cloud-init logs sensitive password data to world-readable files

Related Vulnerabilities: CVE-2021-3429  

Debian Bug report logs - #985540

Reported by: Noah Meyerhans <noahm@debian.org>

Date: Fri, 19 Mar 2021 16:18:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions cloud-init/20.4-1, cloud-init/0.7.9-2, cloud-init/20.2-2~deb10u1

Fixed in versions cloud-init/20.4.1-2, cloud-init/20.2-2~deb10u2

Done: Noah Meyerhans <noahm@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#985540; Package cloud-init. (Fri, 19 Mar 2021 16:18:04 GMT).


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>. (Fri, 19 Mar 2021 16:18:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cloud-init logs sensitive password data to world-readable files
Date: Fri, 19 Mar 2021 09:15:24 -0700
Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

cloud-init has the ability to generate and set a randomized password for
system users.  This functionality is enabled at runtime by passing
cloud-config data such as:

   chpasswd:
       list: |
           user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.
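As an added example (not cloud-init's own code and not part of the bug report above): a Python audit that looks for a block of RANDOM-generated passwords in cloud-init's log files, reports which users are affected and whether the file holding them is world-readable, and shows the create-with-0600 pattern a fix of this kind relies on. The marker line, the user:password entry format, the log paths, and the assumption that the stdout capture file (cloud-init-output.log) is the world-readable one while cloud-init.log is mode 0600 are all assumptions about cloud-init's behaviour, not facts stated on this page. The sample log content is constructed.

```python
"""Audit for CVE-2021-3429-style exposure: a cloud-init-generated password
written into a world-readable log.

Added example; not cloud-init's own code.  MARKER, ENTRY_RE, DEFAULT_LOGS
and the claim that cloud-init-output.log is the world-readable file are
assumptions about cloud-init's behaviour, not facts from the bug report.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Assumption: the line cloud-init emits before a list of RANDOM passwords.
MARKER = "Set the following 'random' passwords"
# Assumption: each generated credential follows as a "user:password" line.
ENTRY_RE = re.compile(r"^(?P<user>[A-Za-z0-9_.-]+):(?P<secret>\S+)$")
# Assumption: stdout capture (0644) and the main log (0600) on a Debian host.
DEFAULT_LOGS = ("/var/log/cloud-init-output.log", "/var/log/cloud-init.log")


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def extract_passwords(text: str) -> List[Tuple[str, str]]:
    """Return (user, password) pairs that directly follow a MARKER line.

    Collection stops at the first line that is not a user:password entry,
    so ordinary log lines after the block are never mistaken for secrets.
    """
    found: List[Tuple[str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if MARKER not in line:
            continue
        for entry in lines[i + 1:]:
            m = ENTRY_RE.match(entry.strip())
            if m is None:
                break
            found.append((m.group("user"), m.group("secret")))
    return found


def audit(paths=DEFAULT_LOGS) -> Dict[str, dict]:
    """Per log file: which users' generated passwords it holds and whether
    the file is world-readable.  The passwords themselves are not returned;
    usernames plus a count are enough to drive credential rotation."""
    report: Dict[str, dict] = {}
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            pairs = extract_passwords(fh.read())
        world = is_world_readable(path)
        report[path] = {
            "leaked_users": sorted({user for user, _ in pairs}),
            "secret_count": len(pairs),
            "world_readable": world,
            "exposed": bool(pairs) and world,
        }
    return report


def write_private(path: str, data: str) -> int:
    """Create path with mode 0600 *before* the first byte is written, so a
    secret never sits in a world-readable file even briefly (contrast with
    writing first and chmod-ing afterwards).  Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> Dict[str, dict]:
    """Constructed sample data: the same RANDOM-password block lands in a
    0644 output log and in a 0600 log; only the former is reported exposed."""
    sample = "\n".join([
        "Cloud-init v. 20.4 running 'modules:config' (constructed line)",
        MARKER,
        "user1:Xk3vPq9LmZ2r",  # constructed value, not a real secret
        "Generating locales (this might take a while)...",
        "",
    ])
    tmp = tempfile.mkdtemp()
    public = os.path.join(tmp, "cloud-init-output.log")
    with open(public, "w", encoding="utf-8") as fh:
        fh.write(sample)
    os.chmod(public, 0o644)
    private = os.path.join(tmp, "cloud-init.log")
    write_private(private, sample)
    return audit((public, private))


if __name__ == "__main__":
    for log, result in demo().items():
        print(log, result)
```

Run it as root on a host that used `chpasswd: list: user1:RANDOM`, with `audit()` pointed at the real log paths; any entry with `exposed: True` means the generated password should be treated as compromised and rotated, independent of whether the package has since been upgraded, because the old log content remains on disk.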

Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. (Fri, 19 Mar 2021 16:51:11 GMT).


Notification sent to Noah Meyerhans <noahm@debian.org>:
Bug acknowledged by developer. (Fri, 19 Mar 2021 16:51:11 GMT).


Message #10 received at 985540-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 985540-close@bugs.debian.org
Subject: Bug#985540: fixed in cloud-init 20.4.1-2
Date: Fri, 19 Mar 2021 16:48:26 +0000
Source: cloud-init
Source-Version: 20.4.1-2
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 19 Mar 2021 09:18:59 -0700
Source: cloud-init
Architecture: source
Version: 20.4.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 985540
Changes:
 cloud-init (20.4.1-2) unstable; urgency=high
 .
   * Avoid logging generated passwords to world-readable log files.
     CVE-2021-3429. (Closes: #985540)
Checksums-Sha1:
 ca9314a0de20fa02f333ac728b023940a0ba4bb2 2413 cloud-init_20.4.1-2.dsc
 29447e11df809e8c71f0a0bbfba97a65fca61b4c 28300 cloud-init_20.4.1-2.debian.tar.xz
 75abd3195bf79233007ee83526f4f2088ab18a8d 6464 cloud-init_20.4.1-2_source.buildinfo
Checksums-Sha256:
 9e2bc448dda24cf202bbfa2e0b6a66d6de7d12d94043c2f944aa57974aa49ced 2413 cloud-init_20.4.1-2.dsc
 f8e0acc6b0f7084b27528b5b4608b504dece27089e038ef896bb89a4dc19c41e 28300 cloud-init_20.4.1-2.debian.tar.xz
 dbe8d2b8a8c6e9da482b1c51bdd1ff1fb42079742c896f4f2415271fe2ae2a1e 6464 cloud-init_20.4.1-2_source.buildinfo
Files:
 c1505e22fc9dcf86fdfeaaa7d10a9434 2413 admin optional cloud-init_20.4.1-2.dsc
 d4506774577d1731bb069caeb3dc096e 28300 admin optional cloud-init_20.4.1-2.debian.tar.xz
 f3365caf5e50e7e1416a40357c11cbce 6464 admin optional cloud-init_20.4.1-2_source.buildinfo

Marked as found in versions cloud-init/20.2-2~deb10u1. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. (Fri, 19 Mar 2021 17:03:03 GMT).


Marked as found in versions cloud-init/0.7.9-2. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. (Fri, 19 Mar 2021 17:09:02 GMT).


Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. (Fri, 19 Mar 2021 23:06:14 GMT).


Notification sent to Noah Meyerhans <noahm@debian.org>:
Bug acknowledged by developer. (Fri, 19 Mar 2021 23:06:14 GMT).


Message #19 received at 985540-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 985540-close@bugs.debian.org
Subject: Bug#985540: fixed in cloud-init 20.2-2~deb10u2
Date: Fri, 19 Mar 2021 23:02:07 +0000
Source: cloud-init
Source-Version: 20.2-2~deb10u2
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 19 Mar 2021 09:43:23 -0700
Source: cloud-init
Architecture: source
Version: 20.2-2~deb10u2
Distribution: buster
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 985540
Changes:
 cloud-init (20.2-2~deb10u2) buster; urgency=high
 .
   * Avoid logging generated passwords to world-readable log files.
     CVE-2021-3429. (Closes: #985540)
Checksums-Sha1:
 d55f3de376613258a6d978ee5d6ac8c1cdb5fbae 2431 cloud-init_20.2-2~deb10u2.dsc
 1ec7ce722b526d12b4557e13a76c79f95a92ff35 27568 cloud-init_20.2-2~deb10u2.debian.tar.xz
 ae5568fb5e1e5e4cb484878e82342651c8f68c44 6844 cloud-init_20.2-2~deb10u2_source.buildinfo
Checksums-Sha256:
 f2b718c99fe8fdc7cfc1dfe5e499c521b61eb3d839a8d75e216fac940d352ce6 2431 cloud-init_20.2-2~deb10u2.dsc
 6c1294d5b212c77b7bf40b04a2c1c812c355006c49d8e62ae581984bc0b43bc4 27568 cloud-init_20.2-2~deb10u2.debian.tar.xz
 aae68927fee6ee42ebfa444c9984ff40b3343707f5260cfb540553aa2f9ac410 6844 cloud-init_20.2-2~deb10u2_source.buildinfo
Files:
 e1aaa79c61be38e671234acfb156fb21 2431 admin optional cloud-init_20.2-2~deb10u2.dsc
 d89a6e85f6cc7124d293f2ef38efa190 27568 admin optional cloud-init_20.2-2~deb10u2.debian.tar.xz
 6a86edac194fe2582c0f015b174e5713 6844 admin optional cloud-init_20.2-2~deb10u2_source.buildinfo


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 20 14:22:26 2021; Machine Name: buxtehude