Bug#924461: unblock: waagent/2.2.34-3

[Bastian Blank <bastian.blank@credativ.de>]

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package waagent.  It fixes one security problem.

diff --git a/debian/changelog b/debian/changelog
index b1bc553..06df3b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+waagent (2.2.34-3) unstable; urgency=medium
+
+  * Set proper access rights on swap file.
+    CVE-2019-0804
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Tue, 12 Mar 2019 09:34:51 +0100
+
 waagent (2.2.34-2) unstable; urgency=medium
 
   * Disable all tests, they need a real system. (closes: #918943)
diff --git a/debian/patches/cve-2019-0804.patch b/debian/patches/cve-2019-0804.patch
new file mode 100644
index 0000000..3b2948d
--- /dev/null
+++ b/debian/patches/cve-2019-0804.patch
@@ -0,0 +1,149 @@
+From: Bastian Blank <bastian.blank@credativ.de>
+Date: Mon, 11 Mar 2019 13:18:04 +0000
+Subject: Set proper access rights on swap file
+
+CVE-2019-0804
+---
+ azurelinuxagent/daemon/resourcedisk/default.py | 31 ++++++++++++++++++++------
+ azurelinuxagent/daemon/resourcedisk/freebsd.py |  5 +----
+ tests/distro/test_resourceDisk.py              | 31 ++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 11 deletions(-)
+
+diff --git a/azurelinuxagent/daemon/resourcedisk/default.py b/azurelinuxagent/daemon/resourcedisk/default.py
+index ce1309c..3e879f4 100644
+--- a/azurelinuxagent/daemon/resourcedisk/default.py
++++ b/azurelinuxagent/daemon/resourcedisk/default.py
+@@ -16,6 +16,7 @@
+ #
+ 
+ import os
++import stat
+ import re
+ import subprocess
+ import sys
+@@ -214,16 +215,27 @@ class ResourceDiskHandler(object):
+         else:
+             return 'mount {0} {1}'.format(partition, mount_point)
+ 
++    @staticmethod
++    def check_existing_swap_file(swapfile, swaplist, size):
++        if swapfile in swaplist and os.path.isfile(swapfile) and os.path.getsize(swapfile) == size:
++            logger.info("Swap already enabled")
++            # restrict access to owner (remove all access from group, others)
++            swapfile_mode = os.stat(swapfile).st_mode
++            if swapfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
++                swapfile_mode = swapfile_mode & ~(stat.S_IRWXG | stat.S_IRWXO)
++                logger.info("Changing mode of {0} to {1:o}".format(swapfile, swapfile_mode))
++                os.chmod(swapfile, swapfile_mode)
++            return True
++
++        return False
++
+     def create_swap_space(self, mount_point, size_mb):
+         size_kb = size_mb * 1024
+         size = size_kb * 1024
+         swapfile = os.path.join(mount_point, 'swapfile')
+         swaplist = shellutil.run_get_output("swapon -s")[1]
+ 
+-        if swapfile in swaplist \
+-                and os.path.isfile(swapfile) \
+-                and os.path.getsize(swapfile) == size:
+-            logger.info("Swap already enabled")
++        if self.check_existing_swap_file(swapfile, swaplist, size):
+             return
+ 
+         if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
+@@ -274,13 +286,18 @@ class ResourceDiskHandler(object):
+                 # Probable errors:
+                 #  - OSError: Seen on Cygwin, libc notimpl?
+                 #  - AttributeError: What if someone runs this under...
++                fd = None
++
+                 try:
+-                    with open(filename, 'w') as f:
+-                        os.posix_fallocate(f.fileno(), 0, nbytes)
+-                        return 0
++                    fd = os.open(filename, os.O_CREAT | os.O_WRONLY | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
++                    os.posix_fallocate(fd, 0, nbytes)
++                    return 0
+                 except:
+                     # Not confident with this thing, just keep trying...
+                     pass
++                finally:
++                    if fd is not None:
++                        os.close(fd)
+ 
+             # fallocate command
+             ret = shellutil.run(
+diff --git a/azurelinuxagent/daemon/resourcedisk/freebsd.py b/azurelinuxagent/daemon/resourcedisk/freebsd.py
+index ece166b..3d37285 100644
+--- a/azurelinuxagent/daemon/resourcedisk/freebsd.py
++++ b/azurelinuxagent/daemon/resourcedisk/freebsd.py
+@@ -130,10 +130,7 @@ class FreeBSDResourceDiskHandler(ResourceDiskHandler):
+         swapfile = os.path.join(mount_point, 'swapfile')
+         swaplist = shellutil.run_get_output("swapctl -l")[1]
+ 
+-        if swapfile in swaplist \
+-                and os.path.isfile(swapfile) \
+-                and os.path.getsize(swapfile) == size:
+-            logger.info("Swap already enabled")
++        if self.check_existing_swap_file(swapfile, swaplist, size):
+             return
+ 
+         if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
+diff --git a/tests/distro/test_resourceDisk.py b/tests/distro/test_resourceDisk.py
+index 4c185ee..3259836 100644
+--- a/tests/distro/test_resourceDisk.py
++++ b/tests/distro/test_resourceDisk.py
+@@ -19,6 +19,7 @@
+ # http://msdn.microsoft.com/en-us/library/cc227259%28PROT.13%29.aspx
+ 
+ import sys
++import stat
+ from azurelinuxagent.common.utils import shellutil
+ from azurelinuxagent.daemon.resourcedisk import get_resourcedisk_handler
+ from tests.tools import *
+@@ -38,6 +39,10 @@ class TestResourceDisk(AgentTestCase):
+         # assert
+         assert os.path.exists(test_file)
+ 
++        # only the owner should have access
++        mode = os.stat(test_file).st_mode & (stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
++        assert mode == stat.S_IRUSR | stat.S_IWUSR
++
+         # cleanup
+         os.remove(test_file)
+ 
+@@ -83,6 +88,32 @@ class TestResourceDisk(AgentTestCase):
+             assert run_patch.call_count == 1
+             assert "dd if" in run_patch.call_args_list[0][0][0]
+ 
++    def test_check_existing_swap_file(self):
++        test_file = os.path.join(self.tmp_dir, 'test_swap_file')
++        file_size = 1024 * 128
++        if os.path.exists(test_file):
++            os.remove(test_file)
++
++        with open(test_file, "wb") as file:
++            file.write(bytes(file_size))
++
++        os.chmod(test_file,  stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO)  # 0o6677
++
++        def swap_on(_):   # mimic the output of "swapon -s"
++            return [
++                "Filename   Type        Size      Used  Priority",
++                "{0}        partition	16498684  0     -2".format(test_file)
++            ]
++
++        with patch.object(shellutil, "run_get_output", side_effect=swap_on):
++            get_resourcedisk_handler().check_existing_swap_file(test_file, test_file, file_size)
++
++        # it should remove access from group, others
++        mode = os.stat(test_file).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IRWXU | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO)  # 0o6777
++        assert mode == stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR  # 0o6600
++
++        os.remove(test_file)
++
+ 
+ if __name__ == '__main__':
+     unittest.main()
diff --git a/debian/patches/series b/debian/patches/series
index db11e62..a7d412a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ disable-bytecode-exthandler.patch
 entry-points.patch
 disable-auto-update.patch
 ignore-tests.patch
+cve-2019-0804.patch

unblock waagent/2.2.34-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled