Bug 28991 - cloud-init new security issue CVE-2021-3429
Summary: cloud-init new security issue CVE-2021-3429
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-28 22:32 CEST by David Walser
Modified: 2021-07-19 23:07 CEST
CC: 4 users

See Also:
Source RPM: cloud-init-20.2-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-05-28 22:32:49 CEST
Debian-LTS has issued an advisory on March 20:
https://www.debian.org/lts/security/2021/dla-2601

The issue is fixed upstream in 21.2:
https://github.com/canonical/cloud-init/releases/tag/21.2

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-28 22:33:18 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 21.2

Comment 1 Lewis Smith 2021-05-29 20:52:14 CEST
This has been maintained by various people, so assigning the bug globally. CC'ing the registered maintainer Joseph.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant

Comment 2 Nicolas Salguero 2021-06-02 13:32:00 CEST
Hi,

For Cauldron and Mageia 8, I added a patch from Debian for that CVE and pushed cloud-init-20.2-2.1.mga8 and cloud-init-20.2-4.mga9 to the BS.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Nicolas Salguero 2021-06-02 13:32:15 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3 David Walser 2021-06-02 23:06:26 CEST
We have 0.7.5 in Mageia 7, so Debian's patch for 0.7.9 might work for us.
Comment 4 David Walser 2021-07-01 18:53:58 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Assigning to QA as an update for Mageia 8 has been built. Still needs advisory.

Status comment: Fixed upstream in 21.2 => (none)
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 Aurelien Oudelet 2021-07-19 23:07:54 CEST
Advisory:
========================

Updated cloud-init package fixes a security vulnerability:

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as: 'chpasswd: list: | user1:RANDOM'

When instructing cloud-init to set a random password for a new user account, versions before 21.1.19 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user (CVE-2021-3429).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28991
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429
 - https://www.debian.org/lts/security/2021/dla-2601
 - https://github.com/canonical/cloud-init/releases/tag/21.2
========================

Updated package in core/updates_testing:
========================
cloud-init-20.2-2.1.mga8

from SRPM:
cloud-init-20.2-2.1.mga8.src.rpm

CC: (none) => ouaurelien
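The advisory above describes the exposure in two parts: the cloud-config requests a `RANDOM` password, and an unfixed cloud-init then writes that password into a world-readable `/var/log/cloud-init-output.log`. The following audit script is an added example written for this page; it is not part of the Mageia update or of cloud-init's own code. It assumes (as a labelled assumption) that the leaked block in the log has the shape of a header line `Set the following 'random' passwords` followed by one `user:password` line per account, which is how the set-passwords module printed them to stderr; the sample log and cloud-config it runs on are constructed. It reports which users have a password in the log (without echoing the password), whether the file is world-readable, and applies the interim mitigation of restricting the file mode on hosts that have not yet received the fixed package.

```python
"""Audit a cloud-init output log for leaked random passwords (CVE-2021-3429).

Added example for the Mageia bug page; not cloud-init's or Mageia's own code.
Assumption: the leak looks like a "Set the following 'random' passwords" header
followed by "user:password" lines. SAMPLE_LOG and SAMPLE_CONFIG are constructed.
"""
import os
import re
import stat
import tempfile

HEADER = "Set the following 'random' passwords"
USER_PW = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+)$")
# A chpasswd list entry of the form "user:RANDOM" (see the advisory's example).
RANDOM_ENTRY = re.compile(r"^\s*[^\s:]+:RANDOM\s*$", re.MULTILINE)


def uses_random_password(cloud_config_text):
    """True if the cloud-config asks cloud-init to generate a random password."""
    return RANDOM_ENTRY.search(cloud_config_text) is not None


def find_leaked_passwords(text):
    """Return (username, line_number) for every password line found after the
    header. The password itself is deliberately not returned."""
    leaks = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == HEADER:
            j = i + 1
            while j < len(lines):
                m = USER_PW.match(lines[j].strip())
                if not m:
                    break
                leaks.append((m.group(1), j + 1))
                j += 1
            i = j
        else:
            i += 1
    return leaks


def is_world_readable(path):
    """Check the 'other' read bit, which is what makes the leak exploitable locally."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_log(path):
    """Combine both conditions: a leak is only exposed if the file is world-readable."""
    with open(path, encoding="utf-8", errors="replace") as f:
        users = [u for u, _ in find_leaked_passwords(f.read())]
    world = is_world_readable(path)
    return {"world_readable": world, "leaked_users": users,
            "exposed": world and bool(users)}


def restrict_log(path):
    """Interim mitigation until the fixed package is installed: drop world access."""
    os.chmod(path, 0o640)
    return not is_world_readable(path)


# Constructed sample of what an unfixed cloud-init 20.2 would leave in the log.
SAMPLE_LOG = """Cloud-init v. 20.2 running 'modules:config' at Fri, 28 May 2021 20:32:49 +0000.
Set the following 'random' passwords
user1:Xk9pL2mQ
Cloud-init v. 20.2 finished at Fri, 28 May 2021 20:32:50 +0000.
"""

# Constructed cloud-config matching the advisory's 'chpasswd: list: | user1:RANDOM'.
SAMPLE_CONFIG = "#cloud-config\nchpasswd:\n  list: |\n    user1:RANDOM\n"


def demo():
    """Write the sample log with the default world-readable mode, audit it,
    apply the mitigation, and audit again. Returns (before, after)."""
    fd, path = tempfile.mkstemp(suffix="-cloud-init-output.log")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_LOG)
    os.chmod(path, 0o644)          # mode the log is normally created with
    before = audit_log(path)
    restrict_log(path)
    after = audit_log(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("config requests RANDOM password:", uses_random_password(SAMPLE_CONFIG))
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Run it as-is to see the audit flip from exposed to not exposed; to audit a real host, call `audit_log("/var/log/cloud-init-output.log")` as root. The mode change only closes the local-read window; the password line itself remains in the log, so rotating the affected account's password and installing the fixed cloud-init package are still required.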

