Bug 708738 (CVE-2020-8631, CVE-2020-8632) - <app-emulation/cloud-init-19.4: multiple vulnerabilities (CVE-2020-{8631,8632})
Summary: <app-emulation/cloud-init-19.4: multiple vulnerabilities (CVE-2020-{8631,8632})
Status: RESOLVED FIXED
Alias: CVE-2020-8631, CVE-2020-8632
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: B4 [noglsa cve]
Reported: 2020-02-08 16:53 UTC by filip ambroz
Modified: 2020-03-17 14:31 UTC
Package list:
app-emulation/cloud-init-19.4
Runtime testing required: ---
stable-bot: sanity-check+


Description filip ambroz 2020-02-08 16:53:38 UTC
CVE-2020-8631:
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.

https://nvd.nist.gov/vuln/detail/CVE-2020-8631
CVE-2020-8632:
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

https://nvd.nist.gov/vuln/detail/CVE-2020-8632
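The two weaknesses described above (a Mersenne Twister-backed `random.choice` and a short default password length) shown beside a hardened form, as an added example that is not cloud-init's own code; `ALPHABET`, `DEFAULT_PWLEN` and the 80-bit policy threshold are assumptions chosen for illustration.

```python
import math
import random
import secrets
import string

# Alphabet constructed for this example: letters and digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits
DEFAULT_PWLEN = 20  # assumed default length for this example, not cloud-init's


def weak_rand_str(strlen, select_from=ALPHABET):
    """The pattern CVE-2020-8631 describes: module-level random.choice is
    driven by Mersenne Twister, a deterministic PRNG not designed for secrets.
    Kept only as the 'before' half of the comparison."""
    return "".join(random.choice(select_from) for _ in range(strlen))


def rand_str(strlen, select_from=ALPHABET):
    """Hardened form: SystemRandom draws from the OS CSPRNG (os.urandom)."""
    rng = secrets.SystemRandom()
    return "".join(rng.choice(select_from) for _ in range(strlen))


def rand_user_password(pwlen=DEFAULT_PWLEN):
    """Password helper whose default length addresses the CVE-2020-8632 concern."""
    return rand_str(pwlen)


def entropy_bits(pwlen, alphabet=ALPHABET):
    """Ideal entropy of a uniformly drawn password: pwlen * log2(|alphabet|)."""
    return pwlen * math.log2(len(alphabet))


def meets_policy(pwlen, min_bits=80, alphabet=ALPHABET):
    """Defender-side check: reject lengths below a minimum entropy budget."""
    return entropy_bits(pwlen, alphabet) >= min_bits


def weak_is_reproducible(seed=12345, strlen=12):
    """Shows why the weak form is unfit: same seed, same 'random' password.
    The hardened form has no seed to replay."""
    random.seed(seed)
    first = weak_rand_str(strlen)
    random.seed(seed)
    return weak_rand_str(strlen) == first


if __name__ == "__main__":
    for n in (9, DEFAULT_PWLEN):  # 9 is an example of a short length
        print(n, round(entropy_bits(n), 1), "bits", "ok" if meets_policy(n) else "too short")
    print(rand_user_password())
```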
Comment 1 Larry the Git Cow gentoo-dev 2020-02-11 18:12:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=353ead38dc41437704919d82b9bc4e64ed294cdc

commit 353ead38dc41437704919d82b9bc4e64ed294cdc
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-11 18:12:01 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-11 18:12:52 +0000

    app-emulation/cloud-init: 19.4 bump
    
    includes fix for CVE-2020-{8631,8632}
    Bug: https://bugs.gentoo.org/708738
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-emulation/cloud-init/Manifest                  |  1 +
 app-emulation/cloud-init/cloud-init-19.4.ebuild    | 90 +++++++++++++++++++++
 ...it-19.4-gentoo-support-upstream-templates.patch | 93 ++++++++++++++++++++++
 .../files/cloud-init-19.4_CVE-2020-8631.patch      | 25 ++++++
 app-emulation/cloud-init/metadata.xml              |  2 +-
 5 files changed, 210 insertions(+), 1 deletion(-)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-02-11 18:13:49 UTC
Updated the ebuild, are we fine for fast stable or should we wait?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:21:47 UTC
CVE-2020-8632 (https://nvd.nist.gov/vuln/detail/CVE-2020-8632):
  In cloud-init through 19.4, rand_user_password in
  cloudinit/config/cc_set_passwords.py has a small default pwlen value, which
  makes it easier for attackers to guess passwords.

CVE-2020-8631 (https://nvd.nist.gov/vuln/detail/CVE-2020-8631):
  cloud-init through 19.4 relies on Mersenne Twister for a random password,
  which makes it easier for attackers to predict passwords, because rand_str
  in cloudinit/util.py calls the random.choice function.
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-25 14:58:02 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-25 15:02:28 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 6 Larry the Git Cow gentoo-dev 2020-02-25 17:52:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aa00da6a419e83bab5c59c8163e391d9844adff

commit 1aa00da6a419e83bab5c59c8163e391d9844adff
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-25 17:51:58 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-25 17:52:17 +0000

    app-emulation/cloud-init: cleanup
    
    Bug: https://bugs.gentoo.org/708738
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-emulation/cloud-init/Manifest                  |  3 -
 app-emulation/cloud-init/cloud-init-17.2.ebuild    | 80 -------------------
 app-emulation/cloud-init/cloud-init-18.4-r1.ebuild | 89 ---------------------
 app-emulation/cloud-init/cloud-init-18.5.ebuild    | 91 ----------------------
 app-emulation/cloud-init/cloud-init-9999.ebuild    |  4 +-
 .../files/18.5-fix-invalid-string-format.patch     | 46 -----------
 ...it-18.4-gentoo-support-upstream-templates.patch | 91 ----------------------
 7 files changed, 2 insertions(+), 402 deletions(-)
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-03-17 14:31:50 UTC
GLSA Vote: No!

Repository is clean, all done.