cc_set_passwords is too short for RANDOM

Bug #1860795 reported by Dimitri John Ledkov on 2020-01-24
Affects: cloud-init (Ubuntu)

Bug Description

from string import ascii_letters, digits
from cloudinit import util

# letters and digits minus the easily confused characters 'loLOI01'
PW_SET = (''.join([x for x in ascii_letters + digits
                   if x not in 'loLOI01']))

def rand_user_password(pwlen=9):
    return util.rand_str(pwlen, select_from=PW_SET)

len(PW_SET) is 55

log_2(55^20) is 115 bits, which is above 112, which matches the default OpenSSL SECLEVEL=2 setting in focal fossa.

Please bump PW_SET to 20, as 9 is crackable (provides 52 bits of security which is less than SECLEVEL 0).

As I'm about to use this on a mainframe, which by definition can crack that.

Dan Watkins (oddbloke) wrote :
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
Seth Arnold (seth-arnold) wrote :

Hello, did I read this correctly, that Python's random.choice() is used for these passwords?

"However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes."

Changed in cloud-init (Ubuntu):
status: Fix Committed → In Progress
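Added example (my own code, not cloud-init's): it recomputes the entropy figures from the bug description with the same 55-symbol alphabet and replaces random.choice() with the secrets module that Seth's comment points at. The helper names password_entropy_bits and meets_security_level are mine.

```python
import math
import secrets
from string import ascii_letters, digits

# Same alphabet cc_set_passwords builds: letters and digits minus the
# visually ambiguous characters 'loLOI01', leaving 55 symbols.
PW_SET = ''.join(c for c in ascii_letters + digits if c not in 'loLOI01')


def password_entropy_bits(pwlen: int, alphabet: str = PW_SET) -> float:
    """Bits of entropy of a uniformly random password: log2(|alphabet| ** pwlen)."""
    return pwlen * math.log2(len(alphabet))


def meets_security_level(pwlen: int, min_bits: int = 112,
                         alphabet: str = PW_SET) -> bool:
    """True when a pwlen-character password reaches min_bits (SECLEVEL 2 is 112)."""
    return password_entropy_bits(pwlen, alphabet) >= min_bits


def rand_user_password(pwlen: int = 20, select_from: str = PW_SET) -> str:
    """Generate a password from the OS CSPRNG.

    Hypothetical replacement for the page's rand_user_password(): secrets.choice()
    draws from os.urandom, unlike the deterministic Mersenne Twister behind
    random.choice() that the Python docs call unsuitable for cryptographic use.
    """
    return ''.join(secrets.choice(select_from) for _ in range(pwlen))


if __name__ == "__main__":
    for n in (9, 20):
        print(n, int(password_entropy_bits(n)), meets_security_level(n))
    print(rand_user_password())
```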
Ryan Harper (raharper) wrote :

Please open a separate bug for the random.choice() discussion.

Changed in cloud-init (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 19.4-56-g06e324ff-0ubuntu1

cloud-init (19.4-56-g06e324ff-0ubuntu1) focal; urgency=medium

  * New upstream snapshot.
    - sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
      [Robert Schweikert] (LP: #1800854)
    - cloudinit: replace "from six import X" imports (except in (#183)
    - run-container: use 'test -n' instead of 'test ! -z' (#202)
      [Paride Legovini]
    - net/cmdline: correctly handle static ip= config (#201)
      [Dimitri John Ledkov] (LP: #1861412)
    - Replace mock library with unittest.mock (#186)
    - HACKING.rst: update CLA link (#199)
    - Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
      [Louis Bouchard]
    - cloudinit/cmd/devel/ add missing space (#191)
    - tools/run-container: drop support for python2 (#192) [Paride Legovini]
    - Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
    - Make the RPM build use Python 3 (#190) [Paride Legovini]
    - cc_set_password: increase random pwlength from 9 to 20 (#189)
      (LP: #1860795) (CVE-2020-8632)
    - .travis.yml: use correct Python version for xenial tests (#185)
    - cloudinit: remove ImportError handling for mock imports (#182)
    - Do not use fallocate in swap file creation on xfs. (#70)
      [Eduardo Otubo] (LP: #1781781)
    - .readthedocs.yaml: install cloud-init when building docs (#181)
      (LP: #1860450)
    - Introduce an RTD config file, and pin the Sphinx version to the RTD
      default (#180)
    - Drop most of the remaining use of six (#179)
    - Start removing dependency on six (#178)
    - Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
    - docs: add proposed SRU testing procedure (#167)
    - util: rename get_architecture to get_dpkg_architecture (#173)
    - Ensure util.get_architecture() runs only once (#172)

 -- Chad Smith <email address hidden> Wed, 05 Feb 2020 13:56:17 -0700

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released

This bug is believed to be fixed in cloud-init in version 20.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: New → Fix Released
This report contains Public Security information.