PR#8: Backport for CVE-2020-8631 and CVE-2020-8632 - rpms/cloud-init

Eduardo Otubo • 4 years ago

34fecf9

file added

+28

		`@@ -0,0 +1,28 @@`
		`+ From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001`
		`+ From: Ryan Harper <ryan.harper@canonical.com>`
		`+ Date: Fri, 24 Jan 2020 21:33:12 +0200`
		`+ Subject: [PATCH] cc_set_password: increase random pwlength from 9 to 20 (#189)`
		`+`
		`+ Increasing the bits of security from 52 to 115.`
		`+`
		`+ LP: #1860795`
		`+ ---`
		`+ cloudinit/config/cc_set_passwords.py \| 2 +-`
		`+ 1 file changed, 1 insertion(+), 1 deletion(-)`
		`+`
		`+ diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py`
		`+ index e3b39d8b..4943d545 100755`
		`+ --- a/cloudinit/config/cc_set_passwords.py`
		`+ +++ b/cloudinit/config/cc_set_passwords.py`
		`+ @@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):`
		`+ raise errors[-1]`
		`+`
		`+`
		`+ -def rand_user_password(pwlen=9):`
		`+ +def rand_user_password(pwlen=20):`
		`+ return util.rand_str(pwlen, select_from=PW_SET)`
		`+`
		`+`
		`+ --`
		`+ 2.18.1`
		`+`

file added

+31

		`@@ -0,0 +1,31 @@`
		`+ From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001`
		`+ From: Dimitri John Ledkov <xnox@ubuntu.com>`
		`+ Date: Tue, 18 Feb 2020 17:03:24 +0000`
		`+ Subject: [PATCH] utils: use SystemRandom when generating random password.`
		`+ (#204)`
		`+`
		`+ As noticed by Seth Arnold, non-deterministic SystemRandom should be`
		`+ used when creating security sensitive random strings.`
		`+ ---`
		`+ cloudinit/util.py \| 3 ++-`
		`+ 1 file changed, 2 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/cloudinit/util.py b/cloudinit/util.py`
		`+ index d99e82fa..c02b3d9a 100644`
		`+ --- a/cloudinit/util.py`
		`+ +++ b/cloudinit/util.py`
		`+ @@ -397,9 +397,10 @@ def translate_bool(val, addons=None):`
		`+`
		`+`
		`+ def rand_str(strlen=32, select_from=None):`
		`+ + r = random.SystemRandom()`
		`+ if not select_from:`
		`+ select_from = string.ascii_letters + string.digits`
		`+ - return "".join([random.choice(select_from) for _x in range(0, strlen)])`
		`+ + return "".join([r.choice(select_from) for _x in range(0, strlen)])`
		`+`
		`+`
		`+ def rand_dict_key(dictionary, postfix=None):`
		`+ --`
		`+ 2.18.1`
		`+`

cloud-init.spec

file modified

+7 -1

		`@@ -1,6 +1,6 @@`
		`Name: cloud-init`
		`Version: 19.4`
		`- Release: 2%{?dist}`
		`+ Release: 3%{?dist}`
		`Summary: Cloud instance init scripts`
		`License: ASL 2.0 or GPLv3`
		`URL: http://launchpad.net/cloud-init`
		`@@ -161,6 +161,12 @@`


		`%changelog`
		`+ * Tue Apr 14 2020 Eduardo Otubo <otubo@redhat.com> - 19.4-3`
		`+ - Fix BZ#1798729 - CVE-2020-8632 cloud-init: Too short random password length`
		`+ in cc_set_password in config/cc_set_passwords.py`
		`+ - Fix BZ#1798732 - CVE-2020-8631 cloud-init: Use of random.choice when`
		`+ generating random password`
		`+`
		`* Sun Feb 23 2020 Dusty Mabe <dusty@dustymabe.com> - 19.4-2`
		`- Fix sed substitutions for unittest2 and assertItemsEqual`
		- Fix failing unittests by including `BuildRequires: passwd`

This commit backports the upstream commits for the CVEs:

CVE-2020-8632 cloud-init: Too short random password length in
cc_set_password in config/cc_set_passwords.py
https://bugzilla.redhat.com/show_bug.cgi?id=1798729
./cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch
CVE-2020-8631 cloud-init: Use of random.choice when generating random
password
https://bugzilla.redhat.com/show_bug.cgi?id=1798732
./cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch

Signed-off-by: Eduardo Otubo otubo@redhat.com