[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Nov 2013 16:04:31 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: grub-mkconfig
Hello Kurt, all,
Please assign a CVE for grub-mkconfig.
grub-mkconfig on Debian and derivatives sets mode 444 on grub.cfg
configuration files if there are no plaintext passwords in the
configuration file. However, the permissions are still set world readable
if the password_pbkdf2 directive includes a hashed password.
The original bug report and proposed patch is by Francesco Poli:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632598
Original compressed patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=safer_grub_cfg_perms.diff.gz;att=1;bug=632598
Patch, uncompressed and inlined:
diff -ruN a/grub-mkconfig b/grub-mkconfig
--- a/grub-mkconfig 2011-05-31 11:33:31.000000000 +0200
+++ b/grub-mkconfig 2011-07-03 21:15:53.000000000 +0200
@@ -293,7 +293,7 @@
esac
done
-if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
+if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password" ${grub_cfg}.new ; then
chmod 444 ${grub_cfg}.new || true
fi
Thanks
Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
