aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDermot Bradley <dermot_bradley@yahoo.com>2021-03-20 02:44:00 +0000
committerDermot Bradley <dermot_bradley@yahoo.com>2021-03-20 02:46:16 +0000
commita15cef0a2e412b240d2f4aa6c1057cd8cd3bec41 (patch)
tree27892549d467d0db89cc744b226d1f575d8dca6d
parent54cefe59f418f66039c4f4c2b6370c8d14286f4e (diff)
downloadaports-a15cef0a2e412b240d2f4aa6c1057cd8cd3bec41.tar.gz
aports-a15cef0a2e412b240d2f4aa6c1057cd8cd3bec41.tar.bz2
aports-a15cef0a2e412b240d2f4aa6c1057cd8cd3bec41.tar.xz
[3.13] community/cloud-init: fix CVE-2021-3429
-rw-r--r--community/cloud-init/APKBUILD8
-rw-r--r--community/cloud-init/CVE-2021-3429.patch115
2 files changed, 122 insertions, 1 deletions
diff --git a/community/cloud-init/APKBUILD b/community/cloud-init/APKBUILD
index 608c8be8dc..48376789ee 100644
--- a/community/cloud-init/APKBUILD
+++ b/community/cloud-init/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Dermot Bradley <dermot_bradley@yahoo.com>
pkgname=cloud-init
pkgver=20.4.1
-pkgrel=0
+pkgrel=1
pkgdesc="Cloud instance init scripts"
url="https://cloud-init.io"
# Dependant package "cloud-utils-growpart" is not available for mips,
@@ -33,12 +33,17 @@ subpackages="$pkgname-doc $pkgname-bash-completion $pkgname-openrc"
source="cloud-init-$pkgver.tar.gz::https://github.com/canonical/cloud-init/archive/$pkgver.tar.gz
01-oauthlib-remove.patch
02-hosts-template-fix.patch
+ CVE-2021-3429.patch
interfaces
setup-cloud-init
README.Alpine
"
install="$pkgname.post-install"
+# secfixes:
+# 20.4.1-r1:
+# - CVE-2021-3429
+
prepare() {
default_prepare
}
@@ -92,6 +97,7 @@ package() {
sha512sums="7d30c5540a793202889a9e7d891323cfb782d807542f7eac0e53a497b72785d0f4d33d3fe6cfc01704aba30e7246d4b3179b95c5f2ddf79b264479247f305289 cloud-init-20.4.1.tar.gz
c14ce3b27c55d1c381e27b2898bb73da8a74c53480d496bdfc87318b69fb612678205ab5a686c1ce703ef5c2c7a8529f629c8f908aeff39524d36870a83c1929 01-oauthlib-remove.patch
444b15f0d81138f7f3767bc10b0bee29ff10fa8b74dfc3542e1abe20d745f09bb2e36cb30ef8035a677ba81af80743207fbd9973d7cb4f33ca37891ae7493916 02-hosts-template-fix.patch
+469be5ef480ebfc0856e265822d5f43f28f6ae5fe2cbb7e5c240660fc24c31cb7a3c84178c2e3594fa13b6362048fdbb6a3632865868f4dcb4463a346b19759a CVE-2021-3429.patch
48b25ec4457c2b3772a7d210033551d041749a0d1869818d888030e6df7fd9bbc13a38b95cf465de3d46d96881a722f94a337584ce48f280c4a52b819586563a interfaces
f32b90f26d1df0d88fbea7a1a9ab6704a20babdb750b933484bb7c4e91cc19a587d4bfbc95489a354003ecd00795d1592e71b4b93eccd41e392bb7170bfebb0e setup-cloud-init
2a491afea3ea979d0910f0b21739ee3bfb902ddfe66a8162eb1dd477475c4185ac85afc6522e979015d966f4b984b151cb4b6515aec6ce6eaf7e13ac7def1b5f README.Alpine"
diff --git a/community/cloud-init/CVE-2021-3429.patch b/community/cloud-init/CVE-2021-3429.patch
new file mode 100644
index 0000000000..d98a7ee33b
--- /dev/null
+++ b/community/cloud-init/CVE-2021-3429.patch
@@ -0,0 +1,115 @@
+Write passwords only to serial console, lock down cloud-init-output.log
+
+Fixes CVE-2021-3429.
