Bug#985540: cloud-init logs sensitive password data to world-readable files

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#985540: cloud-init logs sensitive password data to world-readable files
From: Noah Meyerhans <noahm@debian.org>
Date: Fri, 19 Mar 2021 09:15:24 -0700
Message-id: <[🔎] 161617052483.146318.10266075816009888077.reportbug@doom.morgul.net>
Reply-to: Noah Meyerhans <noahm@debian.org>, 985540@bugs.debian.org

Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

cloud-init has the ability to generate and set a randomized password for
system users.  This functionality is enabled at runtime by passing
cloud-config data such as:

   chpasswd:
       list: |
           user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.

Reply to:

Follow-Ups:
- Bug#985540: marked as done (cloud-init logs sensitive password data to world-readable files)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#985540: marked as done (cloud-init logs sensitive password data to world-readable files)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Re: Update of buster64 and contrib-buster64 Vagrant images
Next by Date: Re: Update of buster64 and contrib-buster64 Vagrant images
Previous by thread: Re: Update of buster64 and contrib-buster64 Vagrant images
Next by thread: Bug#985540: marked as done (cloud-init logs sensitive password data to world-readable files)
Index(es):
- Date
- Thread