Hello community, here is the log from the commit of package python-azure-agent for openSUSE:Factory checked in at 2019-03-18 10:43:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-azure-agent (Old) and /work/SRC/openSUSE:Factory/.python-azure-agent.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-azure-agent" Mon Mar 18 10:43:02 2019 rev:10 rq:685775 version:2.2.36 Changes: -------- --- /work/SRC/openSUSE:Factory/python-azure-agent/python-azure-agent.changes 2018-08-02 14:56:47.960141996 +0200 +++ /work/SRC/openSUSE:Factory/.python-azure-agent.new.28833/python-azure-agent.changes 2019-03-18 10:43:07.623155084 +0100 
@@ -1,0 +2,91 @@ +Thu Mar 7 18:21:15 UTC 2019 - Robert Schweikert <[email protected]> + +- Add paa_cve_2019-0804.patch (bsc#1127838) + - An issue with swapfile handling in the agent creates a data leak situation + that exposes system memory data. + +------------------------------------------------------------------- +Thu Feb 7 17:09:52 UTC 2019 - Robert Schweikert <[email protected]> + +- Update to 2.2.36 (bsc#1119542) + - Remove, included upstream + + paa_fix_driver_install_detect.patch + + paa_rdma_install_proper_driver.patch + + 0001-Obtain-platform-information-in-Python-version-depend.patch + + 0001-Detect-openSUSE-and-SLES.patch + + 0001-Handle-the-disapperance-of-net-tools.patch + + 0001-Properly-detect-SLES-15-for-rdma-support.patch + - Forward port agent-no-auto-update.patch + - [#1451] Do not utf-8 encode telemetry messages +- From 2.2.35 + + [#1434] Use files instead of pipes to capture stdout/stderr + + [#1431] Prevent multiple downloads of zips + + [#1418] Add main module to Python's egg + + [#1416] Fix UTF-8 encoding for telemetry payload + + [#1408] Honor the 'no_proxy' flag + + [#1391, #1401, #1441] Azure Stack improvements + + [#1384] Write status file in WALinuxAgent lib folder + + [#1375] Add support for Redhat + + [#1373] Handle different kernel builds on SUSE Linux Enterprise + + [#1365, #1385, #1389] Fixes for RDMA +- From 2.2.34 + + [#1397] Send events when extensions fail to complete operation + + [#1394/#1366] Fix the threshold telemetry issue + + [#1298] Implementing extension sequencing in azure Linux agent + + [#1340] Allow Clear Linux detection in python2 and python3 + + [#1345] FreeBSD swap issues fix (#1144) + + [#1349] Use append_file in Redhat6xOSUtil.openssl_to_openssh() + + [#1355] Ensure 'value' for authorized ssh keys end in "\n" + + [#1361] Remove main module +- From 2.2.32 + + [#1325] Enable cgroups by default on all distros + + [#1327, #1347] Allow enforcing of cgroups limits + + [#1337] Allow configuration for cgroups + + 
[#1333] Add support for NSBSD + + [#1319] Stream extension downloads to disk + (do not buffer the download in memory) + + [#1303] Fix to support custom DNS servers + + [#1306] Log extension stdout and stderr + + [#1302] Better of cloud-init configuration during deprovisioning + + [#1295] Fix to report the correct extension error code + + [#1289] Allow disabling the agent or extensions + + [#1290] Use the "ip route" command instead of the "route" comand + during network configuration + + [#1281] Delete JIT accounts + + [#1234] Fix for reading KVP values from host + + [#1287] Add UDEV rule in azure disk encryption +- From 2.2.31 +Upstream version jump + + [#1196] Health store integration + + [#1199] CGroups support + + [#1194] Use host for status reporting + + [#1188] Fix for sentinel and signal handlers + + [#1182] Telemetry updates + + [#1171] Add support for JIT + + [#1164] Fix for name resolution in Ubuntu 18.04 + + [#1154] Set connection close header + + [#1143] Remove extension packages after extraction +- From 2.2.26 + + Update Debian specific configuration and setup. +- From 2.2.25 + + Upstream version jump + + Revert extension manifest caching to prevent downgrade issues. +- From 2.2.20 + + This is a hotfix release for #945, details and mitigation are available + in the wiki. 
+- From 2.2.29 + + [#929] wire.py#update_goal_state does not handle out-of-date + GoalState errors + + [#908] Set Files to 0400 in /var/lib/waagent + + [#906] Hardcoded value for sshd's ClientAliveInterval (180) + + [#899] Improve HeartBeat Event + + [#898] Send dummy status if extension fails to write a #.status file + + [#897] 'Target handler state' wall of errors + + [#896] End of Line Comments are Not Supported nor Handled + + [#891] Create a Telemetry Event to Track Custom Data Execution + + [#884] Cleanup Old Goal State and Extension Cache + + [#876] The agent should use a scaling back-off when retrying HTTP requests + + [#869] The agent should report OS information in the correct JSON format. + + [#822] Update docs + +------------------------------------------------------------------- Old: ---- 0001-Detect-openSUSE-and-SLES.patch 0001-Handle-the-disapperance-of-net-tools.patch 0001-Obtain-platform-information-in-Python-version-depend.patch 0001-Properly-detect-SLES-15-for-rdma-support.patch WALinuxAgent-2.2.18.tar.gz paa_fix_driver_install_detect.patch paa_rdma_install_proper_driver.patch New: ---- WALinuxAgent-2.2.36.tar.gz paa_cve_2019-0804.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-azure-agent.spec ++++++ --- /var/tmp/diff_new_pack.XcNyuF/_old 2019-03-18 10:43:12.527152290 +0100 +++ /var/tmp/diff_new_pack.XcNyuF/_new 2019-03-18 10:43:12.555152274 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-azure-agent # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -20,19 +20,14 @@ Summary: Microsoft Azure Linux Agent License: Apache-2.0 Group: System/Daemons -Version: 2.2.18 +Version: 2.2.36 Release: 0 Url: https://github.com/Azure/WALinuxAgent Source0: WALinuxAgent-%{version}.tar.gz Patch1: agent-no-auto-update.patch -Patch3: paa_fix_driver_install_detect.patch -Patch4: paa_rdma_install_proper_driver.patch -Patch5: 0001-Obtain-platform-information-in-Python-version-depend.patch Patch6: paa_force_py3_sle15.patch -Patch7: 0001-Detect-openSUSE-and-SLES.patch -Patch8: 0001-Handle-the-disapperance-of-net-tools.patch Patch9: paa_sudo_sle15_nopwd.patch -Patch10: 0001-Properly-detect-SLES-15-for-rdma-support.patch +Patch10: paa_cve_2019-0804.patch BuildRequires: dos2unix BuildRequires: distribution-release @@ -122,14 +117,9 @@ %prep %setup -qn WALinuxAgent-%{version} %patch1 -%patch3 -%patch4 -%patch5 -p1 %if 0%{?suse_version} && 0%{?suse_version} > 1315 %patch6 %endif -%patch7 -p1 -%patch8 -p1 %if 0%{?suse_version} && 0%{?suse_version} > 1315 %patch9 %endif @@ -209,7 +199,8 @@ %files %defattr(0644,root,root,0755) -%doc Changelog LICENSE.txt NOTICE README.md +%doc Changelog NOTICE README.md +%license LICENSE.txt %{_sbindir}/rcwaagent %attr(0755,root,root) %{_sbindir}/waagent %attr(0755,root,root) %{_sbindir}/waagent2.0 ++++++ WALinuxAgent-2.2.18.tar.gz -> WALinuxAgent-2.2.36.tar.gz ++++++ ++++ 25891 lines of diff (skipped) ++++++ agent-no-auto-update.patch ++++++ --- /var/tmp/diff_new_pack.XcNyuF/_old 2019-03-18 10:43:13.555151704 +0100 +++ /var/tmp/diff_new_pack.XcNyuF/_new 2019-03-18 10:43:13.575151693 +0100 
@@ -1,7 +1,7 @@ --- config/suse/waagent.conf.orig +++ config/suse/waagent.conf -@@ -74,7 +74,7 @@ OS.OpensslPath=None - # OS.EnableRDMA=y +@@ -109,7 +109,7 @@ OS.SshDir=/etc/ssh + # OS.CheckRdmaDriver=y # Enable or disable goal state processing auto-update, default is enabled -# AutoUpdate.Enabled=y ++++++ paa_cve_2019-0804.patch ++++++ >From f9e292577be29a9490f62420c6bbed44dfc30a09 Mon Sep 17 00:00:00 2001 From: mbearup <[email protected]> Date: Tue, 26 Feb 2019 14:14:24 -0800 Subject: [PATCH] Add fixes for handling swap file --- .../daemon/resourcedisk/default.py | 35 ++++++++++++++----- .../daemon/resourcedisk/freebsd.py | 6 ++-- tests/distro/test_resourceDisk.py | 35 +++++++++++++++++-- 3 files changed, 61 insertions(+), 15 deletions(-) diff --git a/azurelinuxagent/daemon/resourcedisk/default.py b/azurelinuxagent/daemon/resourcedisk/default.py index 0f0925d..321c7bc 100644 --- a/azurelinuxagent/daemon/resourcedisk/default.py +++ b/azurelinuxagent/daemon/resourcedisk/default.py @@ -16,6 +16,7 @@ # import os +import stat import re import sys import threading 
@@ -245,16 +246,28 @@ def get_mount_string(mount_options, partition, mount_point):
 else:
 return 'mount {0} {1}'.format(partition, mount_point)
+ @staticmethod
+ def check_existing_swap_file(swapfile, size):
+ swaplist = shellutil.run_get_output("swapon -s")[1]
+
+ if swapfile in swaplist and os.path.isfile(swapfile) and os.path.getsize(swapfile) == size:
+ logger.info("Swap already enabled")
+ # restrict access to owner (remove all access from group, others)
+ swapfile_mode = os.stat(swapfile).st_mode
+ if swapfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
+ swapfile_mode = swapfile_mode & ~(stat.S_IRWXG | stat.S_IRWXO)
+ logger.info("Changing mode of {0} to {1:o}".format(swapfile, swapfile_mode))
+ os.chmod(swapfile, swapfile_mode)
+ return True
+
+ return False
+
 def create_swap_space(self, mount_point, size_mb):
 size_kb = size_mb * 1024
 size = size_kb * 1024
 swapfile = os.path.join(mount_point, 'swapfile')
- swaplist = shellutil.run_get_output("swapon -s")[1]
- if swapfile in swaplist \
- and os.path.isfile(swapfile) \
- and os.path.getsize(swapfile) == size:
- logger.info("Swap already enabled")
+ if self.check_existing_swap_file(swapfile, size):
 return
 if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
@@ -305,13 +318,18 @@ def mkfile(self, filename, nbytes):
 # Probable errors:
 # - OSError: Seen on Cygwin, libc notimpl?
 # - AttributeError: What if someone runs this under...
+ fd = None
+
 try:
- with open(filename, 'w') as f:
- os.posix_fallocate(f.fileno(), 0, nbytes)
- return 0
+ fd = os.open(filename, os.O_CREAT | os.O_WRONLY, stat.S_IRUSR | stat.S_IWUSR)
+ os.posix_fallocate(fd, 0, nbytes)
+ return 0
 except:
 # Not confident with this thing, just keep trying...
 pass
+ finally:
+ if fd is not None:
+ os.close(fd)
 # fallocate command
 ret = shellutil.run(
@@ -340,3 +358,4 @@ def mkfile(self, filename, nbytes):
 logger.error("dd unsuccessful")
 return ret
+
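Review bot: In `check_existing_swap_file`, the permission repair runs only when the file appears in the `swapon -s` output, is a regular file and has exactly the requested size; a group- or world-readable swapfile that fails any of those checks is left untouched by this helper. What happens to such a file afterwards is decided in the rest of `create_swap_space`, which continues outside the hunk, so that path should be confirmed to remove or re-mode the file before it is reused. `swapfile in swaplist` is also a substring test on raw command output, so comparing against the first column of each listed line would be stricter. The new method has no docstring; I would add `"""Return True if swapfile is active swap of the given size, after removing group/other access from it."""`.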
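Review bot: In `mkfile`, the mode given to `os.open(filename, os.O_CREAT | os.O_WRONLY, stat.S_IRUSR | stat.S_IWUSR)` takes effect only when the call creates the file; if `filename` already exists with wider permissions they are kept. Adding `os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)` directly after the open would enforce owner-only access in both cases. The `fallocate` and `dd` fallbacks after the `try` block lie mostly outside the hunk; if `os.open` itself fails they presumably create the file under the process umask, so the same mode should be enforced there as well. The bare `except:` followed by `pass` also hides why the first attempt failed, and logging the exception would help when diagnosing a swap file left with the wrong mode.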
diff --git a/azurelinuxagent/daemon/resourcedisk/freebsd.py b/azurelinuxagent/daemon/resourcedisk/freebsd.py
index ece166b..f1a5d91 100644
--- a/azurelinuxagent/daemon/resourcedisk/freebsd.py
+++ b/azurelinuxagent/daemon/resourcedisk/freebsd.py
@@ -130,10 +130,7 @@ def create_swap_space(self, mount_point, size_mb):
 swapfile = os.path.join(mount_point, 'swapfile')
 swaplist = shellutil.run_get_output("swapctl -l")[1]
- if swapfile in swaplist \
- and os.path.isfile(swapfile) \
- and os.path.getsize(swapfile) == size:
- logger.info("Swap already enabled")
+ if self.check_existing_swap_file(swapfile, size):
 return
 if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
@@ -161,3 +158,4 @@ def create_swap_space(self, mount_point, size_mb):
 if shellutil.run("swapon /dev/{0}".format(mddevice)):
 raise ResourceDiskError("/dev/{0}".format(mddevice))
 logger.info("Enabled {0}KB of swap at /dev/{1} ({2})".format(size_kb, mddevice, swapfile))
+
diff --git a/tests/distro/test_resourceDisk.py b/tests/distro/test_resourceDisk.py
index d2ce6e1..9b27ade 100644
--- a/tests/distro/test_resourceDisk.py
+++ b/tests/distro/test_resourceDisk.py
@@ -18,12 +18,11 @@
 # http://msdn.microsoft.com/en-us/library/cc227282%28PROT.10%29.aspx
 # http://msdn.microsoft.com/en-us/library/cc227259%28PROT.13%29.aspx
-import sys
+import stat
 from azurelinuxagent.common.utils import shellutil
 from azurelinuxagent.daemon.resourcedisk import get_resourcedisk_handler
 from tests.tools import *
-
 class TestResourceDisk(AgentTestCase):
 def test_mkfile(self):
 # setup
@@ -38,6 +37,10 @@ def test_mkfile(self):
 # assert
 assert os.path.exists(test_file)
+ # only the owner should have access
+ mode = os.stat(test_file).st_mode & (stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
+ assert mode == stat.S_IRUSR | stat.S_IWUSR
+
 # cleanup
 os.remove(test_file)
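Review bot: In the FreeBSD `create_swap_space`, the context line `swaplist = shellutil.run_get_output("swapctl -l")[1]` is now unused, because the replacement check `self.check_existing_swap_file(swapfile, size)` builds its own listing from `swapon -s` as written in default.py. If the FreeBSD handler inherits that helper unchanged, both the existing-swap detection and the permission tightening on this platform depend on `swapon -s` output instead of `swapctl -l`, which should be verified on FreeBSD. Either drop the dead `swaplist` assignment or let the helper accept the platform's listing so the check keeps using `swapctl -l`. The function body continues outside the hunk.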
@@ -83,7 +86,6 @@ def test_mkfile_xfs_fs(self):
 assert run_patch.call_count == 1
 assert "dd if" in run_patch.call_args_list[0][0][0]
-
 def test_change_partition_type(self):
 resource_handler = get_resourcedisk_handler()
 # test when sfdisk --part-type does not exist
@@ -105,6 +107,33 @@ def test_change_partition_type(self):
 assert run_patch.call_count == 1
 assert "sfdisk --part-type" in run_patch.call_args_list[0][0][0]
+ def test_check_existing_swap_file(self):
+ test_file = os.path.join(self.tmp_dir, 'test_swap_file')
+ file_size = 1024 * 128
+ if os.path.exists(test_file):
+ os.remove(test_file)
+
+ with open(test_file, "wb") as file:
+ file.write(bytes(file_size))
+
+ os.chmod(test_file, stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6677
+
+ def swap_on(_): # mimic the output of "swapon -s"
+ return [
+ "Filename Type Size Used Priority",
+ "{0} partition 16498684 0 -2".format(test_file)
+ ]
+
+ with patch.object(shellutil, "run_get_output", side_effect=swap_on):
+ get_resourcedisk_handler().check_existing_swap_file(test_file, file_size)
+
+ # it should remove access from group, others
+ mode = os.stat(test_file).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IRWXU | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6777
+ assert mode == stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR # 0o6600
+
+ os.remove(test_file)
+
 if __name__ == '__main__':
 unittest.main()
+
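Review bot: In `test_check_existing_swap_file`, `file.write(bytes(file_size))` produces `file_size` zero bytes only on Python 3; on Python 2 `bytes(131072)` is the six-character string `'131072'`, so the size comparison in `check_existing_swap_file` would fail, no chmod would happen and the mode assertion would break. If the suite still runs under Python 2, `file.write(bytearray(file_size))` behaves the same on both interpreters. The test also ignores the helper's return value and has no negative case; asserting the `True` result here and adding a case where the file is absent from the mocked `swapon -s` listing would pin both branches. The handle name `file` shadows the Python 2 builtin, so `f` would be cleaner.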
