fix CVE-2020-8631 CVE-2020-8632

2020-12-09 10:17:30 +08:00 · 2020-12-09 10:17:30 +08:00 · bc87085215
commit bc87085215
parent 75fcea07f3
3 changed files with 69 additions and 1 deletions
--- a/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
+++ b/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
@ -0,0 +1,31 @@
 From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001
 From: Dimitri John Ledkov <xnox@ubuntu.com>
 Date: Tue, 18 Feb 2020 17:03:24 +0000
 Subject: [PATCH] utils: use SystemRandom when generating random
 password. (#204)
 As noticed by Seth Arnold, non-deterministic SystemRandom should be
 used when creating security sensitive random strings.
 ---
 cloudinit/util.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/cloudinit/util.py b/cloudinit/util.py
 index d99e82f..c02b3d9 100644
 --- a/cloudinit/util.py
 +++ b/cloudinit/util.py
@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
 def rand_str(strlen=32, select_from=None):
 +    r = random.SystemRandom()
     if not select_from:
         select_from = string.ascii_letters + string.digits
 -    return "".join([random.choice(select_from) for _x in range(0, strlen)])
 +    return "".join([r.choice(select_from) for _x in range(0, strlen)])
 def rand_dict_key(dictionary, postfix=None):
 -- 
 1.8.3.1
--- a/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+++ b/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
@ -0,0 +1,29 @@
 From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001
 From: Ryan Harper <ryan.harper@canonical.com>
 Date: Fri, 24 Jan 2020 21:33:12 +0200
 Subject: [PATCH] cc_set_password: increase random pwlength from 9 to
 20 (#189)
 Increasing the bits of security from 52 to 115.
 LP: #1860795
 ---
 cloudinit/config/cc_set_passwords.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
 index e3b39d8..4943d54 100755
 --- a/cloudinit/config/cc_set_passwords.py
 +++ b/cloudinit/config/cc_set_passwords.py
@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
         raise errors[-1]
 -def rand_user_password(pwlen=9):
 +def rand_user_password(pwlen=20):
     return util.rand_str(pwlen, select_from=PW_SET)
 -- 
 1.8.3.1
--- a/cloud-init.spec
+++ b/cloud-init.spec
@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 19.4
-Release: 1
+Release: 2
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@ -13,6 +13,8 @@ Patch2: cloud-init-19.4-no-override-default-network.patch
 Patch3: bugfix-cloud-init-add-openEuler-os.patch
 Patch4: bugfix-sort-requirements.patch
 Patch5: add-variable-to-forbid-tmp-dir.patch
 Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
 Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@ -119,6 +121,12 @@ fi
 %exclude /usr/share/doc/*
 %changelog
 * Wed Dec 9 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 19.4-2
 - Type:bugfix
 - ID:CVE-2020-8631 CVE-2020-8632
 - SUG:NA
 - DESC:fix CVE-2020-8631 CVE-2020-8632
 * Mon Aug 3 2020 chengquan <chengquan3@huawei.com> - 19.4-1
 - Update software to v19.4