Re: Bug#926043: CVE-2019-0816

To: Moritz Muehlenhoff <jmm@debian.org>, 926043@bugs.debian.org, security@debian.org, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Bug#926043: CVE-2019-0816
From: Thomas Goirand <zigo@debian.org>
Date: Sun, 31 Mar 2019 00:33:45 +0100
Message-id: <[🔎] 3710e7cd-6144-4110-6d24-6584ffd7fb16@debian.org>
In-reply-to: <[🔎] 155397303933.13043.2382207774820610132.reportbug@hullmann.westfalen.local>
References: <[🔎] 155397303933.13043.2382207774820610132.reportbug@hullmann.westfalen.local>

On 3/30/19 8:10 PM, Moritz Muehlenhoff wrote:
> Package: cloud-init
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2019-0816:
> https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
> https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
> 
> Is this something that affects cloud-init as shipped in Debian or in the way we generate Debian
> images for Azure?
> 
> Cheers,
>         Moritz

Hi Moritz,

If I understand well the problem, the issue is simply that some extra
Microsoft keys may end up being setup into an Azure Debian instance. I
don't see this as a very "grave" security issue because:

1/ Azure users must trust Azure anyways, otherwise, they should just
stop doing hosting there.
2/ It only affects Azure users.

I'm not even sure that our image is really using cloud-init to do the
ssh key provisioning, if I'm not mistaking, it's using the Azure agent
to do that (can Bastian confirm this?).

In any case, can we downgrade this bug to "important"? Or am I missing
something here?

Cheers,

Thomas Goirand (zigo)

Reply to:

References:
- Bug#926043: CVE-2019-0816
  - From: Moritz Muehlenhoff <jmm@debian.org>

Prev by Date: Bug#926043: CVE-2019-0816
Next by Date: Processed: found 926043 in 18.3-5
Previous by thread: Bug#926043: CVE-2019-0816
Next by thread: Processed: found 926043 in 18.3-5
Index(es):
- Date
- Thread