Bug#924461: unblock: waagent/2.2.34-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package waagent. It fixes one security problem.
diff --git a/debian/changelog b/debian/changelog
index b1bc553..06df3b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+waagent (2.2.34-3) unstable; urgency=medium
+
+ * Set proper access rights on swap file.
+ CVE-2019-0804
+
+ -- Bastian Blank <bastian.blank@credativ.de> Tue, 12 Mar 2019 09:34:51 +0100
+
waagent (2.2.34-2) unstable; urgency=medium
* Disable all tests, they need a real system. (closes: #918943)
diff --git a/debian/patches/cve-2019-0804.patch b/debian/patches/cve-2019-0804.patch
new file mode 100644
index 0000000..3b2948d
--- /dev/null
+++ b/debian/patches/cve-2019-0804.patch
@@ -0,0 +1,149 @@
+From: Bastian Blank <bastian.blank@credativ.de>
+Date: Mon, 11 Mar 2019 13:18:04 +0000
+Subject: Set proper access rights on swap file
+
+CVE-2019-0804
+---
+ azurelinuxagent/daemon/resourcedisk/default.py | 31 ++++++++++++++++++++------
+ azurelinuxagent/daemon/resourcedisk/freebsd.py | 5 +----
+ tests/distro/test_resourceDisk.py | 31 ++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 11 deletions(-)
+
+diff --git a/azurelinuxagent/daemon/resourcedisk/default.py b/azurelinuxagent/daemon/resourcedisk/default.py
+index ce1309c..3e879f4 100644
+--- a/azurelinuxagent/daemon/resourcedisk/default.py
++++ b/azurelinuxagent/daemon/resourcedisk/default.py
+@@ -16,6 +16,7 @@
+ #
+
+ import os
++import stat
+ import re
+ import subprocess
+ import sys
+@@ -214,16 +215,27 @@ class ResourceDiskHandler(object):
+ else:
+ return 'mount {0} {1}'.format(partition, mount_point)
+
++ @staticmethod
++ def check_existing_swap_file(swapfile, swaplist, size):
++ if swapfile in swaplist and os.path.isfile(swapfile) and os.path.getsize(swapfile) == size:
++ logger.info("Swap already enabled")
++ # restrict access to owner (remove all access from group, others)
++ swapfile_mode = os.stat(swapfile).st_mode
++ if swapfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
++ swapfile_mode = swapfile_mode & ~(stat.S_IRWXG | stat.S_IRWXO)
++ logger.info("Changing mode of {0} to {1:o}".format(swapfile, swapfile_mode))
++ os.chmod(swapfile, swapfile_mode)
++ return True
++
++ return False
++
+ def create_swap_space(self, mount_point, size_mb):
+ size_kb = size_mb * 1024
+ size = size_kb * 1024
+ swapfile = os.path.join(mount_point, 'swapfile')
+ swaplist = shellutil.run_get_output("swapon -s")[1]
+
+- if swapfile in swaplist \
+- and os.path.isfile(swapfile) \
+- and os.path.getsize(swapfile) == size:
+- logger.info("Swap already enabled")
++ if self.check_existing_swap_file(swapfile, swaplist, size):
+ return
+
+ if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
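Review bot: `check_existing_swap_file` only tightens the mode when the file is listed in the swap output, is a regular file and has exactly the expected size, so an existing swap file of the right size that is not currently active returns False with its group/other bits untouched. `create_swap_space` continues past the end of this hunk, so whether that file is later re-enabled as-is cannot be confirmed from here. It would be safer to strip the bits for any existing swap file before the early-return test, e.g. `os.chmod(swapfile, stat.S_IMODE(os.stat(swapfile).st_mode) & ~(stat.S_IRWXG | stat.S_IRWXO))`. The same applies to the FreeBSD handler, which now calls this helper. The new static method also has no docstring; one line saying it returns True when swap is already active and restricts the file to its owner as a side effect would help.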
+@@ -274,13 +286,18 @@ class ResourceDiskHandler(object):
+ # Probable errors:
+ # - OSError: Seen on Cygwin, libc notimpl?
+ # - AttributeError: What if someone runs this under...
++ fd = None
++
+ try:
+- with open(filename, 'w') as f:
+- os.posix_fallocate(f.fileno(), 0, nbytes)
+- return 0
++ fd = os.open(filename, os.O_CREAT | os.O_WRONLY | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
++ os.posix_fallocate(fd, 0, nbytes)
++ return 0
+ except:
+ # Not confident with this thing, just keep trying...
+ pass
++ finally:
++ if fd is not None:
++ os.close(fd)
+
+ # fallocate command
+ ret = shellutil.run(
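Review bot: Only the `os.open`/`posix_fallocate` path creates the file with mode 0600; if `os.open` itself raises, the bare `except:` falls through to the `fallocate` command that begins at the end of this hunk, which is unchanged context, so the file would presumably be created under the process umask. `mkfile` starts and ends outside the hunk, so any further fallback is not visible here. Each shell fallback should restrict the mode as well, preferably by prefixing the command string with `umask 0077 && ` (assuming `shellutil.run` goes through a shell), since a later `os.chmod(filename, stat.S_IRUSR | stat.S_IWUSR)` leaves a short window. The bare `except:` also hides an `O_EXCL` failure on a pre-existing file, so logging the exception before falling back would make that case diagnosable.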
+diff --git a/azurelinuxagent/daemon/resourcedisk/freebsd.py b/azurelinuxagent/daemon/resourcedisk/freebsd.py
+index ece166b..3d37285 100644
+--- a/azurelinuxagent/daemon/resourcedisk/freebsd.py
++++ b/azurelinuxagent/daemon/resourcedisk/freebsd.py
+@@ -130,10 +130,7 @@ class FreeBSDResourceDiskHandler(ResourceDiskHandler):
+ swapfile = os.path.join(mount_point, 'swapfile')
+ swaplist = shellutil.run_get_output("swapctl -l")[1]
+
+- if swapfile in swaplist \
+- and os.path.isfile(swapfile) \
+- and os.path.getsize(swapfile) == size:
+- logger.info("Swap already enabled")
++ if self.check_existing_swap_file(swapfile, swaplist, size):
+ return
+
+ if os.path.isfile(swapfile) and os.path.getsize(swapfile) != size:
+diff --git a/tests/distro/test_resourceDisk.py b/tests/distro/test_resourceDisk.py
+index 4c185ee..3259836 100644
+--- a/tests/distro/test_resourceDisk.py
++++ b/tests/distro/test_resourceDisk.py
+@@ -19,6 +19,7 @@
+ # http://msdn.microsoft.com/en-us/library/cc227259%28PROT.13%29.aspx
+
+ import sys
++import stat
+ from azurelinuxagent.common.utils import shellutil
+ from azurelinuxagent.daemon.resourcedisk import get_resourcedisk_handler
+ from tests.tools import *
+@@ -38,6 +39,10 @@ class TestResourceDisk(AgentTestCase):
+ # assert
+ assert os.path.exists(test_file)
+
++ # only the owner should have access
++ mode = os.stat(test_file).st_mode & (stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
++ assert mode == stat.S_IRUSR | stat.S_IWUSR
++
+ # cleanup
+ os.remove(test_file)
+
+@@ -83,6 +88,32 @@ class TestResourceDisk(AgentTestCase):
+ assert run_patch.call_count == 1
+ assert "dd if" in run_patch.call_args_list[0][0][0]
+
++ def test_check_existing_swap_file(self):
++ test_file = os.path.join(self.tmp_dir, 'test_swap_file')
++ file_size = 1024 * 128
++ if os.path.exists(test_file):
++ os.remove(test_file)
++
++ with open(test_file, "wb") as file:
++ file.write(bytes(file_size))
++
++ os.chmod(test_file, stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6677
++
++ def swap_on(_): # mimic the output of "swapon -s"
++ return [
++ "Filename Type Size Used Priority",
++ "{0} partition 16498684 0 -2".format(test_file)
++ ]
++
++ with patch.object(shellutil, "run_get_output", side_effect=swap_on):
++ get_resourcedisk_handler().check_existing_swap_file(test_file, test_file, file_size)
++
++ # it should remove access from group, others
++ mode = os.stat(test_file).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IRWXU | stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO) # 0o6777
++ assert mode == stat.S_ISUID | stat.S_ISGID | stat.S_IRUSR | stat.S_IWUSR # 0o6600
++
++ os.remove(test_file)
++
+
+ if __name__ == '__main__':
+ unittest.main()
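Review bot: `test_check_existing_swap_file` never checks the return value, and the `patch.object(shellutil, "run_get_output", ...)` wrapper has no effect, because the helper as shown in this patch takes the swap list as an argument and does not call `run_get_output`. Assert the result directly with `assert get_resourcedisk_handler().check_existing_swap_file(test_file, test_file, file_size)` and drop the unused `swap_on` stub. A second case with a mismatching size, expecting False and an unchanged mode, would pin the other branch. The local name `file` shadows a builtin on Python 2; `f` would do.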
diff --git a/debian/patches/series b/debian/patches/series
index db11e62..a7d412a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ disable-bytecode-exthandler.patch
entry-points.patch
disable-auto-update.patch
ignore-tests.patch
+cve-2019-0804.patch
unblock waagent/2.2.34-3
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled