cloud-init: Fix CVE-2024-11584

import patch from debian to fix
 CVE-2024-11584

Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3
Upstream commit
https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

2 files changed, 105 insertions, 0 deletions

diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
new file mode 100644
index 00000000..fa94ff53
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,104 @@
+From 8b45006c4765fd75f20ce244571b563dbc49d4f2 Mon Sep 17 00:00:00 2001
+From: James Falcon <therealfalcon@gmail.com>
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+
+Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
+Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
+CVE: CVE-2024-11584
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cloudinit/cmd/devel/logs.py         | 4 +---
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket  | 5 +++--
+ tools/cloud-init-hotplugd           | 2 +-
+ tools/hook-hotplug                  | 2 +-
+ 5 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index 83f574c10..f59e8047c 100755
+--- a/cloudinit/cmd/devel/logs.py
++++ b/cloudinit/cmd/devel/logs.py
+@@ -139,9 +139,7 @@ def get_parser(parser=None):
+ 
+ def _copytree_rundir_ignore_files(curdir, files):
+     """Return a list of files to ignore for /run/cloud-init directory"""
+-    ignored_files = [
+-        "hook-hotplug-cmd",  # named pipe for hotplug
+-    ]
++    ignored_files = []
+     if os.getuid() != 0:
+         # Ignore root-permissioned files
+         ignored_files.append(Paths({}).lookups["instance_data_sensitive"])
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index 0aeeeaff5..e3a5a74d9 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,5 +1,5 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index acf53f12c..00ad5dead 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,5 +1,5 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+@@ -7,7 +7,8 @@
+ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
+diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd
+index 70977d48e..3d56fffa7 100755
+--- a/tools/cloud-init-hotplugd
++++ b/tools/cloud-init-hotplugd
+@@ -9,7 +9,7 @@
+ # upon a network device event). Anything received via the pipe is then
+ # passed on via the "cloud-init devel hotplug-hook handle" command.
+ 
+-PIPE="/run/cloud-init/hook-hotplug-cmd"
++PIPE="/run/cloud-init/share/hook-hotplug-cmd"
+ 
+ mkfifo -m700 $PIPE
+ 
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 3085ba86d..f7d530d1c 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+ 
+ if is_finished; then
+     # open cloud-init's hotplug-hook fifo rw
+-    exec 3<>/run/cloud-init/hook-hotplug-cmd
++    exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+     env_params=" \
+         --subsystem=${SUBSYSTEM} \
+         handle \
+-- 
+2.43.0
+
diff --git a/recipes-extended/cloud-init/cloud-init_git.bb b/recipes-extended/cloud-init/cloud-init_git.bb
index 4cf74efd..66462a51 100644
--- a/recipes-extended/cloud-init/cloud-init_git.bb
+++ b/recipes-extended/cloud-init/cloud-init_git.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=24.1.x;protocol=https \
     file://cloud-init-source-local-lsb-functions.patch \
     file://0001-setup.py-check-for-install-anywhere-in-args.patch \
     file://CVE-2024-6174.patch \
+    file://CVE-2024-11584.patch \
 "
 
 PV = "v23.4.1+git"