From a137559e7192ae1054312d6b537c80aff10ffd8b Mon Sep 17 00:00:00 2001
From: Leo Sandoval
Date: Fri, 24 May 2024 18:10:46 -0600
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
Resolves: #2281464
Signed-off-by: Leo Sandoval
---
 ...fig.in-turn-off-executable-owner-bit.patch | 30 +++++++++++++++++++
 grub.macros | 6 ++--
 grub.patches | 1 +
 grub2.spec | 6 +++-
 4 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch
diff --git a/0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch
new file mode 100644
index 0000000..ddd74e9
--- /dev/null
+++ b/0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@@ -0,0 +1,30 @@
+From 4062ab33c8cd86ac15cefe1b4f2f422b28467f54 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Fri, 24 May 2024 18:22:17 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 520a672cd..fb382b648 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -311,7 +311,7 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- oldumask=$(umask); umask 077
++ oldumask=$(umask); umask 177
+ cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
+ rm -f ${grub_cfg}.new
+--
+2.44.0
+
diff --git a/grub.macros b/grub.macros
index 241baf8..205a953 100644
--- a/grub.macros
+++ b/grub.macros
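Review bot: Changing `umask 077` to `umask 177` at the `oldumask=$(umask); umask 177` line does not change the mode grub.cfg ends up with: a shell redirection creates files with 0666 masked by the umask, so 077 already produced 0600 and the owner execute bit was never set by this path. When `${grub_cfg}` already exists, `cat ${grub_cfg}.new > ${grub_cfg}` truncates it in place and keeps whatever mode the file had before (for example a 0700 left by an earlier package), so the umask is irrelevant there as well. To actually enforce the 0600 the nested commit message promises, follow the copy with `chmod 0600 "${grub_cfg}"`; if `${grub_cfg}` can live on a vfat ESP where chmod is not honoured, that call would have to tolerate failure rather than abort the script. The enclosing if/else of grub-mkconfig.in starts and ends outside this hunk, and the creation of `${grub_cfg}.new` is not visible here. The nested commit message also misspells "Stricter".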
@@ -683,7 +683,7 @@ ln -s ../boot/grub2/grub.cfg \\\
 %{expand:%%files %{1}} \
 %defattr(-,root,root,-) \
 %config(noreplace) %{_sysconfdir}/grub2.cfg \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \
 %dir %attr(0700,root,root)/boot/loader/entries \
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
 %ifarch ppc64le \
@@ -718,8 +718,8 @@ ln -s ../boot/grub2/grub.cfg \\\
 %endif \
 %attr(0700,root,root)/boot/grub2/fonts \
 %dir %attr(0700,root,root)/boot/loader/entries \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \
-%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \
+%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg \
 %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules} \
diff --git a/grub.patches b/grub.patches
index 5494862..673fa2a 100644
--- a/grub.patches
+++ b/grub.patches
@@ -359,3 +359,4 @@ Patch0358: 0358-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0359: 0359-fs-ntfs-Make-code-more-readable.patch
 Patch0360: 0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
 Patch0361: 0361-cmd-search-Rework-of-CVE-2023-4001-fix.patch
+Patch0362: 0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch
diff --git a/grub2.spec b/grub2.spec
index fe966ca..ffbe638 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -17,7 +17,7 @@ Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 122%{?dist}
+Release: 123%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPL-3.0-or-later
 URL: http://www.gnu.org/software/grub/
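Review bot: In the second grub.macros hunk, `%attr(0600,root,root)%{efi_esp_dir}/grub.cfg` sets a mode expectation on a %ghost file that rpm never installs; if %{efi_esp_dir} is the vfat ESP, as the name and the existing `%verify(not mtime)` exception suggest, the mode `rpm -V` sees there is derived from the mount's umask/fmask options rather than stored on disk, so this line would presumably make verification report a mode mismatch that no package action can correct. Either keep 0700 for the ESP copy or widen the exception on that line to `%verify(not mtime mode)`, leaving the 0600 expectation to the /boot/grub2 copy. The /boot/grub2/grub.cfg ghosts have a related gap on already-installed systems: grub-mkconfig rewrites grub.cfg in place, so a file currently at 0700 keeps that mode after the upgrade until something chmods it, and nothing in this change does. The %files expansion these lines belong to begins and ends outside the hunk.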
@@ -555,6 +555,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 %changelog
+* Tue May 28 2024 Leo Sandoval - 2.06.123
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #2281464
+
 * Thu May 23 2024 Nicolas Frayer - 2.06-122
 - cmd/search: Rework of CVE-2023-4001 fix
 - Related: #2224951