summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVijay Anusuri <vanusuri@mvista.com>2025-11-13 19:56:17 +0530
committerBruce Ashfield <bruce.ashfield@gmail.com>2025-11-19 18:28:22 -0500
commit2cb05ca093c2c09bfab836e782c527f88a935a05 (patch)
tree7f469c19a0e4b5f58c9d528e17cc9a80ab4e6426
parent4da521b4440f57b10ba70091ee0e31b1085e665e (diff)
downloadmeta-virtualization-2cb05ca093c2c09bfab836e782c527f88a935a05.tar.gz
cloud-init: Fix CVE-2024-11584
import patch from debian to fix CVE-2024-11584 Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3 Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat
-rw-r--r--recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch95
-rw-r--r--recipes-extended/cloud-init/cloud-init_21.4.bb1
2 files changed, 96 insertions, 0 deletions
diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
new file mode 100644
index 00000000..aba34a0a
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,95 @@
1From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
2From: James Falcon <therealfalcon@gmail.com>
3Date: Wed, 11 Jun 2025 16:22:32 -0500
4Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
5
6The 'hook-hotplug-cmd' was writable by all users, allowing any user
7to trigger the hotplug hook script. This script should only be run
8by root via a udev trigger.
9
10Also move socket into 'share' directory and update references
11accordingly. Since the 'share' directory is only readable by root,
12this adds another layer of security while also being in a consistent
13location with the other sockets used by cloud-init.
14
15CVE-2024-11584
16
17Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
18Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
19CVE: CVE-2024-11584
20Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
21---
22 cloudinit/cmd/devel/logs.py | 4 +---
23 systemd/cloud-init-hotplugd.service | 5 +++--
24 systemd/cloud-init-hotplugd.socket | 8 +++++---
25 tools/hook-hotplug | 2 +-
26 4 files changed, 10 insertions(+), 9 deletions(-)
27
28diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
29index d54b809ac..0830610d4 100644
30--- a/cloudinit/cmd/devel/logs.py
31+++ b/cloudinit/cmd/devel/logs.py
32@@ -67,9 +67,7 @@ def get_parser(parser=None):
33
34 def _copytree_rundir_ignore_files(curdir, files):
35 """Return a list of files to ignore for /run/cloud-init directory"""
36- ignored_files = [
37- "hook-hotplug-cmd", # named pipe for hotplug
38- ]
39+ ignored_files = []
40 if os.getuid() != 0:
41 # Ignore root-permissioned files
42 ignored_files.append(INSTANCE_JSON_SENSITIVE_FILE)
43diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
44index b64632efe..65243ff16 100644
45--- a/systemd/cloud-init-hotplugd.service
46+++ b/systemd/cloud-init-hotplugd.service
47@@ -1,6 +1,7 @@
48 # Paired with cloud-init-hotplugd.socket to read from the FIFO
49-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
50-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
51+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
52+# udev network add or remove event as processed by
53+# 10-cloud-init-hook-hotplug.rules.
54
55 # On start, read args from the FIFO, process and provide structured arguments
56 # to `cloud-init devel hotplug-hook` which will setup or teardown network
57diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
58index aa0930163..db83a65b2 100644
59--- a/systemd/cloud-init-hotplugd.socket
60+++ b/systemd/cloud-init-hotplugd.socket
61@@ -1,13 +1,15 @@
62 # cloud-init-hotplugd.socket listens on the FIFO file
63-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
64-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
65+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
66+# udev network add or remove event as processed by
67+# 10-cloud-init-hook-hotplug.rules.
68
69 # Known bug with an enforcing SELinux policy: LP: #1936229
70 [Unit]
71 Description=cloud-init hotplug hook socket
72
73 [Socket]
74-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
75+ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
76+SocketMode=0600
77
78 [Install]
79 WantedBy=cloud-init.target
80diff --git a/tools/hook-hotplug b/tools/hook-hotplug
81index 35bd3da27..2a2ed4813 100755
82--- a/tools/hook-hotplug
83+++ b/tools/hook-hotplug
84@@ -10,7 +10,7 @@ is_finished() {
85
86 if is_finished; then
87 # open cloud-init's hotplug-hook fifo rw
88- exec 3<>/run/cloud-init/hook-hotplug-cmd
89+ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
90 env_params=(
91 --subsystem="${SUBSYSTEM}"
92 handle
93--
942.25.1
95
diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb
index 02a89a58..46c0d29a 100644
--- a/recipes-extended/cloud-init/cloud-init_21.4.bb
+++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
10 file://0001-setup.py-check-for-install-anywhere-in-args.patch \ 10 file://0001-setup.py-check-for-install-anywhere-in-args.patch \
11 file://0001-setup.py-respect-udevdir-variable.patch \ 11 file://0001-setup.py-respect-udevdir-variable.patch \
12 file://CVE-2024-6174.patch \ 12 file://CVE-2024-6174.patch \
13 file://CVE-2024-11584.patch \
13" 14"
14 15
15S = "${WORKDIR}/git" 16S = "${WORKDIR}/git"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-12-02 14:39:51 +0000