Date: Thu, 14 Nov 2013 16:04:31 -0800
From: Seth Arnold <>
Subject: CVE Request: grub-mkconfig

Hello Kurt, all,

Please assign a CVE for grub-mkconfig.

grub-mkconfig on Debian and derivatives sets mode 444 on grub.cfg
configuration files if there are no plaintext passwords in the
configuration file. However, the permissions are still set world readable
if the password_pbkdf2 directive includes a hashed password.

The original bug report and proposed patch are by Francesco Poli:

Original compressed patch:;filename=safer_grub_cfg_perms.diff.gz;att=1;bug=632598

Patch, uncompressed and inlined:

diff -ruN a/grub-mkconfig b/grub-mkconfig
--- a/grub-mkconfig	2011-05-31 11:33:31.000000000 +0200
+++ b/grub-mkconfig	2011-07-03 21:15:53.000000000 +0200
@@ -293,7 +293,7 @@
-if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
+if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password" ${grub_cfg}.new ; then
   chmod 444 ${grub_cfg}.new || true
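Review bot: the broadened pattern `^password` does match `password_pbkdf2` as intended, but it still requires the directive at column 0, so an indented `password_pbkdf2` line would be missed and the file would still get mode 444, and it also matches any unrelated line starting with `password`; `grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]'` would cover both cases. Worth stating in the patch description as well: the hunk only decides whether to relax the mode to 444, and when a password directive is found `${grub_cfg}.new` simply keeps the mode it was created with, so the fix only helps if that file is created without world-read permission (not visible in this hunk). `${grub_cfg}.new` should also be quoted.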


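The permission logic the report describes, as an added example that is not code from the original post or from grub-mkconfig itself: a POSIX shell audit that flags a grub.cfg carrying a `password` or `password_pbkdf2` directive while it is world-readable, and applies mode 400 in that case or 444 otherwise. The function names, the regex (which, unlike the patched `^password`, also accepts an indented directive and requires trailing whitespace so that an unrelated token such as `passwordless=1` does not match), the use of `ls -l` column 8 as the other-read bit, and the sample configuration contents (including the placeholder PBKDF2 string) are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from grub-mkconfig itself.
# Audits a grub.cfg for credential directives and applies the mode a
# hardened grub-mkconfig would: 400 when credentials are present, 444 otherwise.
# Assumptions: POSIX sh, grep -E, and the POSIX ls -l permission-field layout.

# True when the file carries a "password" or "password_pbkdf2" directive.
# Unlike the patched grep ("^password"), leading whitespace is tolerated and
# trailing whitespace is required, so "passwordless=1" is not a match.
grub_cfg_has_password() {
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# True when the "other" class has read permission (column 8 of ls -l).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Mode the file should have: 400 with credentials, 444 without.
grub_cfg_wanted_mode() {
    if grub_cfg_has_password "$1"; then
        echo 400
    else
        echo 444
    fi
}

# Report an exposed config, then apply the wanted mode.
# Prints one FINDING line when credentials are world-readable; returns chmod's status.
grub_cfg_fix_perms() {
    _f=$1
    if grub_cfg_has_password "$_f" && is_world_readable "$_f"; then
        echo "FINDING: $_f has a password directive but is world-readable"
    fi
    chmod "$(grub_cfg_wanted_mode "$_f")" "$_f"
}

# Demo on constructed sample configs (the PBKDF2 string is a placeholder, not a real hash).
demo_dir=$(mktemp -d)
cat > "$demo_dir/protected.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Debian GNU/Linux' {
        linux   /vmlinuz root=/dev/sda1
}
EOF
cat > "$demo_dir/plain.cfg" <<'EOF'
set timeout=5
menuentry 'Debian GNU/Linux' {
        linux   /vmlinuz root=/dev/sda1
}
EOF
chmod 644 "$demo_dir"/*.cfg          # what a 022 umask would leave behind
for cfg in "$demo_dir/protected.cfg" "$demo_dir/plain.cfg"; do
    grub_cfg_fix_perms "$cfg"
    if is_world_readable "$cfg"; then wr=yes; else wr=no; fi
    echo "$cfg -> mode $(grub_cfg_wanted_mode "$cfg"), world-readable: $wr"
done
rm -rf "$demo_dir"
```

Run it as a normal user on the constructed files; on a real system point `grub_cfg_fix_perms` at `/boot/grub/grub.cfg` as root. Note that this only closes the window after the fact: as with the patch, the durable fix is to create the file without world-read permission in the first place and relax it only when no credentials are present.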
