Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/efibootmgr/efibootmgr_17.bb | 2 | ||||
-rw-r--r-- | meta/recipes-bsp/efivar/efivar_37.bb | 2 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch | 49 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 | ||||
-rw-r--r-- | meta/recipes-bsp/opensbi/opensbi_0.9.bb | 2 | ||||
-rw-r--r-- | meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb | 2 | ||||
-rw-r--r-- | meta/recipes-bsp/u-boot/u-boot-common.inc | 2 |
7 files changed, 55 insertions, 5 deletions
diff --git a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb index 5d6f200a73..e9dfa0770e 100644 --- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb +++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb @@ -10,7 +10,7 @@ DEPENDS = "efivar popt" COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" -SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https \ +SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \ file://0001-remove-extra-decl.patch \ file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \ " diff --git a/meta/recipes-bsp/efivar/efivar_37.bb b/meta/recipes-bsp/efivar/efivar_37.bb index 5bf121ff6e..fa1fe1ecdf 100644 --- a/meta/recipes-bsp/efivar/efivar_37.bb +++ b/meta/recipes-bsp/efivar/efivar_37.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6626bb1e20189cfa95f2c508ba286393" COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" -SRC_URI = "git://github.com/rhinstaller/efivar.git \ +SRC_URI = "git://github.com/rhinstaller/efivar.git;branch=master;protocol=https \ file://determinism.patch \ file://no-werror.patch" SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10" diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch new file mode 100644 index 0000000000..dae26fd8bb --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch 
@@ -0,0 +1,49 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3981
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
+--
+2.31.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3c6b434c2d..a70754e346 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
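Review bot: The umask added around `cat ${grub_cfg}.new > ${grub_cfg}` in the backported grub-mkconfig patch only governs the mode of a grub.cfg that does not exist yet. When the file is already present, the redirection truncates it in place and it keeps its current mode, so a target whose grub.cfg was written 0644 by the unpatched script stays world-readable after this backport. Since the patch is carried as an upstream backport, I would leave its body untouched and record the caveat in the patch header or the release notes, for example `existing grub.cfg keeps its old mode; chmod 600 it after upgrading`. The creation of `${grub_cfg}.new` lies outside the visible hunk, so whether that temporary file is also created under a restrictive umask cannot be confirmed from here.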
@@ -20,6 +20,7 @@ SRC_URI = "https://alpha.gnu.org/gnu/grub/grub-${REALPV}.tar.xz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://determinism.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ " SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074145484" diff --git a/meta/recipes-bsp/opensbi/opensbi_0.9.bb b/meta/recipes-bsp/opensbi/opensbi_0.9.bb index cb1c3f2ebf..e01491c9b7 100644 --- a/meta/recipes-bsp/opensbi/opensbi_0.9.bb +++ b/meta/recipes-bsp/opensbi/opensbi_0.9.bb @@ -9,7 +9,7 @@ require opensbi-payloads.inc inherit autotools-brokensep deploy SRCREV = "234ed8e427f4d92903123199f6590d144e0d9351" -SRC_URI = "git://github.com/riscv/opensbi.git;branch=master \ +SRC_URI = "git://github.com/riscv/opensbi.git;branch=master;protocol=https \ file://0001-Makefile-Don-t-specify-mabi-or-march.patch \ " diff --git a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb index 613e3161fb..8234b86162 100644 --- a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb +++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb @@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c" SECTION = "libs" -SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https" +SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master" SRCREV = "824551ac77bab1d0f7ae34d7a7c77b155240e754" S = "${WORKDIR}/git" diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 993478a73b..17c6140216 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc 
@@ -14,7 +14,7 @@ PE = "1" # repo during parse SRCREV = "c4fddedc48f336eabc4ce3f74940e6aa372de18c" -SRC_URI = "git://git.denx.de/u-boot.git \ +SRC_URI = "git://git.denx.de/u-boot.git;branch=master \ file://0001-add-valid-fdt-check.patch \ file://CVE-2021-27097-1.patch \ file://CVE-2021-27097-2.patch \ |
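Review bot: The new u-boot `SRC_URI` gains `branch=master` but, unlike the efivar and opensbi entries changed in this same commit, still carries no `protocol=` parameter, so the fetch presumably stays on the plain `git://` transport, which offers neither encryption nor server authentication. The pinned `SRCREV` limits what a tampered transfer could substitute, but I would still make the entry consistent with the others, e.g. `SRC_URI = "git://git.denx.de/u-boot.git;branch=master;protocol=https \`, provided the host serves the repository over HTTPS. The SRC_URI assignment continues past the end of the hunk.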