Bug 29762

Summary: grub2 possible new security issue CVE-2021-3981
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: grub2-2.06-8.mga9.src.rpm
CVE:
Status comment: GRUB2 passwords should not be world-readable
Bug Depends on: 30527
Bug Blocks:

Description David Walser 2021-12-13 17:03:19 CET
Fedora has issued an advisory on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5VRL3CBU6FOV6UY6CJLNRJXBCENVSF7Z/

I disagree with this issue as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=2024170

GRUB2 has a mechanism for including other files in the configuration, such as the "source ${prefix}/user.cfg" in RedHat's default grub.cfg, so if there are encrypted passwords, they should be in a different file, as in that example from RedHat.  I don't think it makes sense to have grub.cfg itself unreadable by users.  I don't know how Mageia handles password-protecting GRUB2, so I'll leave this for the maintainers to figure out.
David Walser 2021-12-13 17:03:43 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => GRUB2 passwords should not be world-readable
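The description above turns on two things a defender can check mechanically: whether any GRUB2 configuration file carries a `password`/`password_pbkdf2` directive, and whether that file is readable by anyone other than its owner. The script below is an added example, not code from this bug report or from the grub2 project. It builds two constructed sample directories (one reproducing the reported problem, one with the hash moved into a separate `user.cfg` pulled in via `source`, as in the Red Hat layout David describes) and audits them; the hash value is a placeholder, and `stat -c` is assumed to be GNU coreutils (the Linux case this bug concerns). On a real system you would run `audit_grub_passwords` against `/boot/grub2` instead of a sample directory.

```shell
#!/bin/sh
# Added example (not from the bug report or grub2): audit GRUB2 config files
# for password directives that sit in group- or world-readable files.

# audit_grub_passwords DIR
# Looks at every *.cfg under DIR. Prints one line per file that contains a
# GRUB password directive. Returns 0 if all such files are owner-only
# readable, 1 if any of them exposes the directive to other local users.
audit_grub_passwords() {
    dir="$1"
    rc=0
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue
        # "password_pbkdf2" carries a PBKDF2 hash, plain "password" cleartext;
        # both are worth keeping away from unprivileged readers.
        if grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$f"; then
            perms=$(stat -c '%a' "$f")            # GNU stat assumed (Linux)
            # Octal mode ANDed with 044: any group/other read bit set is exposure.
            if [ $(( 0$perms & 044 )) -ne 0 ]; then
                echo "EXPOSED: $f (mode $perms) contains a password directive"
                rc=1
            else
                echo "ok: $f (mode $perms) contains a password directive"
            fi
        fi
    done
    return $rc
}

# Constructed sample reproducing the reported problem: the hash lives in a
# world-readable grub.cfg. Prints the directory path.
make_bad_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.HASHPLACEHOLDER' \
        > "$d/grub.cfg"
    chmod 644 "$d/grub.cfg"
    echo "$d"
}

# Constructed sample of the layout the description recommends: grub.cfg stays
# world-readable but only sources user.cfg, which holds the hash at mode 0600.
make_good_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'set superusers="root"' 'source ${prefix}/user.cfg' > "$d/grub.cfg"
    chmod 644 "$d/grub.cfg"
    printf '%s\n' \
        'password_pbkdf2 root grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.HASHPLACEHOLDER' \
        > "$d/user.cfg"
    chmod 600 "$d/user.cfg"
    echo "$d"
}

# Stand-alone run: audit both constructed samples.
if [ "${GRUB_AUDIT_DEMO:-1}" = 1 ]; then
    bad=$(make_bad_sample)
    good=$(make_good_sample)
    echo "== sample reproducing the report =="
    audit_grub_passwords "$bad" || echo "result: exposure found"
    echo "== sample with hash in owner-only user.cfg =="
    audit_grub_passwords "$good" && echo "result: no exposure"
    rm -rf "$bad" "$good"
fi
```

The check deliberately keys on the directive rather than on `grub.cfg` by name, so it reports exposure wherever the hash actually ends up (a `source`d include, a stray backup copy, a file under `/etc/grub.d` if you point it there) and stays quiet for a world-readable `grub.cfg` that only references an owner-only `user.cfg`.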

Comment 1 Lewis Smith 2021-12-13 20:39:16 CET
tv is the principal maintainer of Grub2, so assigning this to you.
In the light of DavidW's comment:
> I'll leave this for the maintainers to figure out
maybe it warrants discussion.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Lécureuil 2021-12-14 00:19:02 CET
the upstream fix: 

https://github.com/rhboot/grub2/commit/3ea051e59e9c0cd79eac7f2e1563606e1e31a530

CC: (none) => mageia

David Walser 2022-06-08 18:28:24 CEST

Depends on: (none) => 30527

Comment 3 Nicolas Salguero 2024-03-13 14:11:30 CET
Mageia 8 EOL.

Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => RESOLVED
Resolution: (none) => OLD