Backport for CVE-2020-8631 and CVE-2020-8632

This commit backports the upstream commits for the CVEs: - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py <https://bugzilla.redhat.com/show_bug.cgi?id=1798729> ./cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch - CVE-2020-8631 cloud-init: Use of random.choice when generating random password <https://bugzilla.redhat.com/show_bug.cgi?id=1798732> ./cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2020-04-14 15:57:28 +02:00 · 2020-04-14 15:57:28 +02:00 · 34fecf9a1f
commit 34fecf9a1f
parent b562c4e451
3 changed files with 66 additions and 1 deletions
--- a/cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+++ b/cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch
@ -0,0 +1,28 @@
 From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001
 From: Ryan Harper <ryan.harper@canonical.com>
 Date: Fri, 24 Jan 2020 21:33:12 +0200
 Subject: [PATCH] cc_set_password: increase random pwlength from 9 to 20 (#189)
 Increasing the bits of security from 52 to 115.
 LP: #1860795
 ---
 cloudinit/config/cc_set_passwords.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
 index e3b39d8b..4943d545 100755
 --- a/cloudinit/config/cc_set_passwords.py
 +++ b/cloudinit/config/cc_set_passwords.py
@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
         raise errors[-1]
 -def rand_user_password(pwlen=9):
 +def rand_user_password(pwlen=20):
     return util.rand_str(pwlen, select_from=PW_SET)
 -- 
 2.18.1
--- a/cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch
+++ b/cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch
@ -0,0 +1,31 @@
 From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001
 From: Dimitri John Ledkov <xnox@ubuntu.com>
 Date: Tue, 18 Feb 2020 17:03:24 +0000
 Subject: [PATCH] utils: use SystemRandom when generating random password.
 (#204)
 As noticed by Seth Arnold, non-deterministic SystemRandom should be
 used when creating security sensitive random strings.
 ---
 cloudinit/util.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/cloudinit/util.py b/cloudinit/util.py
 index d99e82fa..c02b3d9a 100644
 --- a/cloudinit/util.py
 +++ b/cloudinit/util.py
@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
 def rand_str(strlen=32, select_from=None):
 +    r = random.SystemRandom()
     if not select_from:
         select_from = string.ascii_letters + string.digits
 -    return "".join([random.choice(select_from) for _x in range(0, strlen)])
 +    return "".join([r.choice(select_from) for _x in range(0, strlen)])
 def rand_dict_key(dictionary, postfix=None):
 -- 
 2.18.1
--- a/cloud-init.spec
+++ b/cloud-init.spec
@ -1,6 +1,6 @@
 Name:           cloud-init
 Version:        19.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Cloud instance init scripts
 License:        ASL 2.0 or GPLv3
 URL:            http://launchpad.net/cloud-init
@ -161,6 +161,12 @@ nosetests-%{python3_version} tests/unittests/
 %changelog
 * Tue Apr 14 2020 Eduardo Otubo <otubo@redhat.com> - 19.4-3
 - Fix BZ#1798729 - CVE-2020-8632 cloud-init: Too short random password length
  in cc_set_password in config/cc_set_passwords.py
 - Fix BZ#1798732 - CVE-2020-8631 cloud-init: Use of random.choice when
  generating random password
 * Sun Feb 23 2020 Dusty Mabe <dusty@dustymabe.com> - 19.4-2
 - Fix sed substitutions for unittest2 and assertItemsEqual
 - Fix failing unittests by including `BuildRequires: passwd`