Bug#926043: CVE-2019-0816
On 4/24/19 10:02 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
>> severity 926043 important
>> thanks
>>
>> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
>>> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
>>>> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>>>>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>>>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>>>>
>>>>> Sure.
>>>>>
>>>>>> Ubuntu fixed this already and their versions seem fairly close.
>>>>>
>>>>> That's the thing. I went into the launchpad bug report, and it's full of
>>>>> small, incremental commits, from which it is very hard to figure out
>>>>> which one is really fixing the issue. Also, the Ubuntu package is just
>>>>> getting a snapshot from upstream, it's not integrating any patch. If
>>>>> someone can point at the correct patch, I'll do the update work.
>>>>
>>>> Actually, given Bastian's reply, we can just close the bug, or am I
>>>> missing something?
>>>>
>>>> Cheers,
>>>> Moritz
>>>
>>> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
>>> someone running Debian, building their own image, could be affected by
>>> the bug. Which is why I'd suggest downgrading the bug to important, as
>>> it would only affect, only potentially, a very small subset of users.
>>
>> OK, I see! Downgrading makes total sense, then. Doing that now.
>>
>>> I still believe we should try to get this fixed in time for Buster, and
>>> backport it to Stretch.
>>
>> Ack.
>
> Did you have a chance to look into this specifically for unstable and
> possibly buster (still agreeing on the reasoning, but was looking
> through some pending mails and spotted the intent above).
>
> Regards,
> Salvatore

My apologies, I found the patch in the cloud-init Git, and it applies
almost cleanly to the current Sid/Buster release of cloud-init (just a
few offsets...). I'm uploading the fix then...

Thanks for pushing me to do a better job! :)

Cheers,

Thomas Goirand (zigo)
Bug#926043: CVE-2019-0816
On 4/24/19 10:02 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
>> severity 926043 important
>> thanks
>>
>> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
>>> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
>>>> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>>>>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>>>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>>>>
>>>>> Sure.
>>>>>
>>>>>> Ubuntu fixed this already and their versions seem fairly close.
>>>>>
>>>>> That's the thing. I went into the launchpad bug report, and it's full of
>>>>> small, incremental commits, from which it is very hard to figure out
>>>>> which one is really fixing the issue. Also, the Ubuntu package is just
>>>>> getting a snapshot from upstream, it's not integrating any patch. If
>>>>> someone can point at the correct patch, I'll do the update work.
>>>>
>>>> Actually, given Bastian's reply, we can just close the bug, or am I
>>>> missing something?
>>>>
>>>> Cheers,
>>>> Moritz
>>>
>>> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
>>> someone running Debian, building their own image, could be affected by
>>> the bug. Which is why I'd suggest downgrading the bug to important, as
>>> it would only affect, only potentially, a very small subset of users.
>>
>> OK, I see! Downgrading makes total sense, then. Doing that now.
>>
>>> I still believe we should try to get this fixed in time for Buster, and
>>> backport it to Stretch.
>>
>> Ack.
>
> Did you have a chance to look into this specifically for unstable and
> possibly buster (still agreeing on the reasoning, but was looking
> through some pending mails and spotted the intent above).
>
> Regards,
> Salvatore

Hi,

We are probably better off packaging the latest upstream release, as
it's kind of hard to find out what commit fixes the issue. However, I'm
really not sure if the release team is comfortable with it at this point.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
Bug#926043: CVE-2019-0816
Hi Thomas,

On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
> severity 926043 important
> thanks
>
> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> > On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> > >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> > >>> Instead of arguing over bug severities, can't we rather fix the bug?
> > >>
> > >> Sure.
> > >>
> > >>> Ubuntu fixed this already and their versions seem fairly close.
> > >>
> > >> That's the thing. I went into the launchpad bug report, and it's full of
> > >> small, incremental commits, from which it is very hard to figure out
> > >> which one is really fixing the issue. Also, the Ubuntu package is just
> > >> getting a snapshot from upstream, it's not integrating any patch. If
> > >> someone can point at the correct patch, I'll do the update work.
> > >
> > > Actually, given Bastian's reply, we can just close the bug, or am I
> > > missing something?
> > >
> > > Cheers,
> > > Moritz
> >
> > Well, not 100%. "we" don't support cloud-init provisioning yet. Though
> > someone running Debian, building their own image, could be affected by
> > the bug. Which is why I'd suggest downgrading the bug to important, as
> > it would only affect, only potentially, a very small subset of users.
>
> OK, I see! Downgrading makes total sense, then. Doing that now.
>
> > I still believe we should try to get this fixed in time for Buster, and
> > backport it to Stretch.
>
> Ack.

Did you have a chance to look into this specifically for unstable and
possibly buster (still agreeing on the reasoning, but was looking
through some pending mails and spotted the intent above).

Regards,
Salvatore
Bug#926043: CVE-2019-0816
severity 926043 important
thanks

On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> >>> Instead of arguing over bug severities, can't we rather fix the bug?
> >>
> >> Sure.
> >>
> >>> Ubuntu fixed this already and their versions seem fairly close.
> >>
> >> That's the thing. I went into the launchpad bug report, and it's full of
> >> small, incremental commits, from which it is very hard to figure out
> >> which one is really fixing the issue. Also, the Ubuntu package is just
> >> getting a snapshot from upstream, it's not integrating any patch. If
> >> someone can point at the correct patch, I'll do the update work.
> >
> > Actually, given Bastian's reply, we can just close the bug, or am I missing
> > something?
> >
> > Cheers,
> > Moritz
>
> Well, not 100%. "we" don't support cloud-init provisioning yet. Though
> someone running Debian, building their own image, could be affected by
> the bug. Which is why I'd suggest downgrading the bug to important, as
> it would only affect, only potentially, a very small subset of users.

OK, I see! Downgrading makes total sense, then. Doing that now.

> I still believe we should try to get this fixed in time for Buster, and
> backport it to Stretch.

Ack.

Cheers,
Moritz
Bug#926043: CVE-2019-0816
On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
>> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
>>> Instead of arguing over bug severities, can't we rather fix the bug?
>>
>> Sure.
>>
>>> Ubuntu fixed this already and their versions seem fairly close.
>>
>> That's the thing. I went into the launchpad bug report, and it's full of
>> small, incremental commits, from which it is very hard to figure out
>> which one is really fixing the issue. Also, the Ubuntu package is just
>> getting a snapshot from upstream, it's not integrating any patch. If
>> someone can point at the correct patch, I'll do the update work.
>
> Actually, given Bastian's reply, we can just close the bug, or am I missing
> something?
>
> Cheers,
> Moritz

Well, not 100%. "we" don't support cloud-init provisioning yet. Though
someone running Debian, building their own image, could be affected by
the bug. Which is why I'd suggest downgrading the bug to important, as
it would only affect, only potentially, a very small subset of users.

I still believe we should try to get this fixed in time for Buster, and
backport it to Stretch.

Cheers,

Thomas Goirand (zigo)
Bug#926043: CVE-2019-0816
On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> > Instead of arguing over bug severities, can't we rather fix the bug?
>
> Sure.
>
> > Ubuntu fixed this already and their versions seem fairly close.
>
> That's the thing. I went into the launchpad bug report, and it's full of
> small, incremental commits, from which it is very hard to figure out
> which one is really fixing the issue. Also, the Ubuntu package is just
> getting a snapshot from upstream, it's not integrating any patch. If
> someone can point at the correct patch, I'll do the update work.

Actually, given Bastian's reply, we can just close the bug, or am I missing
something?

Cheers,
Moritz
Bug#926043: CVE-2019-0816
On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> Instead of arguing over bug severities, can't we rather fix the bug?

Sure.

> Ubuntu fixed this already and their versions seem fairly close.

That's the thing. I went into the launchpad bug report, and it's full of
small, incremental commits, from which it is very hard to figure out
which one is really fixing the issue. Also, the Ubuntu package is just
getting a snapshot from upstream, it's not integrating any patch. If
someone can point at the correct patch, I'll do the update work.

Cheers,

Thomas Goirand (zigo)
Bug#926043: CVE-2019-0816
On Sat, Mar 30, 2019 at 08:10:39PM +0100, Moritz Muehlenhoff wrote:
> Is this something that affects cloud-init as shipped in Debian or in the way
> we generate Debian images for Azure?

No, it is not affected as we don't support cloud-init based provisioning, yet.

Regards,
Bastian

-- 
No one can guarantee the actions of another.
		-- Spock, "Day of the Dove", stardate unknown
Bug#926043: CVE-2019-0816
Hi Thomas,

On Sun, Mar 31, 2019 at 12:33:45AM +0100, Thomas Goirand wrote:
> If I understand well the problem, the issue is simply that some extra
> Microsoft keys may end up being set up into an Azure Debian instance. I
> don't see this as a very "grave" security issue because:
>
> 1/ Azure users must trust Azure anyways, otherwise, they should just
> stop doing hosting there.

It's still a big difference whether Microsoft has access during the
provisioning phase vs. the running system (where it may contain sensitive
data). Metaphorically speaking, I'm fine with builders having access to my
house while it's under construction, but not with them having the keys
once the house is built.

> 2/ It only affects Azure users.

But Azure is an official use case, isn't it? We only recently pushed a DSA
for the Azure agent e.g.

> I'm not even sure that our image is really using cloud-init to do the
> ssh key provisioning, if I'm not mistaken, it's using the Azure agent
> to do that (can Bastian confirm this?).

I don't know, if it can be confirmed it doesn't affect Debian, then we can
close the bug, ofc.

> In any case, can we downgrade this bug to "important"? Or am I missing
> something here?

Instead of arguing over bug severities, can't we rather fix the bug?
Ubuntu fixed this already and their versions seem fairly close.

Cheers,
Moritz
Bug#926043: CVE-2019-0816
On 3/30/19 8:10 PM, Moritz Muehlenhoff wrote:
> Package: cloud-init
> Severity: grave
> Tags: security
>
> This was assigned CVE-2019-0816:
> https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
> https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
>
> Is this something that affects cloud-init as shipped in Debian or in the way
> we generate Debian images for Azure?
>
> Cheers,
> Moritz

Hi Moritz,

If I understand well the problem, the issue is simply that some extra
Microsoft keys may end up being set up into an Azure Debian instance. I
don't see this as a very "grave" security issue because:

1/ Azure users must trust Azure anyways, otherwise, they should just
stop doing hosting there.

2/ It only affects Azure users.

I'm not even sure that our image is really using cloud-init to do the
ssh key provisioning, if I'm not mistaken, it's using the Azure agent
to do that (can Bastian confirm this?).

In any case, can we downgrade this bug to "important"? Or am I missing
something here?

Cheers,

Thomas Goirand (zigo)
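The message above describes the effect of CVE-2019-0816 as extra public keys ending up in an instance's authorized_keys. The practical check for anyone who built their own Debian image (the affected group identified later in this thread) is to compare what is actually installed against what was deliberately provisioned. The script below is an added example, not code from cloud-init, Debian, Microsoft or anyone in this thread: it parses an authorized_keys file (tolerating a leading options field such as command="..."), fingerprints each key the way `ssh-keygen -lf` does (SHA256 over the base64-decoded key blob, base64 without padding), and reports every key whose fingerprint is not in an allowlist. The authorized_keys contents and the "provisioned" keys are constructed ed25519-shaped blobs with no cryptographic meaning; the allowlist is an assumed input that you would build from the public keys you actually handed to the platform.

```python
"""Audit an authorized_keys file against an allowlist of key fingerprints.

Added example for the CVE-2019-0816 discussion (not cloud-init code).
Fingerprints use the OpenSSH SHA256 format so they can be compared with
the output of `ssh-keygen -lf <pubkey>`.
"""
from __future__ import annotations

import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass

# Key type tokens that OpenSSH uses in authorized_keys lines.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


@dataclass(frozen=True)
class AuthorizedKey:
    key_type: str
    blob_b64: str
    comment: str
    options: str   # leading options field, with shell-style quotes removed
    line_no: int


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: SHA256:<base64 sans '='>."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys lines; blank lines, comments and unparseable lines are skipped."""
    keys: list[AuthorizedKey] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # shlex keeps quoted option values (e.g. command="a b") as one token.
        tokens = shlex.split(stripped)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line we understand; do not guess
        keys.append(AuthorizedKey(
            key_type=tokens[idx],
            blob_b64=tokens[idx + 1],
            comment=" ".join(tokens[idx + 2:]),
            options=" ".join(tokens[:idx]),
            line_no=line_no,
        ))
    return keys


def unexpected_keys(text: str, allowed_fingerprints: set[str]) -> list[AuthorizedKey]:
    """Every installed key whose fingerprint is not on the allowlist."""
    return [k for k in parse_authorized_keys(text)
            if ssh_fingerprint(k.blob_b64) not in allowed_fingerprints]


def fake_ed25519_blob(seed: int) -> str:
    """Constructed, non-cryptographic blob in OpenSSH wire format
    (string "ssh-ed25519" + 32-byte string). Only for the sample below."""
    key_type = b"ssh-ed25519"
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 bytes, not a real key
    wire = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(point)) + point)
    return base64.b64encode(wire).decode()


# Constructed sample file: two keys the operator provisioned, one that appeared on its own.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not captured from a real VM",
    f"ssh-ed25519 {fake_ed25519_blob(1)} admin@workstation",
    f'command="/usr/bin/backup",no-pty ssh-ed25519 {fake_ed25519_blob(2)} backup-robot',
    f"ssh-ed25519 {fake_ed25519_blob(3)} provisioning-extra",
    "",
])

# Assumed allowlist input: the keys the operator actually handed to the platform.
PROVISIONED_KEYS = [fake_ed25519_blob(1), fake_ed25519_blob(2)]


def audit_sample() -> list[str]:
    """Comments of the keys in the sample file that were not provisioned."""
    allowed = {ssh_fingerprint(b) for b in PROVISIONED_KEYS}
    return [k.comment for k in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, allowed)]


if __name__ == "__main__":
    allowed = {ssh_fingerprint(b) for b in PROVISIONED_KEYS}
    for k in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(f"line {k.line_no}: unexpected {k.key_type} key "
              f"{ssh_fingerprint(k.blob_b64)} ({k.comment or 'no comment'})")
```

On a real instance, feed it the contents of ~/.ssh/authorized_keys for the provisioned user and an allowlist built by running `ssh-keygen -lf` on each public key you supplied; anything it reports should be removed and, if you cannot explain it, treated as a sign that the provisioning path is still exposed.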
Bug#926043: CVE-2019-0816
Package: cloud-init
Severity: grave
Tags: security

This was assigned CVE-2019-0816:
https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm

Is this something that affects cloud-init as shipped in Debian or in the way
we generate Debian images for Azure?

Cheers,
Moritz