[3.13] community/cloud-init: fix CVE-2021-3429

community/cloud-init/APKBUILD

@@ -3,7 +3,7 @@
 # Maintainer: Dermot Bradley <dermot_bradley@yahoo.com>
 pkgname=cloud-init
 pkgver=20.4.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Cloud instance init scripts"
 url="https://cloud-init.io"
 # Dependant package "cloud-utils-growpart" is not available for mips,
@@ -33,12 +33,17 @@ subpackages="$pkgname-doc $pkgname-bash-completion $pkgname-openrc"
 source="cloud-init-$pkgver.tar.gz::https://github.com/canonical/cloud-init/archive/$pkgver.tar.gz
 	01-oauthlib-remove.patch
 	02-hosts-template-fix.patch
+	CVE-2021-3429.patch
 	interfaces
 	setup-cloud-init
 	README.Alpine
 	"
 install="$pkgname.post-install"
 
+# secfixes:
+#   20.4.1-r1:
+#     - CVE-2021-3429
+
 prepare() {
 	default_prepare
 }
@@ -92,6 +97,7 @@ package() {
 sha512sums="7d30c5540a793202889a9e7d891323cfb782d807542f7eac0e53a497b72785d0f4d33d3fe6cfc01704aba30e7246d4b3179b95c5f2ddf79b264479247f305289  cloud-init-20.4.1.tar.gz
 c14ce3b27c55d1c381e27b2898bb73da8a74c53480d496bdfc87318b69fb612678205ab5a686c1ce703ef5c2c7a8529f629c8f908aeff39524d36870a83c1929  01-oauthlib-remove.patch
 444b15f0d81138f7f3767bc10b0bee29ff10fa8b74dfc3542e1abe20d745f09bb2e36cb30ef8035a677ba81af80743207fbd9973d7cb4f33ca37891ae7493916  02-hosts-template-fix.patch
+469be5ef480ebfc0856e265822d5f43f28f6ae5fe2cbb7e5c240660fc24c31cb7a3c84178c2e3594fa13b6362048fdbb6a3632865868f4dcb4463a346b19759a  CVE-2021-3429.patch
 48b25ec4457c2b3772a7d210033551d041749a0d1869818d888030e6df7fd9bbc13a38b95cf465de3d46d96881a722f94a337584ce48f280c4a52b819586563a  interfaces
 f32b90f26d1df0d88fbea7a1a9ab6704a20babdb750b933484bb7c4e91cc19a587d4bfbc95489a354003ecd00795d1592e71b4b93eccd41e392bb7170bfebb0e  setup-cloud-init
 2a491afea3ea979d0910f0b21739ee3bfb902ddfe66a8162eb1dd477475c4185ac85afc6522e979015d966f4b984b151cb4b6515aec6ce6eaf7e13ac7def1b5f  README.Alpine"

community/cloud-init/CVE-2021-3429.patch

+Write passwords only to serial console, lock down cloud-init-output.log
+
+Fixes CVE-2021-3429.
+
+Prior to this commit, when a user specified configuration which would
+generate random passwords for users, cloud-init would cause those
+passwords to be written to the serial console by emitting them on
+stderr. In the default configuration, any stdout or stderr emitted by
+cloud-init is also written to /var/log/cloud-init-output.log. This
+file is world-readable, meaning that those randomly-generated passwords
+were available to be read by any user with access to the system. This
+presents an obvious security issue.
+
+Upstream: Yes
+
+---
+
+diff -aur a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -78,7 +78,6 @@
+ """
+ 
+ import re
+-import sys
+ 
+ from cloudinit.distros import ug_util
+ from cloudinit import log as logging
+@@ -214,7 +213,9 @@
+         if len(randlist):
+             blurb = ("Set the following 'random' passwords\n",
+                      '\n'.join(randlist))
+-            sys.stderr.write("%s\n%s\n" % blurb)
++            util.multi_log(
++                "%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False
++            )
+ 
+         if expire:
+             expired_users = []
+diff -aur a/cloudinit/util.py b/cloudinit/util.py
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -359,7 +359,7 @@
+ 
+ 
+ def multi_log(text, console=True, stderr=True,
+-              log=None, log_level=logging.DEBUG):
++              log=None, log_level=logging.DEBUG, fallback_to_stdout=True):
+     if stderr:
+         sys.stderr.write(text)
+     if console:
+@@ -368,7 +368,7 @@
+             with open(conpath, 'w') as wfh:
+                 wfh.write(text)
+                 wfh.flush()
+-        else:
++        elif fallback_to_stdout:
+             # A container may lack /dev/console (arguably a container bug).  If
+             # it does not exist, then write output to stdout.  this will result
+             # in duplicate stderr and stdout messages if stderr was True.
+@@ -623,6 +623,26 @@
+     if not o_err:
+         o_err = sys.stderr
+ 
++    # pylint: disable=subprocess-popen-preexec-fn
++    def set_subprocess_umask_and_gid():
++        """Reconfigure umask and group ID to create output files securely.
++
++        This is passed to subprocess.Popen as preexec_fn, so it is executed in
++        the context of the newly-created process.  It:
++
++        * sets the umask of the process so created files aren't world-readable
++        * if an adm group exists in the system, sets that as the process' GID
++          (so that the created file(s) are owned by root:adm)
++        """
++        os.umask(0o037)
++        try:
++            group_id = grp.getgrnam("adm").gr_gid
++        except KeyError:
++            # No adm group, don't set a group
++            pass
++        else:
++            os.setgid(group_id)
++
+     if outfmt:
+         LOG.debug("Redirecting %s to %s", o_out, outfmt)
+         (mode, arg) = outfmt.split(" ", 1)
+@@ -632,7 +652,12 @@
+                 owith = "wb"
+             new_fp = open(arg, owith)
+         elif mode == "|":
+-            proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++            proc = subprocess.Popen(
++                arg,
++                shell=True,
++                stdin=subprocess.PIPE,
++                preexec_fn=set_subprocess_umask_and_gid,
++            )
+             new_fp = proc.stdin
+         else:
+             raise TypeError("Invalid type for output format: %s" % outfmt)
+@@ -654,7 +679,12 @@
+                 owith = "wb"
+             new_fp = open(arg, owith)
+         elif mode == "|":
+-            proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE)
++            proc = subprocess.Popen(
++                arg,
++                shell=True,
++                stdin=subprocess.PIPE,
++                preexec_fn=set_subprocess_umask_and_gid,
++            )
+             new_fp = proc.stdin
+         else:
+             raise TypeError("Invalid type for error format: %s" % errfmt)