Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: cloud-i...@packages.debian.org
Control: affects -1 + src:cloud-init
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

The cloud team would like to publish an update to cloud-init in the next
bookworm point release.  It is needed in order to address two CVEs that
aren't worth DSAs on their own.

These changes have been addressed in sid (and approved for trixie) in
version 25.1.4-1.

[ Impact ]

Bookworm users may be exposed to the following CVEs:

- CVE-2024-6174: When in an environment that doesn't expose cloud
  information via DMI table values, cloud-init grants root access to a
  hardcoded url with a local IP address. Cloud-init itself and common cloud
  environments include protections against abuse of this address, so the
  exposure primarily impacts VMs launched directly with e.g. qemu. (Bug
  #1108403)

- CVE-2024-11584: cloud-init includes the systemd socket unit
  cloud-init-hotplugd.socket with default SocketMode that grants 0666
  permissions, making it world-writable. This is used for the
  "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could
  trigger hotplug-hook commands. (Bug #1108402)
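The CVE-2024-11584 item above boils down to one configuration fact: a systemd socket unit that creates a FIFO with ListenFIFO= and omits SocketMode= gets systemd's documented default of 0666, so any local user can write into the pipe that feeds a root-run hook. The following is an added example (not cloud-init's or Debian's code) that parses a .socket unit and flags filesystem-backed Listen* paths whose effective SocketMode is world-writable; the two unit texts are constructed from the before/after state of cloud-init-hotplugd.socket shown in the debdiff, and the 0666 default is systemd's documented behaviour. The parser is a minimal hand-written one because systemd units may repeat keys, which configparser does not handle.

```python
"""Audit systemd .socket units for filesystem sockets/FIFOs that are world-writable."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented systemd default for SocketMode= when a unit omits it.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666

# Listen* directives whose absolute-path values create a node in the filesystem.
FS_LISTEN_KEYS = ("ListenFIFO", "ListenStream", "ListenDatagram",
                  "ListenSequentialPacket")


@dataclass
class Finding:
    key: str    # directive that creates the node, e.g. ListenFIFO
    path: str   # filesystem path of the socket or FIFO
    mode: int   # effective SocketMode (explicit value or systemd default)
    reason: str


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal systemd unit parser: {section: [(key, value), ...]}.

    Keeps repeated keys (systemd allows several Listen*= lines) and skips
    '#' and ';' comment lines, which configparser would not do correctly.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective_socket_mode(socket_section: List[Tuple[str, str]]) -> int:
    """Last SocketMode= wins, as in systemd; an absent key means the 0666 default."""
    mode = SYSTEMD_DEFAULT_SOCKET_MODE
    for key, value in socket_section:
        if key == "SocketMode":
            mode = int(value, 8)
    return mode


def audit_socket_unit(text: str) -> List[Finding]:
    """Return one Finding per filesystem-backed Listen* path that is world-writable."""
    socket_section = parse_unit(text).get("Socket", [])
    mode = effective_socket_mode(socket_section)
    findings: List[Finding] = []
    for key, value in socket_section:
        # ListenStream/ListenDatagram also take ports and IP addresses; only
        # absolute paths create nodes whose permissions SocketMode governs.
        if key in FS_LISTEN_KEYS and value.startswith("/") and mode & stat.S_IWOTH:
            findings.append(Finding(key, value, mode,
                                    f"mode {mode:04o} lets any local user write to {value}"))
    return findings


def live_fifo_mode(path: str) -> Optional[int]:
    """Permission bits of an existing FIFO on the running system, or None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return stat.S_IMODE(st.st_mode) if stat.S_ISFIFO(st.st_mode) else None


# Constructed unit texts mirroring the before/after state described in the report.
VULNERABLE_UNIT = """\
[Unit]
Description=cloud-init hotplug hook socket

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd

[Install]
WantedBy=cloud-init.target
"""

FIXED_UNIT = VULNERABLE_UNIT.replace(
    "ListenFIFO=/run/cloud-init/hook-hotplug-cmd",
    "ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd\nSocketMode=0600")

if __name__ == "__main__":
    for name, unit in (("vulnerable", VULNERABLE_UNIT), ("fixed", FIXED_UNIT)):
        print(name, audit_socket_unit(unit) or "no world-writable listeners")
```

Pointing `audit_socket_unit` at the unit files under /lib/systemd/system and /etc/systemd/system gives a quick inventory of sockets that rely on the 0666 default; `live_fifo_mode` confirms what the running system actually created, which is the check that matters after the package update has been installed.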

[ Tests ]

The changes are covered by upstream's test suite, and have been manually
validated on cloud VMs and local qemu VMs.

[ Risks ]

The fix for CVE-2024-6174 introduces a behavior change in certain rare
configurations involving architectures that don't expose VM details in DMI.
The primary risk is to riscv64 VMs, and since riscv64 isn't supported by
bookworm and is not widely deployed in cloud environments, we consider this
unlikely to impact users.
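The behaviour change described here comes from two default policy strings in ds-identify switching from maybe=all to maybe=none. To make the effect concrete, the following is an added example (not ds-identify's own code, which is a shell script) that parses the policy format from ds-identify's header comment, `<mode>,found=value,maybe=value,notfound=value`, and resolves a set of per-datasource check results under the old and the new defaults. The check results are constructed for a non-x86 KVM guest where the OpenStack check can only answer "maybe"; the trailing "None" fallback entry follows the dslist the upstream test in the patch expects. Modes other than `search`, and the exact meaning of notfound=enabled (modelled here as "cloud-init runs without a restricted datasource list"), are simplifications of my own.

```python
"""Model of the ds-identify policy string and how a 'maybe' result is resolved."""
from dataclasses import dataclass
from typing import Dict, List

FOUND, MAYBE, NOTFOUND = "found", "maybe", "notfound"

# Defaults before and after the CVE-2024-6174 change, as shown in the debdiff.
OLD_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
NEW_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
NEW_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"


@dataclass(frozen=True)
class Policy:
    mode: str       # search | enabled | disabled | report (only 'search' is modelled)
    found: str      # all | first
    maybe: str      # all | none
    notfound: str   # enabled | disabled

    @classmethod
    def parse(cls, text: str) -> "Policy":
        """Parse '<mode>,found=value,maybe=value,notfound=value' (ds-identify's format)."""
        mode, *pairs = [part.strip() for part in text.split(",")]
        kv: Dict[str, str] = dict(pair.split("=", 1) for pair in pairs)
        policy = cls(mode, kv.get("found", "all"), kv.get("maybe", "none"),
                     kv.get("notfound", "disabled"))
        if (policy.found not in ("all", "first") or policy.maybe not in ("all", "none")
                or policy.notfound not in ("enabled", "disabled")):
            raise ValueError(f"unrecognised policy: {text!r}")
        return policy


@dataclass
class Result:
    rc: str                      # "found" or "notfound"
    datasource_list: List[str]   # what cloud-init is restricted to (empty if unrestricted)
    enabled: bool                # whether cloud-init runs at all (assumed reading of notfound=)


def resolve(policy: Policy, checks: Dict[str, str]) -> Result:
    """Simplified model of how ds-identify combines per-datasource check results.

    'found' results always win. A 'maybe' result only counts when the policy
    says maybe=all; otherwise it is treated as nothing found and the notfound
    setting decides whether cloud-init stays enabled.
    """
    found = [ds for ds, r in checks.items() if r == FOUND]
    maybe = [ds for ds, r in checks.items() if r == MAYBE]
    if found:
        chosen = found[:1] if policy.found == "first" else found
        return Result(FOUND, chosen + ["None"], True)
    if maybe and policy.maybe == "all":
        return Result(FOUND, maybe + ["None"], True)
    return Result(NOTFOUND, [], policy.notfound == "enabled")


# Constructed check results for a KVM guest on a non-x86 architecture: Nova does
# not identify itself via DMI there, so the OpenStack check can only answer 'maybe'.
NON_X86_KVM_CHECKS = {"OpenStack": MAYBE, "Ec2": NOTFOUND, "NoCloud": NOTFOUND}


def compare_defaults(checks: Dict[str, str]) -> Dict[str, Result]:
    """Resolve the same check results under the old and the new default policy."""
    return {"old": resolve(Policy.parse(OLD_DEFAULT_POLICY), checks),
            "new": resolve(Policy.parse(NEW_DEFAULT_POLICY), checks)}


if __name__ == "__main__":
    for name, result in compare_defaults(NON_X86_KVM_CHECKS).items():
        print(f"{name} default: rc={result.rc} "
              f"datasource_list={result.datasource_list} enabled={result.enabled}")
```

Under the old default the "maybe" from OpenStack is enough to select that datasource, which is what led cloud-init to contact the link-local metadata address on hosts that merely looked like they might be Nova guests; under the new default the same result is ignored, and an operator who really is running non-x86 Nova has to provide a strict identifier (ConfigDrive, as the patch suggests) or set ci.di.policy explicitly.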

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru cloud-init-22.4.2/debian/changelog cloud-init-22.4.2/debian/changelog
--- cloud-init-22.4.2/debian/changelog  2024-09-17 11:08:48.000000000 -0400
+++ cloud-init-22.4.2/debian/changelog  2025-07-10 15:07:51.000000000 -0400
@@ -1,3 +1,11 @@
+cloud-init (22.4.2-1+deb12u3) bookworm; urgency=medium
+
+  * Import upstream fix for CVE-2024-6174 (Closes: #1108403)
+  * salsa-ci: build in bookworm
+  * Backport upstream fix for CVE-2024-11584 (Closes: #1108402)
+
+ -- Noah Meyerhans <no...@debian.org>  Thu, 10 Jul 2025 15:07:51 -0400
+
 cloud-init (22.4.2-1+deb12u2) bookworm; urgency=medium
 
   * networkd: Add support for multiple [Route] sections (Closes: #1052535)
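Review bot: the "Import upstream fix for CVE-2024-6174" entry should say that this is a behaviour change, not just a fix. The patch itself carries "BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround.", and the backport drops upstream's doc/rtd/reference/breaking_changes.rst part of that commit, so nothing shipped in the package tells a bookworm user about it. A sentence here, or a debian/NEWS entry, would close that gap.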
diff -Nru cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch 
cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch
--- cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch       1969-12-31 
19:00:00.000000000 -0500
+++ cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch       2025-07-10 
15:07:51.000000000 -0400
@@ -0,0 +1,93 @@
+From 6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3 Mon Sep 17 00:00:00 2001
+From: James Falcon <therealfal...@gmail.com>
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+
+[backported to 22.4.2 by no...@debian.org]
+
+---
+ cloudinit/cmd/devel/logs.py         | 2 +-
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket  | 5 +++--
+ tools/cloud-init-hotplugd           | 2 +-
+ tools/hook-hotplug                  | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+Origin: upstream, 
https://github.com/canonical/cloud-init/commit/6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3.patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108402
+Index: cloud-init/cloudinit/cmd/devel/logs.py
+===================================================================
+--- cloud-init.orig/cloudinit/cmd/devel/logs.py
++++ cloud-init/cloudinit/cmd/devel/logs.py
+@@ -132,9 +132,7 @@ def get_parser(parser=None):
+ 
+ def _copytree_rundir_ignore_files(curdir, files):
+     """Return a list of files to ignore for /run/cloud-init directory"""
+-    ignored_files = [
+-        "hook-hotplug-cmd",  # named pipe for hotplug
+-    ]
++    ignored_files = []
+     if os.getuid() != 0:
+         # Ignore root-permissioned files
+         ignored_files.append(Paths({}).lookups["instance_data_sensitive"])
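Review bot: emptying `ignored_files` means `_copytree_rundir_ignore_files` no longer skips the FIFO by name, while the rest of this patch only moves it to /run/cloud-init/share/hook-hotplug-cmd, still inside the /run/cloud-init tree this callback filters. Unless the share directory is excluded somewhere else in 22.4.2, collect-logs will try to copy a named pipe. Since the callback is invoked per directory with `(curdir, files)`, keeping `"hook-hotplug-cmd"` in the list would still match the FIFO at its new location and is the safer choice for the backport.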
+Index: cloud-init/systemd/cloud-init-hotplugd.service
+===================================================================
+--- cloud-init.orig/systemd/cloud-init-hotplugd.service
++++ cloud-init/systemd/cloud-init-hotplugd.service
+@@ -1,6 +1,7 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+ # to `cloud-init devel hotplug-hook` which will setup or teardown network
+Index: cloud-init/systemd/cloud-init-hotplugd.socket
+===================================================================
+--- cloud-init.orig/systemd/cloud-init-hotplugd.socket
++++ cloud-init/systemd/cloud-init-hotplugd.socket
+@@ -1,13 +1,15 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+ [Unit]
+ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
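Review bot: `SocketMode=0600` is the line that actually closes CVE-2024-11584. The "share directory is only readable by root" rationale in the commit message is not backed by anything in this backport: no hunk creates /run/cloud-init/share or sets its mode, and 22.4.2 has no other sockets living there, so the extra layer described upstream may not exist on bookworm. Worth confirming what creates that directory (and with which mode) before the socket unit starts, or noting in the [backported ...] line that the path move is for consistency with later upstream only.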
+Index: cloud-init/tools/hook-hotplug
+===================================================================
+--- cloud-init.orig/tools/hook-hotplug
++++ cloud-init/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+ 
+ if is_finished; then
+     # open cloud-init's hotplug-hook fifo rw
+-    exec 3<>/run/cloud-init/hook-hotplug-cmd
++    exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+     env_params=(
+         --subsystem="${SUBSYSTEM}"
+         handle
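Review bot: the diffstat at the top of the patch lists five files, but the backport carries hunks for four; nothing touches tools/cloud-init-hotplugd, which upstream also changed. If that script does not exist in 22.4.2 the omission is correct, and the diffstat should then be trimmed to match; if it does exist, it would still read the old /run/cloud-init/hook-hotplug-cmd path while the socket unit and hook-hotplug now use share/, and hotplug handling would silently stop working.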
diff -Nru cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch 
cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch
--- cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch        1969-12-31 
19:00:00.000000000 -0500
+++ cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch        2025-07-10 
15:07:51.000000000 -0400
@@ -0,0 +1,99 @@
+From: Brett Holman <brett.hol...@canonical.com>
+Date: Thu, 22 Aug 2024 16:54:53 -0600
+Subject: [PATCH] fix: Don't attempt to identify non-x86 OpenStack instances
+
+This causes cloud-init to attempt to reach out to the OpenStack Nova
+datasource in non-Nova deployments on non-x86 architectures.
+
+Change default policy of ds-identify to disallow discovery of datasources
+without strict identifiable artifacts in either kernel cmdline, DMI
+platform information or system configuration files. This prevents
+cloud-init from attempting to reach out to well-known hard-codded link-local
+IP addresses for configuration information unless the platform strictly
+identifies as a specific datasource.
+
+CVE-2024-6174
+LP: #2069607
+BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
+    may wish to use ConfigDrive as a workaround.
+---
+ doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++
+ tests/unittests/test_ds_identify.py    | 13 ++++---
+ tools/ds-identify                      |  8 ++---
+ 3 files changed, 59 insertions(+), 11 deletions(-)
+
+Origin: upstream, 
https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1.patch
+Bug: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108403
+Index: cloud-init/tests/unittests/test_ds_identify.py
+===================================================================
+--- cloud-init.orig/tests/unittests/test_ds_identify.py
++++ cloud-init/tests/unittests/test_ds_identify.py
+@@ -58,9 +58,9 @@ BLKID_UEFI_UBUNTU = [
+ 
+ 
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1";
+ 
+@@ -570,7 +570,7 @@ class TestDsIdentify(DsIdentifyBase):
+         self._test_ds_found("OpenStack-AssetTag-Compute")
+ 
+     def test_openstack_on_non_intel_is_maybe(self):
+-        """On non-Intel, openstack without dmi info is maybe.
++        """On non-Intel, openstack without dmi info is none.
+ 
+         nova does not identify itself on platforms other than intel.
+            https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova""";
+@@ -590,10 +590,9 @@ class TestDsIdentify(DsIdentifyBase):
+ 
+         # updating the uname to ppc64 though should get a maybe.
+         data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+-        (_, _, err, _, _) = self._check_via_dict(
+-            data, RC_FOUND, dslist=["OpenStack", "None"]
+-        )
++        (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+         self.assertIn("check for 'OpenStack' returned maybe", err)
++        self.assertIn("No ds found", err)
+ 
+     def test_default_ovf_is_found(self):
+         """OVF is identified found when ovf/ovf-env.xml seed file exists."""
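Review bot: the assertion now expects RC_NOT_FOUND and "No ds found", but the comment just above it still reads "updating the uname to ppc64 though should get a maybe.", and the method is still named test_openstack_on_non_intel_is_maybe even though its docstring was changed to "is none". Upstream's wording is being kept for diff fidelity, which is fine, but a reader of the Debian patch may take the stale comment as evidence that the new assertion is wrong; either update the comment here or mention in the patch header that test names and comments are upstream's.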
+Index: cloud-init/tools/ds-identify
+===================================================================
+--- cloud-init.orig/tools/ds-identify
++++ cloud-init/tools/ds-identify
+@@ -14,7 +14,7 @@
+ #   The format is:
+ #        <mode>,found=value,maybe=value,notfound=value
+ #   default setting is:
+-#     search,found=all,maybe=all,notfound=disabled
++#     search,found=all,maybe=none,notfound=disabled
+ #
+ #   kernel command line option: ci.di.policy=<policy>
+ #   example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ #         first: use the first found do no further checking
+ #         all: enable all DS_FOUND
+ #
+-#      maybe: (default=all)
++#      maybe: (default=none)
+ #       if nothing returned 'found', then how to handle maybe.
+ #       no network sources are allowed to return 'maybe'.
+ #         all: enable all DS_MAYBE
+@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
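Review bot: only maybe= changes in these two defaults; DI_DEFAULT_POLICY_NO_DMI still ends in notfound=${DI_ENABLED}, so a system without DMI where every check returns notfound ends up in a different state from the DMI case (notfound=${DI_DISABLED}). The [Risks] section names riscv64 as the configuration that changes behaviour, so the changelog or README.Debian should state which of the two defaults such systems hit and what notfound=enabled means for them; that is what an operator deciding whether to set ci.di.policy explicitly needs to know.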
diff -Nru cloud-init-22.4.2/debian/patches/series 
cloud-init-22.4.2/debian/patches/series
--- cloud-init-22.4.2/debian/patches/series     2024-09-17 11:08:48.000000000 
-0400
+++ cloud-init-22.4.2/debian/patches/series     2025-07-10 15:07:51.000000000 
-0400
@@ -4,3 +4,5 @@
 0012-Fix-message-when-a-local-is-missing.patch
 0001-config-Support-APT-automated-mirror-selection.patch
 networkd_Add_support_for_multiple_Route_sections.patch
+CVE-2024-6174.patch
+CVE-2024-11584.patch
diff -Nru cloud-init-22.4.2/debian/salsa-ci.yml 
cloud-init-22.4.2/debian/salsa-ci.yml
--- cloud-init-22.4.2/debian/salsa-ci.yml       2024-09-12 15:55:08.000000000 
-0400
+++ cloud-init-22.4.2/debian/salsa-ci.yml       2025-07-10 15:07:51.000000000 
-0400
@@ -4,3 +4,5 @@
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 reprotest:
   allow_failure: true
+variables:
+  RELEASE: 'bookworm'
