diff --git a/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch b/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c2d86f38c58048bdc01967a0086bca5f63f690ce
--- /dev/null
+++ b/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
@@ -0,0 +1,31 @@
+From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Tue, 18 Feb 2020 17:03:24 +0000
+Subject: [PATCH] utils: use SystemRandom when generating random
+ password. (#204)
+
+As noticed by Seth Arnold, non-deterministic SystemRandom should be
+used when creating security sensitive random strings.
+---
+ cloudinit/util.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index d99e82f..c02b3d9 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -397,9 +397,10 @@ def translate_bool(val, addons=None):
+
+
+ def rand_str(strlen=32, select_from=None):
++ r = random.SystemRandom()
+ if not select_from:
+ select_from = string.ascii_letters + string.digits
+- return "".join([random.choice(select_from) for _x in range(0, strlen)])
++ return "".join([r.choice(select_from) for _x in range(0, strlen)])
+
+
+ def rand_dict_key(dictionary, postfix=None):
+--
+1.8.3.1
+
diff --git a/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch b/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e48e8214a99d754f64c53e07b77ef12e084d0f50
--- /dev/null
+++ b/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
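Review bot: The new `r = random.SystemRandom()` line in `rand_str` carries no comment saying why the module-level `random.choice` it replaces was unsuitable, so a later cleanup could reintroduce it; the reason lives only in the patch header. Suggest `# SystemRandom draws from os.urandom; the module-level random.* functions are deterministically seeded and must not be used for passwords (CVE-2020-8631).` above that line, plus a short docstring on `rand_str` stating it is meant for security-sensitive strings. The changed return line still builds a throwaway list inside `"".join([...])` with an unused `_x`; `"".join(r.choice(select_from) for _ in range(strlen))` is the idiomatic form, though as a verbatim upstream backport that is better raised upstream than altered here.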
@@ -0,0 +1,29 @@
+From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001
+From: Ryan Harper
+Date: Fri, 24 Jan 2020 21:33:12 +0200
+Subject: [PATCH] cc_set_password: increase random pwlength from 9 to
+ 20 (#189)
+
+Increasing the bits of security from 52 to 115.
+
+LP: #1860795
+---
+ cloudinit/config/cc_set_passwords.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+index e3b39d8..4943d54 100755
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
+ raise errors[-1]
+
+
+-def rand_user_password(pwlen=9):
++def rand_user_password(pwlen=20):
+ return util.rand_str(pwlen, select_from=PW_SET)
+
+
+--
+1.8.3.1
+
diff --git a/cloud-init.spec b/cloud-init.spec
index 86c5944f7f487e6bf1c2468f48b85a2da33732aa..3014dfb5cc20ddfdb381ca26bd93cdbb4244ac1c 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 19.4
-Release: 1
+Release: 2
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -14,6 +14,8 @@ Patch2: cloud-init-19.4-no-override-default-network.patch
 Patch3: bugfix-cloud-init-add-openEuler-os.patch
 Patch4: bugfix-sort-requirements.patch
 Patch5: add-variable-to-forbid-tmp-dir.patch
+Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch
+Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
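Review bot: Changing `def rand_user_password(pwlen=9)` to `pwlen=20` only moves the default; any caller that passes `pwlen` explicitly keeps its own length, and no call site is visible in this hunk (only the tail of `handle`, `raise errors[-1]`, is shown above it), so confirm none of them pin a short value. The 52-to-115-bit figure in the patch header presumes the size of `PW_SET`, which is also outside the hunk. A docstring such as `"""Return a random password of pwlen characters drawn from PW_SET; the default length targets roughly 115 bits of entropy."""` would keep that reasoning next to the constant rather than only in the backport's commit message.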
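Review bot: `Patch6` and `Patch7` are declared here, but whether `%prep` applies them is outside this hunk; a declared-but-unapplied patch builds cleanly while leaving both CVEs unfixed, and the new changelog entry would then misstate the package's status. Both backport files carry `a/` and `b/` path prefixes, so they need strip level 1 — confirm `%prep` uses `%autosetup -p1` or gains explicit `%patch6 -p1` and `%patch7 -p1` lines. The two patches touch different files (`cloudinit/util.py` and `cloudinit/config/cc_set_passwords.py`), so their relative order is not a concern.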
@@ -120,6 +122,12 @@ fi
 %exclude /usr/share/doc/*
 %changelog
+* Wed Dec 9 2020 yangzhuangzhuang - 19.4-2
+- Type:bugfix
+- ID:CVE-2020-8631 CVE-2020-8632
+- SUG:NA
+- DESC:fix CVE-2020-8631 CVE-2020-8632
+
 * Fri Jul 31 2020 Liquor - 19.4-1
 - Type:update
 - ID:NA