34fecf9a1f
This commit backports the upstream commits for the CVEs: - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py <https://bugzilla.redhat.com/show_bug.cgi?id=1798729> ./cloud-init-19.4-cc_set_password-increase-random-pwlength-from-9-to-2.patch - CVE-2020-8631 cloud-init: Use of random.choice when generating random password <https://bugzilla.redhat.com/show_bug.cgi?id=1798732> ./cloud-init-19.4-utils-use-SystemRandom-when-generating-random-passwo.patch Signed-off-by: Eduardo Otubo <otubo@redhat.com>
32 lines
1003 B
Diff
32 lines
1003 B
Diff
From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001
|
|
From: Dimitri John Ledkov <xnox@ubuntu.com>
|
|
Date: Tue, 18 Feb 2020 17:03:24 +0000
|
|
Subject: [PATCH] utils: use SystemRandom when generating random password.
|
|
(#204)
|
|
|
|
As noticed by Seth Arnold, non-deterministic SystemRandom should be
|
|
used when creating security sensitive random strings.
|
|
---
|
|
cloudinit/util.py | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/cloudinit/util.py b/cloudinit/util.py
|
|
index d99e82fa..c02b3d9a 100644
|
|
--- a/cloudinit/util.py
|
|
+++ b/cloudinit/util.py
|
|
@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
|
|
|
|
|
|
def rand_str(strlen=32, select_from=None):
|
|
+ r = random.SystemRandom()
|
|
if not select_from:
|
|
select_from = string.ascii_letters + string.digits
|
|
- return "".join([random.choice(select_from) for _x in range(0, strlen)])
|
|
+ return "".join([r.choice(select_from) for _x in range(0, strlen)])
|
|
|
|
|
|
def rand_dict_key(dictionary, postfix=None):
|
|
--
|
|
2.18.1
|
|
|