Package: grub-common
Version: 1.98+20100804-14+squeeze1
Tags: patch security
Severity: minor

grub.cfg with password_pbkdf2 is still readable by anyone. It's not too bad to restrict file access in this case too (for now, debian/patches/grub.cfg_400.patch does it only if this file has a "password" directive). Sid's version is affected too.

--- /usr/sbin/grub-mkconfig.orig 2011-09-19 07:17:59.000000000 +0400 +++ /usr/sbin/grub-mkconfig 2012-06-14 19:58:45.000000000 +0400 @@ -313,7 +313,7 @@ esac done -if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then +if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password[ _]" ${grub_cfg}.new ; then chmod 444 ${grub_cfg}.new || true fi
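
Review bot: The new pattern `^password[ _]` in the `grep -q` test is still anchored to the first column and only accepts a space or an underscore after the keyword, so a `password` or `password_pbkdf2` line that is indented, or that uses a tab as the separator, would not match and the file would still get `chmod 444`. Consider `grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]'` instead, and quote `"${grub_cfg}.new"` in both the `grep` and `chmod` calls so a path containing spaces does not break the test. Because the condition only skips the `chmod 444` when the pattern is found, any directive spelling the regex misses leaves the file world-readable; it would be safer to make the restrictive mode the default and relax it only when no password directive is present.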