Bug 1152980 - VUL-0: WALinuxAgent: swap file created world readable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/244004/
Whiteboard: CVSSv3:SUSE:CVE-2019-0804:5.5:(AV:L/A...
Depends on:
Blocks:
Reported: 2019-10-04 04:41 UTC by Johannes Segitz
Modified: 2022-04-14 13:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2019-10-04 04:41:23 UTC
UBUNTU:CVE-2019-0804

An information disclosure vulnerability exists in the way Azure
WaLinuxAgent creates swap files on resource disks, aka 'Azure Linux Agent
Information Disclosure Vulnerability'.

This has already been handled in bsc#1127838, but only for python-azure-agent. This code is also present in WALinuxAgent, which we have on 11 and 12. I don't want to reopen the existing workflow, so I'm creating a new bug for this.

waagent:
        if not os.path.isfile(mountpoint + "/swapfile"):
            # dd creates the file under the agent's default umask, so the swap
            # file ends up world readable (typically 0644) before mkswap runs
            Run("dd if=/dev/zero of=" + mountpoint + "/swapfile bs=1024 count=" + str(sizeKB))
            Run("mkswap " + mountpoint + "/swapfile")

References:
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0804.html
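To show the defect next to its fix, here is an added example that is not waagent code and not part of the report: a pure-Python stand-in for the dd call above, which inherits the process umask, beside a version that creates the file 0600 with O_CREAT|O_EXCL and refuses to reuse a pre-existing file with a wider mode or a different owner. The mountpoint layout, the size and the demo() helper are my own assumptions.

```python
import os
import stat
import tempfile
SWAP_NAME = "swapfile"  # same file name the agent uses under the mountpoint

def create_swapfile_insecure(mountpoint, size_kb):
    # Reproduces the reported pattern: the file inherits the process umask
    # (commonly 022) and ends up 0644, readable by every local user.
    path = os.path.join(mountpoint, SWAP_NAME)
    if not os.path.isfile(path):
        with open(path, "wb") as f:       # stands in for dd if=/dev/zero of=...
            f.truncate(size_kb * 1024)    # zero-filled region, like dd
    return path

def create_swapfile_hardened(mountpoint, size_kb):
    # Explicit 0600 mode with O_CREAT|O_EXCL: owner-only from the instant the
    # file exists, so no other user can open it. A pre-existing file is reused
    # only if it is a regular file owned by us with no group/other bits.
    path = os.path.join(mountpoint, SWAP_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        st = os.lstat(path)
        if (not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) & 0o077
                or st.st_uid != os.geteuid()):
            raise PermissionError("refusing to use %s: unsafe mode or owner" % path)
        return path
    try:
        os.ftruncate(fd, size_kb * 1024)  # allocate the zero-filled region
    finally:
        os.close(fd)
    return path

def swapfile_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)  # permission bits only

def demo(size_kb=64):
    # Creates both variants under umask 022 and returns (insecure, hardened).
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            bad_dir, good_dir = os.path.join(tmp, "bad"), os.path.join(tmp, "good")
            for d in (bad_dir, good_dir):
                os.mkdir(d)
            insecure = swapfile_mode(create_swapfile_insecure(bad_dir, size_kb))
            hardened = swapfile_mode(create_swapfile_hardened(good_dir, size_kb))
            return insecure, hardened  # -> (0o644, 0o600)
    finally:
        os.umask(old_umask)
```

A quick check on an existing agent host is `stat -c '%a %U' /mnt/resource/swapfile` (path is the usual Azure resource-disk mountpoint, assumed here); anything other than 600 and root means the swap contents are exposed to other local users.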
Comment 2 Robert Schweikert 2020-06-16 11:49:24 UTC
WALinuxAgent was superseded by python-azure-agent in the SLE 12 code stream. The python-azure-agent package contains:

# Package renamed in SLE 12, do not remove Provides, Obsolete directives
# until after SLE 12 EOL
Provides:       WALinuxAgent = %{version}
Obsoletes:      WALinuxAgent < %{version}

In SLE 11 the package is, as in SLE 12 and SLE 15, in the Public Cloud module, and there is no LTSS for packages in the Public Cloud module in SLE 11.
Comment 3 Gabriele Sonnu 2022-04-14 13:45:41 UTC
Done.