14,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -523,6 +523,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 %changelog
+* Thu Dec 09 2021 Robbie Harwood - 2.06-10
+- restore umask for grub.cfg (CVE-2021-3981)
+
 * Thu Nov 04 2021 Robbie Harwood - 2.06-9
 - Drop UI patches and update provenance information