Backport for CVE-2020-8631 and CVE-2020-8632

This commit backports the upstream commits for the CVEs: - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py <https://bugzilla.redhat.com/show_bug.cgi?id=1798729> ./cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch - CVE-2020-8631 cloud-init: Use of random.choice when generating random password <https://bugzilla.redhat.com/show_bug.cgi?id=1798732> ./cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2020-04-14 15:57:28 +02:00 · 2020-04-14 15:57:28 +02:00 · 34fecf9a1f
commit 34fecf9a1f
parent b562c4e451
3 changed files with 66 additions and 1 deletions
--- a/cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+++ b/cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch
@ -0,0 +1,28 @@
+From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001
+From: Ryan Harper <ryan.harper@canonical.com>
+Date: Fri, 24 Jan 2020 21:33:12 +0200
+Subject: [PATCH] cc_set_password: increase random pwlength from 9 to 20 (#189)
+
+Increasing the bits of security from 52 to 115.
+
+LP: #1860795
+---
+ cloudinit/config/cc_set_passwords.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+index e3b39d8b..4943d545 100755
+--- a/cloudinit/config/cc_set_passwords.py
+++ b/cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
+         raise errors[-1]
+ 
+ 
+-def rand_user_password(pwlen=9):
+def rand_user_password(pwlen=20):
+     return util.rand_str(pwlen, select_from=PW_SET)
+ 
+ 
+-- 
+2.18.1
+
--- a/cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch
+++ b/cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch
@ -0,0 +1,31 @@
+From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 18 Feb 2020 17:03:24 +0000
+Subject: [PATCH] utils: use SystemRandom when generating random password.
+ (#204)
+
+As noticed by Seth Arnold, non-deterministic SystemRandom should be
+used when creating security sensitive random strings.
+---
+ cloudinit/util.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index d99e82fa..c02b3d9a 100644
+--- a/cloudinit/util.py
+++ b/cloudinit/util.py
+@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
+ 
+ 
+ def rand_str(strlen=32, select_from=None):
+    r = random.SystemRandom()
+     if not select_from:
+         select_from = string.ascii_letters + string.digits
+-    return "".join([random.choice(select_from) for _x in range(0, strlen)])
+    return "".join([r.choice(select_from) for _x in range(0, strlen)])
+ 
+ 
+ def rand_dict_key(dictionary, postfix=None):
+-- 
+2.18.1
+
--- a/cloud-init.spec
+++ b/cloud-init.spec
@ -1,6 +1,6 @@
 Name:           cloud-init
 Version:        19.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Cloud instance init scripts
 License:        ASL 2.0 or GPLv3
 URL:            http://launchpad.net/cloud-init
@ -161,6 +161,12 @@ nosetests-%{python3_version} tests/unittests/


 %changelog
+* Tue Apr 14 2020 Eduardo Otubo <otubo@redhat.com> - 19.4-3
+- Fix BZ#1798729 - CVE-2020-8632 cloud-init: Too short random password length
+  in cc_set_password in config/cc_set_passwords.py
+- Fix BZ#1798732 - CVE-2020-8631 cloud-init: Use of random.choice when
+  generating random password
+
 * Sun Feb 23 2020 Dusty Mabe <dusty@dustymabe.com> - 19.4-2
 - Fix sed substitutions for unittest2 and assertItemsEqual
 - Fix failing unittests by including `BuildRequires: passwd`