From 3bb80bd89af0cb657cf0cd0fbe85097b15db06eabf9f6db0919474374b5e6909 Mon Sep 17 00:00:00 2001 From: Robert Schweikert Date: Wed, 12 Feb 2020 19:33:31 +0000 Subject: [PATCH 1/3] - Update cloud-init-write-routes.patch (bsc#1163178) + Entries in the routes definition have changed causing a traceback during rout config file writing. This patch update addresses the issue by extracting the new entries properly. OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=161 --- cloud-init-write-routes.patch | 14 ++++++++++---- cloud-init.changes | 8 ++++++++ 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/cloud-init-write-routes.patch b/cloud-init-write-routes.patch index 348d606..92573e8 100644 --- a/cloud-init-write-routes.patch +++ b/cloud-init-write-routes.patch @@ -8,7 +8,7 @@ from cloudinit import helpers from cloudinit import log as logging -@@ -172,7 +173,47 @@ class Distro(distros.Distro): +@@ -172,7 +173,53 @@ class Distro(distros.Distro): util.write_file(out_fn, str(conf), 0o644) def _write_network_config(self, netconfig): @@ -34,12 +34,18 @@ + for subnet in subnets: + routes = subnet.get('routes', []) + for route in routes: -+ dest = route.get('network') ++ dest = route.get('destination') + if dest in default_nets: + dest = 'default' + if dest != 'default': -+ prefix = mask_to_net_prefix(route.get('netmask')) -+ dest += '/' + str(prefix) ++ netmask = route.get('genmask') ++ if netmask: ++ prefix = mask_to_net_prefix(netmask) ++ dest += '/' + str(prefix) ++ if '/' not in dest: ++ LOG.warning( ++ 'Route destination has no prefix "%s"', dest ++ ) + gateway = route.get('gateway') + config_routes += ' '.join( + [dest, gateway, '-', '-\n'] diff --git a/cloud-init.changes b/cloud-init.changes index 30d104a..dfbf5f0 100644 --- a/cloud-init.changes +++ b/cloud-init.changes 
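Review bot: In the `@@ -34,12 +34,18 @@` hunk of cloud-init-write-routes.patch, a route entry that lacks `destination` or `gateway` still ends in a traceback. A None `dest` reaches `dest += '/' + str(prefix)` or `'/' not in dest`, and a None `gateway` breaks the `' '.join([...])` call. Since this update exists to stop a traceback caused by renamed keys, the loop should skip incomplete entries: look up `gateway` before the prefix handling, then add `if not dest or not gateway:` / `LOG.warning('Skipping incomplete route %s', route)` / `continue`. If a destination can already carry a prefix, the `genmask` branch appends a second one, so the `'/' not in dest` test would be safer made before the append. `_write_network_config` starts and ends outside this hunk, so it cannot be confirmed from here whether a route that triggers the new warning should still be written to the file.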
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Feb 12 19:30:42 UTC 2020 - Robert Schweikert + +- Update cloud-init-write-routes.patch (bsc#1163178) + + Entries in the routes definition have changed causing a traceback + during rout config file writing. This patch update addresses the + issue by extracting the new entries properly. + ------------------------------------------------------------------- Fri Jan 17 18:55:41 UTC 2020 - Robert Schweikert From d3536e70a5ba423f1a37fd33a83d659f8d7684759eba531ecd37ffdb34f4cf03 Mon Sep 17 00:00:00 2001 From: Robert Schweikert Date: Wed, 12 Feb 2020 22:40:02 +0000 Subject: [PATCH 2/3] - Add cloud-init-use-different-random-src.diff (bsc#1162937, CVE-2020-8631) + Use non-deterministic generator for password generation. OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=162 --- cloud-init-use-different-random-src.diff | 16 ++++++++++++++++ cloud-init.changes | 6 ++++++ cloud-init.spec | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 cloud-init-use-different-random-src.diff diff --git a/cloud-init-use-different-random-src.diff b/cloud-init-use-different-random-src.diff new file mode 100644 index 0000000..bdbe684 --- /dev/null +++ b/cloud-init-use-different-random-src.diff @@ -0,0 +1,16 @@ +diff --git a/cloudinit/util.py b/cloudinit/util.py +index d99e82fa5..c02b3d9a5 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -397,9 +397,10 @@ def translate_bool(val, addons=None): + + + def rand_str(strlen=32, select_from=None): ++ r = random.SystemRandom() + if not select_from: + select_from = string.ascii_letters + string.digits +- return "".join([random.choice(select_from) for _x in range(0, strlen)]) ++ return "".join([r.choice(select_from) for _x in range(0, strlen)]) + + + def rand_dict_key(dictionary, postfix=None): diff --git a/cloud-init.changes b/cloud-init.changes index dfbf5f0..2d2beda 100644 --- a/cloud-init.changes 
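Review bot: In cloud-init-use-different-random-src.diff, the new `r = random.SystemRandom()` line in `rand_str` has no comment or docstring saying the output must come from the OS randomness source. Nothing stops a later cleanup from reverting to `random.choice` and reopening CVE-2020-8631. I would add above it `# SystemRandom reads from os.urandom; rand_str feeds password generation, so do not switch back to the module-level random functions`. As a style point, the generator is rebuilt on every call, and a single module-level instance would serve equally well. `rand_dict_key` follows directly after the hunk but its body is not visible, so any remaining module-level `random` use in util.py should be checked for security-relevant callers.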
+++ b/cloud-init.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Feb 12 22:37:57 UTC 2020 - Robert Schweikert + +- Add cloud-init-use-different-random-src.diff (bsc#1162937, CVE-2020-8631) + + Use non-deterministic generator for password generation. + ------------------------------------------------------------------- Wed Feb 12 19:30:42 UTC 2020 - Robert Schweikert diff --git a/cloud-init.spec b/cloud-init.spec index e1400b6..29cbe9d 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -45,6 +45,7 @@ Patch55: cloud-init-mix-static-dhcp.patch Patch56: cloud-init-sysconf-path.patch # FIXME (lp#1860164) Patch57: cloud-init-no-tempnet-oci.patch +Patch58: cloud-init-use-different-random-src.diff BuildRequires: fdupes BuildRequires: filesystem @@ -190,6 +191,7 @@ Documentation and examples for cloud-init tools %patch55 -p0 %patch56 %patch57 +%patch58 -p1 %build %if 0%{?suse_version} && 0%{?suse_version} <= 1315 From 1b2a3c0e235cfba3bd2994bcd82f72e25351cf08c6ce8fbb94b98ad9a86a13e8 Mon Sep 17 00:00:00 2001 From: Robert Schweikert Date: Thu, 13 Feb 2020 14:08:57 +0000 Subject: [PATCH 3/3] - Add cloud-init-long-pass.patch (bsc#1162936, CVE-2020-8632) + Increase the default length of generated passwords OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=163 --- cloud-init-long-pass.patch | 11 +++++++++++ cloud-init.changes | 6 ++++++ cloud-init.spec | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 cloud-init-long-pass.patch diff --git a/cloud-init-long-pass.patch b/cloud-init-long-pass.patch new file mode 100644 index 0000000..08fa87c --- /dev/null +++ b/cloud-init-long-pass.patch 
@@ -0,0 +1,11 @@ +--- cloudinit/config/cc_set_passwords.py.orig ++++ cloudinit/config/cc_set_passwords.py +@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args) + raise errors[-1] + + +-def rand_user_password(pwlen=9): ++def rand_user_password(pwlen=20): + return util.rand_str(pwlen, select_from=PW_SET) + + diff --git a/cloud-init.changes b/cloud-init.changes index 2d2beda..74c5cf2 100644 --- a/cloud-init.changes +++ b/cloud-init.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Feb 13 14:07:50 UTC 2020 - Robert Schweikert + +- Add cloud-init-long-pass.patch (bsc#1162936, CVE-2020-8632) + + Increase the default length of generated passwords + ------------------------------------------------------------------- Wed Feb 12 22:37:57 UTC 2020 - Robert Schweikert diff --git a/cloud-init.spec b/cloud-init.spec index 29cbe9d..c6cd5f2 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -46,6 +46,7 @@ Patch56: cloud-init-sysconf-path.patch # FIXME (lp#1860164) Patch57: cloud-init-no-tempnet-oci.patch Patch58: cloud-init-use-different-random-src.diff +Patch59: cloud-init-long-pass.patch BuildRequires: fdupes BuildRequires: filesystem @@ -192,6 +193,7 @@ Documentation and examples for cloud-init tools %patch56 %patch57 %patch58 -p1 +%patch59 %build %if 0%{?suse_version} && 0%{?suse_version} <= 1315
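Review bot: In cloud-init-long-pass.patch, the new default `pwlen=20` on `rand_user_password` is a bare number with no comment or docstring tying it to a strength target. The effective strength also depends on the size of `PW_SET`, which is defined outside this hunk. I would add a one-line docstring such as `"""Return a random password of pwlen characters drawn from PW_SET (default length raised for CVE-2020-8632)."""`. Only the default changes, so a caller that passes a smaller `pwlen` explicitly still gets a short password. No such caller is visible here, but if one exists a lower-bound check inside the function would be needed to cover it.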