CVE-2019-0816

Related Vulnerabilities: CVE-2019-0816  

Debian Bug report logs - #926043
CVE-2019-0816


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 30 Mar 2019 19:15:01 UTC

Severity: important

Tags: security

Found in version cloud-init/18.3-5

Fixed in version cloud-init/18.3-6

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Sat, 30 Mar 2019 19:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>. (Sat, 30 Mar 2019 19:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-0816
Date: Sat, 30 Mar 2019 20:10:39 +0100
Package: cloud-init
Severity: grave
Tags: security

This was assigned CVE-2019-0816:
https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm

Is this something that affects cloud-init as shipped in Debian or in the way we generate Debian
images for Azure?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Sat, 30 Mar 2019 23:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Sat, 30 Mar 2019 23:36:03 GMT) (full text, mbox, link).


Message #10 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
Date: Sun, 31 Mar 2019 00:33:45 +0100
On 3/30/19 8:10 PM, Moritz Muehlenhoff wrote:
> Package: cloud-init
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2019-0816:
> https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
> https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
> 
> Is this something that affects cloud-init as shipped in Debian or in the way we generate Debian
> images for Azure?
> 
> Cheers,
>         Moritz

Hi Moritz,

If I understand the problem well, the issue is simply that some extra
Microsoft keys may end up being set up in an Azure Debian instance. I
don't see this as a very "grave" security issue because:

1/ Azure users must trust Azure anyways, otherwise, they should just
stop doing hosting there.
2/ It only affects Azure users.

I'm not even sure that our image is really using cloud-init to do the
ssh key provisioning, if I'm not mistaken, it's using the Azure agent
to do that (can Bastian confirm this?).

In any case, can we downgrade this bug to "important"? Or am I missing
something here?

Cheers,

Thomas Goirand (zigo)



Marked as found in versions cloud-init/18.3-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 Mar 2019 06:45:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Mon, 01 Apr 2019 21:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Mon, 01 Apr 2019 21:48:02 GMT) (full text, mbox, link).


Message #17 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
Date: Mon, 1 Apr 2019 23:44:50 +0200
Hi Thomas,

On Sun, Mar 31, 2019 at 12:33:45AM +0100, Thomas Goirand wrote:
> If I understand the problem well, the issue is simply that some extra
> Microsoft keys may end up being set up in an Azure Debian instance. I
> don't see this as a very "grave" security issue because:
> 
> 1/ Azure users must trust Azure anyways, otherwise, they should just
> stop doing hosting there.

It's still a big difference whether Microsoft has access during the provision
phase vs. the running system (where it may contain sensitive data).

Metaphorically speaking, I'm fine with builders having access to my house
while it's under construction, but not with them having the keys once the
house is built.

> 2/ It only affects Azure users.

But Azure is an official use case, isn't it? We only recently pushed
a DSA for the Azure agent e.g.

> I'm not even sure that our image is really using cloud-init to do the
> ssh key provisioning, if I'm not mistaken, it's using the Azure agent
> to do that (can Bastian confirm this?).

I don't know, if it can be confirmed it doesn't affect Debian, then we
can close the bug, ofc.

> In any case, can we downgrade this bug to "important"? Or am I missing
> something here?

Instead of arguing over bug severities, can't we rather fix the bug?
Ubuntu fixed this already and their versions seem fairly close.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Tue, 02 Apr 2019 08:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Tue, 02 Apr 2019 08:12:03 GMT) (full text, mbox, link).


Message #22 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Bastian Blank <waldi@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 926043@bugs.debian.org
Subject: Re: Bug#926043: CVE-2019-0816
Date: Tue, 2 Apr 2019 09:59:30 +0200
On Sat, Mar 30, 2019 at 08:10:39PM +0100, Moritz Muehlenhoff wrote:
> Is this something that affects cloud-init as shipped in Debian or in the way we generate Debian
> images for Azure?

No, it is not affected as we don't support cloud-init based
provisioning, yet.

Regards,
Bastian

-- 
No one can guarantee the actions of another.
		-- Spock, "Day of the Dove", stardate unknown



Severity set to 'important' from 'grave' Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Tue, 02 Apr 2019 09:39:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Tue, 02 Apr 2019 10:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Tue, 02 Apr 2019 10:42:04 GMT) (full text, mbox, link).


Message #29 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
Date: Tue, 2 Apr 2019 12:33:10 +0200
On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> Instead of arguing over bug severities, can't we rather fix the bug?

Sure.

> Ubuntu fixed this already and their versions seem fairly close.

That's the thing. I went into the launchpad bug report, and it's full of
small, incremental commits, from which it is very hard to figure out
which one is really fixing the issue. Also, the Ubuntu package is just
getting a snapshot from upstream, it's not integrating any patch. If
someone can point at the correct patch, I'll do the update work.

Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Tue, 02 Apr 2019 10:51:13 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Tue, 02 Apr 2019 10:51:13 GMT) (full text, mbox, link).


Message #34 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
Date: Tue, 2 Apr 2019 12:46:38 +0200
On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> > Instead of arguing over bug severities, can't we rather fix the bug?
> 
> Sure.
> 
> > Ubuntu fixed this already and their versions seem fairly close.
> 
> That's the thing. I went into the launchpad bug report, and it's full of
> small, incremental commits, from which it is very hard to figure out
> which one is really fixing the issue. Also, the Ubuntu package is just
> getting a snapshot from upstream, it's not integrating any patch. If
> someone can point at the correct patch, I'll do the update work.

Actually, given Bastian's reply, we can just close the bug, or am I missing
something?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Tue, 02 Apr 2019 12:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Tue, 02 Apr 2019 12:00:06 GMT) (full text, mbox, link).


Message #39 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
Cc: 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
Date: Tue, 2 Apr 2019 13:56:35 +0200
On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>
>> Sure.
>>
>>> Ubuntu fixed this already and their versions seem fairly close.
>>
>> That's the thing. I went into the launchpad bug report, and it's full of
>> small, incremental commits, from which it is very hard to figure out
>> which one is really fixing the issue. Also, the Ubuntu package is just
>> getting a snapshot from upstream, it's not integrating any patch. If
>> someone can point at the correct patch, I'll do the update work.
> 
> Actually, given Bastian's reply, we can just close the bug, or am I missing
> something?
> 
> Cheers,
>         Moritz

Well, not 100%. "we" don't support cloud-init provisioning yet. Though
someone running Debian, building their own image, could be affected by
the bug. Which is why I'd suggest downgrading the bug to important, as
it would only affect, only potentially, a very small subset of users.

I still believe we should try to get this fixed in time for Buster, and
backport it to Stretch.

Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Tue, 02 Apr 2019 20:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Tue, 02 Apr 2019 20:33:03 GMT) (full text, mbox, link).


Message #44 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>, control@bugs.debian.org
Subject: Re: Bug#926043: CVE-2019-0816
Date: Tue, 2 Apr 2019 22:29:33 +0200
severity 926043 important
thanks

On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> >>> Instead of arguing over bug severities, can't we rather fix the bug?
> >>
> >> Sure.
> >>
> >>> Ubuntu fixed this already and their versions seem fairly close.
> >>
> >> That's the thing. I went into the launchpad bug report, and it's full of
> >> small, incremental commits, from which it is very hard to figure out
> >> which one is really fixing the issue. Also, the Ubuntu package is just
> >> getting a snapshot from upstream, it's not integrating any patch. If
> >> someone can point at the correct patch, I'll do the update work.
> > 
> > Actually, given Bastian's reply, we can just close the bug, or am I missing
> > something?
> > 
> > Cheers,
> >         Moritz
> 
> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
> someone running Debian, building their own image, could be affected by
> the bug. Which is why I'd suggest downgrading the bug to important, as
> it would only affect, only potentially, a very small subset of users.

OK, I see! Downgrading makes total sense, then. Doing that now.
 
> I still believe we should try to get this fixed in time for Buster, and
> backport it to Stretch.

Ack.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Wed, 24 Apr 2019 20:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Wed, 24 Apr 2019 20:06:02 GMT) (full text, mbox, link).


Message #49 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>, 926043@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, security@debian.org
Subject: Re: Bug#926043: CVE-2019-0816
Date: Wed, 24 Apr 2019 22:02:34 +0200
Hi Thomas,

On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
> severity 926043 important
> thanks
> 
> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> > On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> > >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> > >>> Instead of arguing over bug severities, can't we rather fix the bug?
> > >>
> > >> Sure.
> > >>
> > >>> Ubuntu fixed this already and their versions seem fairly close.
> > >>
> > >> That's the thing. I went into the launchpad bug report, and it's full of
> > >> small, incremental commits, from which it is very hard to figure out
> > >> which one is really fixing the issue. Also, the Ubuntu package is just
> > >> getting a snapshot from upstream, it's not integrating any patch. If
> > >> someone can point at the correct patch, I'll do the update work.
> > > 
> > > Actually, given Bastian's reply, we can just close the bug, or am I missing
> > > something?
> > > 
> > > Cheers,
> > >         Moritz
> > 
> > Well, not 100%. "we" don't support cloud-init provisioning yet. Though
> > someone running Debian, building their own image, could be affected by
> > the bug. Which is why I'd suggest downgrading the bug to important, as
> > it would only affect, only potentially, a very small subset of users.
> 
> OK, I see! Downgrading makes total sense, then. Doing that now.
>  
> > I still believe we should try to get this fixed in time for Buster, and
> > backport it to Stretch.
> 
> Ack.

Did you have a chance to look into this specifically for unstable and
possibly buster (still agreeing on the reasoning, but was looking
through some pending mails and spotted the intent above)?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Thu, 25 Apr 2019 06:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Thu, 25 Apr 2019 06:42:02 GMT) (full text, mbox, link).


Message #54 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926043@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, security@debian.org
Subject: Re: Bug#926043: CVE-2019-0816
Date: Thu, 25 Apr 2019 08:38:03 +0200
On 4/24/19 10:02 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
>> severity 926043 important
>> thanks
>>
>> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
>>> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
>>>> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>>>>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>>>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>>>>
>>>>> Sure.
>>>>>
>>>>>> Ubuntu fixed this already and their versions seem fairly close.
>>>>>
>>>>> That's the thing. I went into the launchpad bug report, and it's full of
>>>>> small, incremental commits, from which it is very hard to figure out
>>>>> which one is really fixing the issue. Also, the Ubuntu package is just
>>>>> getting a snapshot from upstream, it's not integrating any patch. If
>>>>> someone can point at the correct patch, I'll do the update work.
>>>>
>>>> Actually, given Bastian's reply, we can just close the bug, or am I missing
>>>> something?
>>>>
>>>> Cheers,
>>>>         Moritz
>>>
>>> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
>>> someone running Debian, building their own image, could be affected by
>>> the bug. Which is why I'd suggest downgrading the bug to important, as
>>> it would only affect, only potentially, a very small subset of users.
>>
>> OK, I see! Downgrading makes total sense, then. Doing that now.
>>  
>>> I still believe we should try to get this fixed in time for Buster, and
>>> backport it to Stretch.
>>
>> Ack.
> 
> Did you have a chance to look into this specifically for unstable and
> possibly buster (still agreeing on the reasoning, but was looking
> through some pending mails and spotted the intent above)?
> 
> Regards,
> Salvatore

Hi,

We are probably better off packaging the latest upstream release, as
it's kind of hard to find out what commit fixes the issue. However, I'm
really not sure if the release team is comfortable with it at this point.

Your thoughts?
Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#926043; Package cloud-init. (Thu, 25 Apr 2019 06:51:11 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Thu, 25 Apr 2019 06:51:11 GMT) (full text, mbox, link).


Message #59 received at 926043@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926043@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, security@debian.org
Subject: Re: Bug#926043: CVE-2019-0816
Date: Thu, 25 Apr 2019 08:50:18 +0200
On 4/24/19 10:02 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
>> severity 926043 important
>> thanks
>>
>> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
>>> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
>>>> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>>>>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>>>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>>>>
>>>>> Sure.
>>>>>
>>>>>> Ubuntu fixed this already and their versions seem fairly close.
>>>>>
>>>>> That's the thing. I went into the launchpad bug report, and it's full of
>>>>> small, incremental commits, from which it is very hard to figure out
>>>>> which one is really fixing the issue. Also, the Ubuntu package is just
>>>>> getting a snapshot from upstream, it's not integrating any patch. If
>>>>> someone can point at the correct patch, I'll do the update work.
>>>>
>>>> Actually, given Bastian's reply, we can just close the bug, or am I missing
>>>> something?
>>>>
>>>> Cheers,
>>>>         Moritz
>>>
>>> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
>>> someone running Debian, building their own image, could be affected by
>>> the bug. Which is why I'd suggest downgrading the bug to important, as
>>> it would only affect, only potentially, a very small subset of users.
>>
>> OK, I see! Downgrading makes total sense, then. Doing that now.
>>  
>>> I still believe we should try to get this fixed in time for Buster, and
>>> backport it to Stretch.
>>
>> Ack.
> 
> Did you have a chance to look into this specifically for unstable and
> possibly buster (still agreeing on the reasoning, but was looking
> through some pending mails and spotted the intent above)?
> 
> Regards,
> Salvatore

My apologies, I found the patch in the cloud-init Git, and it applies
almost cleanly to the current Sid/Buster release of cloud-init (just a
few offsets...). I'm uploading the fix then...

Thanks for pushing me to do a better job! :)

Cheers,

Thomas Goirand (zigo)



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 25 Apr 2019 07:21:13 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 25 Apr 2019 07:21:13 GMT) (full text, mbox, link).


Message #64 received at 926043-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 926043-close@bugs.debian.org
Subject: Bug#926043: fixed in cloud-init 18.3-6
Date: Thu, 25 Apr 2019 07:18:28 +0000
Source: cloud-init
Source-Version: 18.3-6

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Apr 2019 08:54:18 +0200
Source: cloud-init
Binary: cloud-init
Architecture: source all
Version: 18.3-6
Distribution: unstable
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 cloud-init - initialization system for infrastructure cloud instances
Closes: 926043
Changes:
 cloud-init (18.3-6) unstable; urgency=high
 .
   * CVE-2019-0816: Extraneous SSH Public Keys added to Authorized Keys file.
     Applied a refreshed patch from upstream: azure: Filter list of ssh keys
     pulled from fabric (Closes: #926043).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 May 2019 07:26:30 GMT) (full text, mbox, link).
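
A way to check a self-built image for the symptom this report describes (keys in an authorized_keys file that were never requested), added here as an example; it is not code from cloud-init or from the upstream patch. The sample entries are constructed filler rather than real keys, and the allow-list of expected fingerprints is an assumption about how an operator records the keys they deployed.

```python
import base64
import binascii
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob, comment) for every key entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Leading options (e.g. command="...") may contain spaces, so scan for
        # the first field pair whose blob decodes and names the same key type.
        for i in range(len(fields) - 1):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            if blob.startswith(_ssh_string(fields[i].encode())):
                yield line_no, fields[i], blob, " ".join(fields[i + 2:])
                break


def find_extraneous(text, expected):
    """Return (line_no, fingerprint, comment) for keys not in the expected set."""
    return [(n, fingerprint(blob), comment)
            for n, _type, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in expected]


def sample_entry(seed, comment, options=""):
    """Build a constructed ssh-ed25519-shaped entry (32 filler bytes, not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    entry = "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)
    return (options + " " + entry).strip(), fingerprint(blob)


# Constructed sample: two keys the operator deployed, one that was never requested.
ADMIN, ADMIN_FP = sample_entry(1, "admin@example")
DEPLOY, DEPLOY_FP = sample_entry(2, "deploy@example", 'no-pty,command="echo hi"')
EXTRA, EXTRA_FP = sample_entry(3, "unrequested-platform-key")
SAMPLE = "# constructed sample file\n" + "\n".join([ADMIN, DEPLOY, EXTRA]) + "\n"

if __name__ == "__main__":
    for line_no, fp, comment in find_extraneous(SAMPLE, {ADMIN_FP, DEPLOY_FP}):
        print("line %d: unexpected key %s (%s)" % (line_no, fp, comment))
```

On a real host, pass the contents of each account's authorized_keys file as `text` and the fingerprints of the keys you provisioned as `expected`.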

