Hi, On Thu, Dec 09, 2021 at 09:01:13PM +0100, Salvatore Bonaccorso wrote: > Source: grub2 > Version: 2.06-2 > Severity: important > Tags: security upstream > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org> > > Hi, > > The following vulnerability was published for grub2. > > CVE-2021-3981[0]: > | Incorrect permission in grub.cfg allow unprivileged user to read the > | file content > > It was only introduced with [1] and patch upstream is in [2]. > > When the config contains "^password" then the grub.cfg would need to > be created with stricter permissions. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-3981 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3981 > [1] > https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d > [2] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00013.html > [3] https://bugzilla.redhat.com/show_bug.cgi?id=2024170
A fix is commited as https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4 . FTR, since the grub2 rebase to 2.06-3 based versions in bullseye, the issue is now present there as well. Regards, Salvatore