diff --git a/cloud-init-long-pass.patch b/cloud-init-long-pass.patch
new file mode 100644
index 0000000..08fa87c
--- /dev/null
+++ b/cloud-init-long-pass.patch
@@ -0,0 +1,11 @@
+--- cloudinit/config/cc_set_passwords.py.orig
++++ cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args)
+ raise errors[-1]
+
+
+-def rand_user_password(pwlen=9):
++def rand_user_password(pwlen=20):
+ return util.rand_str(pwlen, select_from=PW_SET)
+
+
diff --git a/cloud-init-use-different-random-src.diff b/cloud-init-use-different-random-src.diff
new file mode 100644
index 0000000..bdbe684
--- /dev/null
+++ b/cloud-init-use-different-random-src.diff
@@ -0,0 +1,16 @@
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index d99e82fa5..c02b3d9a5 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
+
+
+ def rand_str(strlen=32, select_from=None):
++ r = random.SystemRandom()
+ if not select_from:
+ select_from = string.ascii_letters + string.digits
+- return "".join([random.choice(select_from) for _x in range(0, strlen)])
++ return "".join([r.choice(select_from) for _x in range(0, strlen)])
+
+
+ def rand_dict_key(dictionary, postfix=None):
diff --git a/cloud-init-write-routes.patch b/cloud-init-write-routes.patch
index 348d606..92573e8 100644
--- a/cloud-init-write-routes.patch
+++ b/cloud-init-write-routes.patch
@@ -8,7 +8,7 @@
 from cloudinit import helpers
 from cloudinit import log as logging
-@@ -172,7 +173,47 @@ class Distro(distros.Distro):
+@@ -172,7 +173,53 @@ class Distro(distros.Distro):
 util.write_file(out_fn, str(conf), 0o644)
 def _write_network_config(self, netconfig):
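Review bot: In cloud-init-long-pass.patch, the new default `pwlen=20` on `rand_user_password` has no comment saying why it was chosen, and the extra length only adds strength if `util.rand_str` draws from an unpredictable source. In this package that property comes from a separate patch, cloud-init-use-different-random-src.diff, so dropping either patch during a rebase would quietly weaken generated passwords. I would record the dependency next to the function: `# Default length raised for CVE-2020-8632; strength relies on util.rand_str using random.SystemRandom.` Callers that pass an explicit smaller `pwlen` are not visible here and are unaffected by the new default, so they are worth checking.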
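Review bot: In cloud-init-use-different-random-src.diff, `r = random.SystemRandom()` is added to `rand_str` without a comment, so a later cleanup could switch the comprehension back to `random.choice` without noticing the security impact. A one-line comment would guard against that: `# SystemRandom reads from os.urandom; rand_str output is used for generated passwords (CVE-2020-8631)`. The instance is also rebuilt on every call; a module-level `_SYSRAND = random.SystemRandom()` would behave the same. `rand_dict_key`, whose body lies outside the hunk, and any other use of the module-level `random` in util.py should be checked for values that must be unpredictable.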
@@ -34,12 +34,18 @@
 + for subnet in subnets:
 + routes = subnet.get('routes', [])
 + for route in routes:
-+ dest = route.get('network')
++ dest = route.get('destination')
 + if dest in default_nets:
 + dest = 'default'
 + if dest != 'default':
-+ prefix = mask_to_net_prefix(route.get('netmask'))
-+ dest += '/' + str(prefix)
++ netmask = route.get('genmask')
++ if netmask:
++ prefix = mask_to_net_prefix(netmask)
++ dest += '/' + str(prefix)
++ if '/' not in dest:
++ LOG.warning(
++ 'Route destination has no prefix "%s"', dest
++ )
 + gateway = route.get('gateway')
 + config_routes += ' '.join(
 + [dest, gateway, '-', '-\n']
diff --git a/cloud-init.changes b/cloud-init.changes
index 30d104a..74c5cf2 100644
--- a/cloud-init.changes
+++ b/cloud-init.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Feb 13 14:07:50 UTC 2020 - Robert Schweikert
+
+- Add cloud-init-long-pass.patch (bsc#1162936, CVE-2020-8632)
+ + Increase the default length of generated passwords
+
+-------------------------------------------------------------------
+Wed Feb 12 22:37:57 UTC 2020 - Robert Schweikert
+
+- Add cloud-init-use-different-random-src.diff (bsc#1162937, CVE-2020-8631)
+ + Use non-deterministic generator for password generation.
+
+-------------------------------------------------------------------
+Wed Feb 12 19:30:42 UTC 2020 - Robert Schweikert
+
+- Update cloud-init-write-routes.patch (bsc#1163178)
+ + Entries in the routes definition have changed causing a traceback
+ during rout config file writing. This patch update addresses the
+ issue by extracting the new entries properly.
+
 -------------------------------------------------------------------
 Fri Jan 17 18:55:41 UTC 2020 - Robert Schweikert
diff --git a/cloud-init.spec b/cloud-init.spec
index e1400b6..c6cd5f2 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
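Review bot: A route entry with no `destination` key still ends in a traceback, because `dest` is None and `if '/' not in dest` (or `dest += '/' + str(prefix)` when a genmask is present) raises TypeError, which is the failure the changelog says this update removes. A guard right after the lookup would cover it: `if not dest:` then `LOG.warning('Route has no destination: %s', route)` then `continue`. Separately, the new prefix-less warning only logs and the route is still appended to `config_routes`, and a destination that already carries a `/prefix` alongside a `genmask` would get a second suffix; both cases deserve an explicit decision. The same None concern applies to `gateway` in the unchanged `' '.join(...)` call. The enclosing `_write_network_config` starts and ends outside this hunk.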
@@ -45,6 +45,8 @@ Patch55: cloud-init-mix-static-dhcp.patch
 Patch56: cloud-init-sysconf-path.patch
 # FIXME (lp#1860164)
 Patch57: cloud-init-no-tempnet-oci.patch
+Patch58: cloud-init-use-different-random-src.diff
+Patch59: cloud-init-long-pass.patch
 BuildRequires: fdupes
 BuildRequires: filesystem
@@ -190,6 +192,8 @@ Documentation and examples for cloud-init tools
 %patch55 -p0
 %patch56
 %patch57
+%patch58 -p1
+%patch59
 %build
 %if 0%{?suse_version} && 0%{?suse_version} <= 1315