Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package waagent. It fixes one security problem. diff --git a/debian/changelog b/debian/changelog index b1bc553..06df3b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +waagent (2.2.34-3) unstable; urgency=medium + + * Set proper access rights on swap file. + CVE-2019-0804 + + -- Bastian Blank <bastian.bl...@credativ.de> Tue, 12 Mar 2019 09:34:51 +0100 + waagent (2.2.34-2) unstable; urgency=medium * Disable all tests, they need a real system. (closes: #918943) diff --git a/debian/patches/cve-2019-0804.patch b/debian/patches/cve-2019-0804.patch new file mode 100644 index 0000000..3b2948d --- /dev/null +++ b/debian/patches/cve-2019-0804.patch @@ -0,0 +1,149 @@ +From: Bastian Blank <bastian.bl...@credativ.de> +Date: Mon, 11 Mar 2019 13:18:04 +0000 +Subject: Set proper access rights on swap file + +CVE-2019-0804 +--- + azurelinuxagent/daemon/resourcedisk/default.py | 31 ++++++++++++++++++++------ + azurelinuxagent/daemon/resourcedisk/freebsd.py | 5 +---- + tests/distro/test_resourceDisk.py | 31 ++++++++++++++++++++++++++ + 3 files changed, 56 insertions(+), 11 deletions(-) + +diff --git a/azurelinuxagent/daemon/resourcedisk/default.py b/azurelinuxagent/daemon/resourcedisk/default.py +index ce1309c..3e879f4 100644 +--- a/azurelinuxagent/daemon/resourcedisk/default.py ++++ b/azurelinuxagent/daemon/resourcedisk/default.py +@@ -16,6 +16,7 @@ + # + + import os ++import stat + import re + import subprocess + import sys +@@ -214,16 +215,27 @@ class ResourceDiskHandler(object): + else: + return 'mount {0} {1}'.format(partition, mount_point) + ++ @staticmethod ++ def check_existing_swap_file(swapfile, swaplist, size): ++ if swapfile in swaplist and os.path.isfile(swapfile) and os.path.getsize(swapfile) == size: ++ logger.info("Swap already enabled") ++ # restrict access to owner (remove all access from group, others) ++ swapfile_mode = os.stat(swapfile).st_mode ++ if swapfile_mode & (stat.S_IRWXG | stat.S_IRWXO): ++ swapfile_mode = swapfile_mode & ~(stat.S_IRWXG | stat.S_IRWXO) ++ logger.info("Changing mode of {0} to {1:o}".format(swapfile, swapfile_mode)) ++ os.chmod(swapfile, swapfile_mode) ++ return True ++ ++ return False ++ + def create_swap_space(self, mount_point, size_mb): + size_kb = size_mb * 1024 + size = size_kb * 1024 + swapfile = os.path.join(mount_point, 'swapfile') + swaplist = shellutil.run_get_output("swapon -s")[1] + +- if swapfile in swaplist \ +- and os.path.isfile(swapfile) \ +- and os.path.getsize(swapfile) == size: +- logger.info("Swap already enabled") ++ if self.check_existing_swap_file(swapfile, swaplist, size): + return + + if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size: +@@ -274,13 +286,18 @@ class ResourceDiskHandler(object): + # Probable errors: + # - OSError: Seen on Cygwin, libc notimpl? + # - AttributeError: What if someone runs this under... ++ fd = None ++ + try: +- with open(filename, 'w') as f: +- os.posix_fallocate(f.fileno(), 0, nbytes) +- return 0 ++ fd = os.open(filename, os.O_CREAT | os.O_WRONLY | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR) ++ os.posix_fallocate(fd, 0, nbytes) ++ return 0 + except: + # Not confident with this thing, just keep trying... + pass ++ finally: ++ if fd is not None: ++ os.close(fd) + + # fallocate command + ret = shellutil.run( +diff --git a/azurelinuxagent/daemon/resourcedisk/freebsd.py b/azurelinuxagent/daemon/resourcedisk/freebsd.py +index ece166b..3d37285 100644 +--- a/azurelinuxagent/daemon/resourcedisk/freebsd.py ++++ b/azurelinuxagent/daemon/resourcedisk/freebsd.py +@@ -130,10 +130,7 @@ class FreeBSDResourceDiskHandler(ResourceDiskHandler): + swapfile = os.path.join(mount_point, 'swapfile') + swaplist = shellutil.run_get_output("swapctl -l")[1] + +- if swapfile in swaplist \ +- and os.path.isfile(swapfile) \ +- and os.path.getsize(swapfile) == size: +- logger.info("Swap already enabled") ++ if self.check_existing_swap_file(swapfile, swaplist, size): + return + + if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size: +diff --git a/tests/distro/test_resourceDisk.py b/tests/distro/test_resourceDisk.py +index 4c185ee..3259836 100644 +--- a/tests/distro/test_resourceDisk.py ++++ b/tests/distro/test_resourceDisk.py +@@ -19,6 +19,7 @@ + # http://msdn.microsoft.com/en-us/library/cc227259%28PROT.13%29.aspx + + import sys ++import stat + from azurelinuxagent.common.utils import shellutil + from azurelinuxagent.daemon.resourcedisk import get_resourcedisk_handler + from tests.tools import * +@@ -38,6 +39,10 @@ class TestResourceDisk(AgentTestCase): + # assert + assert os.path.exists(test_file) + ++ # only the owner should have access ++ mode = os.stat(test_file).st_mode & (stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO) ++ assert mode == stat.S_IRUSR | stat.S_IWUSR ++ + # cleanup + os.remove(test_file) + +@@ -83,6 +88,32 @@ class TestResourceDisk(AgentTestCase): + assert run_patch.call_count == 1 + assert "dd if" in run_patch.call_args_list[0][0][0] + ++ def test_check_existing_swap_file(self): ++ test_file = os.path.join(self.tmp_dir, 'test_swap_file') ++ file_size = 1024 * 128 ++ if os.path.exists(test_file): ++ os.remove(test_file) ++ ++ with open(test_file, "wb") as file: ++ file.write(bytes(file_size)) ++ ++ os.chmod(test_file, stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6677 ++ ++ def swap_on(_): # mimic the output of "swapon -s" ++ return [ ++ "Filename Type Size Used Priority", ++ "{0} partition 16498684 0 -2".format(test_file) ++ ] ++ ++ with patch.object(shellutil, "run_get_output", side_effect=swap_on): ++ get_resourcedisk_handler().check_existing_swap_file(test_file, test_file, file_size) ++ ++ # it should remove access from group, others ++ mode = os.stat(test_file).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IRWXU | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6777 ++ assert mode == stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR # 0o6600 ++ ++ os.remove(test_file) ++ + + if __name__ == '__main__': + unittest.main() diff --git a/debian/patches/series b/debian/patches/series index db11e62..a7d412a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ disable-bytecode-exthandler.patch entry-points.patch disable-auto-update.patch ignore-tests.patch +cve-2019-0804.patch unblock waagent/2.2.34-3 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled