[PATCH 1/1] image-accounts: directly pass arguments to openssl instead of shell
8 views
Skip to first unread message
Felix Moessbauer
Jun 12, 2025, 11:56:37 AMJun 12
to isar-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer, Clara Kowalsky
When hashing the password, the whole openssl command was passed as a
shell string instead of directly passing the individual arguments as-is.
Further, the arguments were not shell escaped. By that, passwords
containing a string were split into two individual arguments, breaking
the command (or silently set a different password if the remainder
itself was a valid argument).
We fix this by passing the arguments as-is (as list) to bb.process.run.
Fixes: 6144daf9 ("image-account-extension: Avoid deprecated crypt...")
Reported-by: Clara Kowalsky <clara.k...@siemens.com>
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes/image-account-extension.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 3c461b1a..25288e76 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -133,7 +133,7 @@ def image_create_users(d: "DataSmart") -> None:
source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
command.append("-e")
salt = hashlib.sha256("{}\n".format(source_date_epoch).encode()).hexdigest()[0:15]
- password = bb.process.run('openssl passwd -6 --salt {} {}'.format(salt, password))[0].strip()
+ password = bb.process.run(['openssl', 'passwd', '-6', '--salt', salt, password])[0].strip()
else:
command.append("-e")
--
2.49.0
shell string instead of directly passing the individual arguments as-is.
Further, the arguments were not shell escaped. By that, passwords
containing a string were split into two individual arguments, breaking
the command (or silently set a different password if the remainder
itself was a valid argument).
We fix this by passing the arguments as-is (as list) to bb.process.run.
Fixes: 6144daf9 ("image-account-extension: Avoid deprecated crypt...")
Reported-by: Clara Kowalsky <clara.k...@siemens.com>
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes/image-account-extension.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 3c461b1a..25288e76 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -133,7 +133,7 @@ def image_create_users(d: "DataSmart") -> None:
source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
command.append("-e")
salt = hashlib.sha256("{}\n".format(source_date_epoch).encode()).hexdigest()[0:15]
- password = bb.process.run('openssl passwd -6 --salt {} {}'.format(salt, password))[0].strip()
+ password = bb.process.run(['openssl', 'passwd', '-6', '--salt', salt, password])[0].strip()
else:
command.append("-e")
--
2.49.0
Baurzhan Ismagulov
Aug 7, 2025, 9:47:29 AMAug 7
to isar-...@googlegroups.com
On 2025-06-12 17:56, 'Felix Moessbauer' via isar-users wrote:
> When hashing the password, the whole openssl command was passed as a
> shell string instead of directly passing the individual arguments as-is.
> Further, the arguments were not shell escaped. By that, passwords
> containing a string were split into two individual arguments, breaking
> the command (or silently set a different password if the remainder
> itself was a valid argument).
>
> We fix this by passing the arguments as-is (as list) to bb.process.run.
Applied to next, thanks.
> When hashing the password, the whole openssl command was passed as a
> shell string instead of directly passing the individual arguments as-is.
> Further, the arguments were not shell escaped. By that, passwords
> containing a string were split into two individual arguments, breaking
> the command (or silently set a different password if the remainder
> itself was a valid argument).
>
> We fix this by passing the arguments as-is (as list) to bb.process.run.
With kind regards,
Baurzhan
Reply all
Reply to author
Forward
0 new messages