-rw-r--r-- | community/cloud-init/APKBUILD | 8 | ||||
-rw-r--r-- | community/cloud-init/CVE-2021-3429.patch | 115 |
2 files changed, 122 insertions, 1 deletions
diff --git a/community/cloud-init/APKBUILD b/community/cloud-init/APKBUILD
index 608c8be8dc6..48376789ee6 100644
--- a/community/cloud-init/APKBUILD
+++ b/community/cloud-init/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Dermot Bradley <dermot_bradley@yahoo.com>
 pkgname=cloud-init
 pkgver=20.4.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Cloud instance init scripts"
 url="https://cloud-init.io"
 # Dependant package "cloud-utils-growpart" is not available for mips,
@@ -33,12 +33,17 @@ subpackages="$pkgname-doc $pkgname-bash-completion $pkgname-openrc"
 source="cloud-init-$pkgver.tar.gz::https://github.com/canonical/cloud-init/archive/$pkgver.tar.gz
 01-oauthlib-remove.patch
 02-hosts-template-fix.patch
+CVE-2021-3429.patch
 interfaces
 setup-cloud-init
 README.Alpine
 "
 install="$pkgname.post-install"
 
+# secfixes:
+# 20.4.1-r1:
+# - CVE-2021-3429
+
 prepare() {
 default_prepare
 }
@@ -92,6 +97,7 @@ package() {
 sha512sums="7d30c5540a793202889a9e7d891323cfb782d807542f7eac0e53a497b72785d0f4d33d3fe6cfc01704aba30e7246d4b3179b95c5f2ddf79b264479247f305289 cloud-init-20.4.1.tar.gz
 c14ce3b27c55d1c381e27b2898bb73da8a74c53480d496bdfc87318b69fb612678205ab5a686c1ce703ef5c2c7a8529f629c8f908aeff39524d36870a83c1929 01-oauthlib-remove.patch
 444b15f0d81138f7f3767bc10b0bee29ff10fa8b74dfc3542e1abe20d745f09bb2e36cb30ef8035a677ba81af80743207fbd9973d7cb4f33ca37891ae7493916 02-hosts-template-fix.patch
+469be5ef480ebfc0856e265822d5f43f28f6ae5fe2cbb7e5c240660fc24c31cb7a3c84178c2e3594fa13b6362048fdbb6a3632865868f4dcb4463a346b19759a CVE-2021-3429.patch
 48b25ec4457c2b3772a7d210033551d041749a0d1869818d888030e6df7fd9bbc13a38b95cf465de3d46d96881a722f94a337584ce48f280c4a52b819586563a interfaces
 f32b90f26d1df0d88fbea7a1a9ab6704a20babdb750b933484bb7c4e91cc19a587d4bfbc95489a354003ecd00795d1592e71b4b93eccd41e392bb7170bfebb0e setup-cloud-init
 2a491afea3ea979d0910f0b21739ee3bfb902ddfe66a8162eb1dd477475c4185ac85afc6522e979015d966f4b984b151cb4b6515aec6ce6eaf7e13ac7def1b5f README.Alpine"
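Review bot: The secfixes comment added after `install=` appears here with all three lines flush left, but Alpine's secfixes block is parsed as YAML embedded in the comment and needs the release nested under `secfixes:` and the CVE nested under the release: `# secfixes:` / `#   20.4.1-r1:` / `#     - CVE-2021-3429`. The indentation may only have been lost in this rendering of the diff, so check the committed APKBUILD; if it really is flat, the secdb tooling will not attribute CVE-2021-3429 to 20.4.1-r1. Separately, the umask change carried by CVE-2021-3429.patch only governs files created after the upgrade, so an existing 0644 /var/log/cloud-init-output.log on already-deployed instances stays world-readable; if the package wants to close that, a `$pkgname.post-upgrade` script listed alongside the existing post-install in `install=` is the usual place.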
diff --git a/community/cloud-init/CVE-2021-3429.patch b/community/cloud-init/CVE-2021-3429.patch
new file mode 100644
index 00000000000..d98a7ee33b0
--- /dev/null
+++ b/community/cloud-init/CVE-2021-3429.patch
@@ -0,0 +1,115 @@
+Write passwords only to serial console, lock down cloud-init-output.log
+
+Fixes CVE-2021-3429.
+
+Prior to this commit, when a user specified configuration which would
+generate random passwords for users, cloud-init would cause those
+passwords to be written to the serial console by emitting them on
+stderr. In the default configuration, any stdout or stderr emitted by
+cloud-init is also written to /var/log/cloud-init-output.log. This
+file is world-readable, meaning that those randomly-generated passwords
+were available to be read by any user with access to the system. This
+presents an obvious security issue.
+
+Upstream: Yes
+
+---
+
+diff -aur a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -78,7 +78,6 @@
+ """
+ 
+ import re
+-import sys
+ 
+ from cloudinit.distros import ug_util
+ from cloudinit import log as logging
+@@ -214,7 +213,9 @@
+ if len(randlist):
+ blurb = ("Set the following 'random' passwords\n",
+ '\n'.join(randlist))
+- sys.stderr.write("%s\n%s\n" % blurb)
++ util.multi_log(
++ "%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False
++ )
+ 
+ if expire:
+ expired_users = []
+diff -aur a/cloudinit/util.py b/cloudinit/util.py
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -359,7 +359,7 @@
+ 
+ 
+ def multi_log(text, console=True, stderr=True,
+- log=None, log_level=logging.DEBUG):
++ log=None, log_level=logging.DEBUG, fallback_to_stdout=True):
+ if stderr:
+ sys.stderr.write(text)
+ if console:
+@@ -368,7 +368,7 @@
+ with open(conpath, 'w') as wfh:
+ wfh.write(text)
+ wfh.flush()
+- else:
++ elif fallback_to_stdout:
+ # A container may lack /dev/console (arguably a container bug). If
+ # it does not exist, then write output to stdout. this will result
+ # in duplicate stderr and stdout messages if stderr was True.
+@@ -623,6 +623,26 @@
+ if not o_err:
+ o_err = sys.stderr
+ 
++ # pylint: disable=subprocess-popen-preexec-fn
++ def set_subprocess_umask_and_gid():
++ """Reconfigure umask and group ID to create output files securely.
++
++ This is passed to subprocess.Popen as preexec_fn, so it is executed in
++ the context of the newly-created process. It:
++
++ * sets the umask of the process so created files aren't world-readable
++ * if an adm group exists in the system, sets that as the process' GID
++ (so that the created file(s) are owned by root:adm)
++ """
++ os.umask(0o037)
++ try:
++ group_id = grp.getgrnam("adm").gr_gid
++ except KeyError:
++ # No adm group, don't set a group
++ pass
++ else:
++ os.setgid(group_id)
++
+ if outfmt:
+ LOG.debug("Redirecting %s to %s", o_out, outfmt)
+ (mode, arg) = outfmt.split(" ", 1)
+@@ -632,7 +652,12 @@
+ owith = "wb"
+ new_fp = open(arg, owith)
+ elif mode == "|":
+- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++ proc = subprocess.Popen(
++ arg,
++ shell=True,
++ stdin=subprocess.PIPE,
++ preexec_fn=set_subprocess_umask_and_gid,
++ )
+ new_fp = proc.stdin
+ else:
+ raise TypeError("Invalid type for output format: %s" % outfmt)
+@@ -654,7 +679,12 @@
+ owith = "wb"
+ new_fp = open(arg, owith)
+ elif mode == "|":
+- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++ proc = subprocess.Popen(
++ arg,
++ shell=True,
++ stdin=subprocess.PIPE,
++ preexec_fn=set_subprocess_umask_and_gid,
++ )
+ new_fp = proc.stdin
+ else:
+ raise TypeError("Invalid type for error format: %s" % errfmt)
|
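Review bot: `set_subprocess_umask_and_gid` only narrows the mode of files the `|` redirect target creates, so a /var/log/cloud-init-output.log that already exists from an earlier boot keeps whatever mode it has (0644 per the description) because a umask never changes an existing file; either a one-time chmod/chown of the existing log next to the Popen call, or a line in the description saying already-deployed instances must fix it themselves, would close that gap. In the same helper, an `os.setgid` failure (for example when cloud-init is not running as root) surfaces from Popen as `subprocess.SubprocessError` rather than falling through to the `|` redirect, which is presumably acceptable since only root reaches this path, but it deserves a comment on the `else:` branch such as `# Only root can setgid; a failure aborts the redirect rather than leaving a world-readable log`. The `fallback_to_stdout=False` call in cc_set_passwords.py means that on a host without /dev/console the random passwords are written nowhere, assuming the hidden condition above `elif fallback_to_stdout:` is the /dev/console existence check the comment describes; that is the intended trade-off but should be stated at the call site, e.g. `# Passwords go only to /dev/console; if it is absent they are dropped rather than written to stdout/stderr and the world-readable output log`. The function in util.py that now defines the preexec helper starts and ends outside this hunk, as does the caller of multi_log in cc_set_passwords.py.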