2 files changed, 96 insertions, 0 deletions
diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
new file mode 100644
index 00000000..aba34a0a
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,95 @@
+From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
+From: James Falcon <therealfalcon@gmail.com>
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+CVE-2024-11584
+Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
+Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
+CVE: CVE-2024-11584
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cloudinit/cmd/devel/logs.py         | 4 +---
+ systemd/cloud-init-hotplugd.service | 5 +++--
+ systemd/cloud-init-hotplugd.socket  | 8 +++++---
+ tools/hook-hotplug                  | 2 +-
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index d54b809ac..0830610d4 100644
+--- a/cloudinit/cmd/devel/logs.py
+++ b/cloudinit/cmd/devel/logs.py
+@@ -67,9 +67,7 @@ def get_parser(parser=None):
+ 
+ def _copytree_rundir_ignore_files(curdir, files):
+     """Return a list of files to ignore for /run/cloud-init directory"""
+-    ignored_files = [
+-        "hook-hotplug-cmd",  # named pipe for hotplug
+-    ]
+    ignored_files = []
+     if os.getuid() != 0:
+         # Ignore root-permissioned files
+         ignored_files.append(INSTANCE_JSON_SENSITIVE_FILE)
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index b64632efe..65243ff16 100644
+--- a/systemd/cloud-init-hotplugd.service
+++ b/systemd/cloud-init-hotplugd.service
+@@ -1,6 +1,7 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
+# udev network add or remove event as processed by
+# 10-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+ # to `cloud-init devel hotplug-hook` which will setup or teardown network
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index aa0930163..db83a65b2 100644
+--- a/systemd/cloud-init-hotplugd.socket
+++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,13 +1,15 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
+# udev network add or remove event as processed by
+# 10-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+ [Unit]
+ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
+ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
+SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 35bd3da27..2a2ed4813 100755
+--- a/tools/hook-hotplug
+++ b/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+ 
+ if is_finished; then
+     # open cloud-init's hotplug-hook fifo rw
+-    exec 3<>/run/cloud-init/hook-hotplug-cmd
+    exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+     env_params=(
+         --subsystem="${SUBSYSTEM}"
+         handle
+-- 
+2.25.1
diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb
index 02a89a58..46c0d29a 100644
--- a/recipes-extended/cloud-init/cloud-init_21.4.bb
+++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
    file://0001-setup.py-check-for-install-anywhere-in-args.patch \
    file://0001-setup.py-respect-udevdir-variable.patch \
    file://CVE-2024-6174.patch \
+    file://CVE-2024-11584.patch \
 "
 S = "${WORKDIR}/git"

diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch new file mode 100644 index 00000000..aba34a0a --- /dev/null +++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,95 @@
		1	From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
		2	From: James Falcon <therealfalcon@gmail.com>
		3	Date: Wed, 11 Jun 2025 16:22:32 -0500
		4	Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
		5
		6	The 'hook-hotplug-cmd' was writable by all users, allowing any user
		7	to trigger the hotplug hook script. This script should only be run
		8	by root via a udev trigger.
		9
		10	Also move socket into 'share' directory and update references
		11	accordingly. Since the 'share' directory is only readable by root,
		12	this adds another layer of security while also being in a consistent
		13	location with the other sockets used by cloud-init.
		14
		15	CVE-2024-11584
		16
		17	Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
		18	Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
		19	CVE: CVE-2024-11584
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	cloudinit/cmd/devel/logs.py \| 4 +---
		23	systemd/cloud-init-hotplugd.service \| 5 +++--
		24	systemd/cloud-init-hotplugd.socket \| 8 +++++---
		25	tools/hook-hotplug \| 2 +-
		26	4 files changed, 10 insertions(+), 9 deletions(-)
		27
		28	diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
		29	index d54b809ac..0830610d4 100644
		30	--- a/cloudinit/cmd/devel/logs.py
		31	+++ b/cloudinit/cmd/devel/logs.py
		32	@@ -67,9 +67,7 @@ def get_parser(parser=None):
		33
		34	def _copytree_rundir_ignore_files(curdir, files):
		35	"""Return a list of files to ignore for /run/cloud-init directory"""
		36	- ignored_files = [
		37	- "hook-hotplug-cmd", # named pipe for hotplug
		38	- ]
		39	+ ignored_files = []
		40	if os.getuid() != 0:
		41	# Ignore root-permissioned files
		42	ignored_files.append(INSTANCE_JSON_SENSITIVE_FILE)
		43	diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
		44	index b64632efe..65243ff16 100644
		45	--- a/systemd/cloud-init-hotplugd.service
		46	+++ b/systemd/cloud-init-hotplugd.service
		47	@@ -1,6 +1,7 @@
		48	# Paired with cloud-init-hotplugd.socket to read from the FIFO
		49	-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
		50	-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
		51	+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
		52	+# udev network add or remove event as processed by
		53	+# 10-cloud-init-hook-hotplug.rules.
		54
		55	# On start, read args from the FIFO, process and provide structured arguments
		56	# to `cloud-init devel hotplug-hook` which will setup or teardown network
		57	diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
		58	index aa0930163..db83a65b2 100644
		59	--- a/systemd/cloud-init-hotplugd.socket
		60	+++ b/systemd/cloud-init-hotplugd.socket
		61	@@ -1,13 +1,15 @@
		62	# cloud-init-hotplugd.socket listens on the FIFO file
		63	-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
		64	-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
		65	+# /run/cloud-init/share/hook-hotplug-cmd which is created during a
		66	+# udev network add or remove event as processed by
		67	+# 10-cloud-init-hook-hotplug.rules.
		68
		69	# Known bug with an enforcing SELinux policy: LP: #1936229
		70	[Unit]
		71	Description=cloud-init hotplug hook socket
		72
		73	[Socket]
		74	-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
		75	+ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
		76	+SocketMode=0600
		77
		78	[Install]
		79	WantedBy=cloud-init.target
		80	diff --git a/tools/hook-hotplug b/tools/hook-hotplug
		81	index 35bd3da27..2a2ed4813 100755
		82	--- a/tools/hook-hotplug
		83	+++ b/tools/hook-hotplug
		84	@@ -10,7 +10,7 @@ is_finished() {
		85
		86	if is_finished; then
		87	# open cloud-init's hotplug-hook fifo rw
		88	- exec 3<>/run/cloud-init/hook-hotplug-cmd
		89	+ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
		90	env_params=(
		91	--subsystem="${SUBSYSTEM}"
		92	handle
		93	--
		94	2.25.1
		95


diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb index 02a89a58..46c0d29a 100644 --- a/recipes-extended/cloud-init/cloud-init_21.4.bb +++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
10	file://0001-setup.py-check-for-install-anywhere-in-args.patch \	10	file://0001-setup.py-check-for-install-anywhere-in-args.patch \
11	file://0001-setup.py-respect-udevdir-variable.patch \	11	file://0001-setup.py-respect-udevdir-variable.patch \
12	file://CVE-2024-6174.patch \	12	file://CVE-2024-6174.patch \
		13	file://CVE-2024-11584.patch \
13	"	14	"
14		15
15	S = "${WORKDIR}/git"	16	S = "${WORKDIR}/git"