+
+Prior to this commit, when a user specified configuration which would
+generate random passwords for users, cloud-init would cause those
+passwords to be written to the serial console by emitting them on
+stderr. In the default configuration, any stdout or stderr emitted by
+cloud-init is also written to /var/log/cloud-init-output.log. This
+file is world-readable, meaning that those randomly-generated passwords
+were available to be read by any user with access to the system. This
+presents an obvious security issue.
+
+Upstream: Yes
+
+---
+
+diff -aur a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -78,7 +78,6 @@
+ """
+
+ import re
+-import sys
+
+ from cloudinit.distros import ug_util
+ from cloudinit import log as logging
+@@ -214,7 +213,9 @@
+ if len(randlist):
+ blurb = ("Set the following 'random' passwords\n",
+ '\n'.join(randlist))
+- sys.stderr.write("%s\n%s\n" % blurb)
++ util.multi_log(
++ "%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False
++ )
+
+ if expire:
+ expired_users = []
+diff -aur a/cloudinit/util.py b/cloudinit/util.py
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -359,7 +359,7 @@
+
+
+ def multi_log(text, console=True, stderr=True,
+- log=None, log_level=logging.DEBUG):
++ log=None, log_level=logging.DEBUG, fallback_to_stdout=True):
+ if stderr:
+ sys.stderr.write(text)
+ if console:
+@@ -368,7 +368,7 @@
+ with open(conpath, 'w') as wfh:
+ wfh.write(text)
+ wfh.flush()
+- else:
++ elif fallback_to_stdout:
+ # A container may lack /dev/console (arguably a container bug). If
+ # it does not exist, then write output to stdout. this will result
+ # in duplicate stderr and stdout messages if stderr was True.
+@@ -623,6 +623,26 @@
+ if not o_err:
+ o_err = sys.stderr
+
++ # pylint: disable=subprocess-popen-preexec-fn
++ def set_subprocess_umask_and_gid():
++ """Reconfigure umask and group ID to create output files securely.
++
++ This is passed to subprocess.Popen as preexec_fn, so it is executed in
++ the context of the newly-created process. It:
++
++ * sets the umask of the process so created files aren't world-readable
++ * if an adm group exists in the system, sets that as the process' GID
++ (so that the created file(s) are owned by root:adm)
++ """
++ os.umask(0o037)
++ try:
++ group_id = grp.getgrnam("adm").gr_gid
++ except KeyError:
++ # No adm group, don't set a group
++ pass
++ else:
++ os.setgid(group_id)
++
+ if outfmt:
+ LOG.debug("Redirecting %s to %s", o_out, outfmt)
+ (mode, arg) = outfmt.split(" ", 1)
+@@ -632,7 +652,12 @@
+ owith = "wb"
+ new_fp = open(arg, owith)
+ elif mode == "|":
+- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++ proc = subprocess.Popen(
++ arg,
++ shell=True,
++ stdin=subprocess.PIPE,
++ preexec_fn=set_subprocess_umask_and_gid,
++ )
+ new_fp = proc.stdin
+ else:
+ raise TypeError("Invalid type for output format: %s" % outfmt)
+@@ -654,7 +679,12 @@
+ owith = "wb"
+ new_fp = open(arg, owith)
+ elif mode == "|":
+- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++ proc = subprocess.Popen(
++ arg,
++ shell=True,
++ stdin=subprocess.PIPE,
++ preexec_fn=set_subprocess_umask_and_gid,
++ )
+ new_fp = proc.stdin
+ else:
+ raise TypeError("Invalid type for error format: %s" % errfmt)