[AUTO-CHERRYPICK] [HIGH] Patch cloud-init for CVE-2024-6174 & [MEDIUM] CVE-2024-11584 - branch 3.0-dev (microsoft#14287)

Co-authored-by: Archana Shettigar <[email protected]>
Co-authored-by: jslobodzian <[email protected]>
Co-authored-by: aaruag <[email protected]>

Author: 4 people

SPECS/cloud-init/CVE-2024-11584.patch

@@ -0,0 +1,88 @@
+From ff05ded14b0555e8e7bc034bbe9c8fba35ed07bc Mon Sep 17 00:00:00 2001
+From: archana25-ms <[email protected]>
+Date: Fri, 27 Jun 2025 10:59:56 +0000
+Subject: [PATCH] Address CVE-2024-11584
+Upstream Patch Reference: https://github.com/canonical/cloud-init/pull/6265/commits/6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3
+
+---
+ cloudinit/cmd/devel/logs.py         | 2 +-
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket  | 5 +++--
+ tools/cloud-init-hotplugd           | 2 +-
+ tools/hook-hotplug                  | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index f18bfbe..45a300a 100755
+--- a/cloudinit/cmd/devel/logs.py
++++ b/cloudinit/cmd/devel/logs.py
+@@ -295,7 +295,7 @@ def _get_run_dir(run_dir: pathlib.Path) -> Iterator[pathlib.Path]:
+     Note that this only globs the top-level directory as there are currently
+     no relevant files within subdirectories.
+     """
+-    return (p for p in run_dir.glob("*") if p.name != "hook-hotplug-cmd")
++    return run_dir.glob("*")
+ 
+ 
+ def _collect_logs_into_tmp_dir(
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index 2e552a0..5f4c8e8 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,5 +1,5 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index 8300e71..8d6d07c 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,5 +1,5 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+@@ -11,7 +11,8 @@ ConditionKernelCommandLine=!cloud-init=disabled
+ ConditionEnvironment=!KERNEL_CMDLINE=cloud-init=disabled
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-config.target
+diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd
+index 70977d4..3d56fff 100755
+--- a/tools/cloud-init-hotplugd
++++ b/tools/cloud-init-hotplugd
+@@ -9,7 +9,7 @@
+ # upon a network device event). Anything received via the pipe is then
+ # passed on via the "cloud-init devel hotplug-hook handle" command.
+ 
+-PIPE="/run/cloud-init/hook-hotplug-cmd"
++PIPE="/run/cloud-init/share/hook-hotplug-cmd"
+ 
+ mkfifo -m700 $PIPE
+ 
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index e3cd2a1..7bd2830 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -4,7 +4,7 @@
+ # This script checks if cloud-init has hotplug hooked and if
+ # cloud-init is ready; if so invoke cloud-init hotplug-hook
+ 
+-fifo=/run/cloud-init/hook-hotplug-cmd
++fifo=/run/cloud-init/share/hook-hotplug-cmd
+ 
+ should_run() {
+     if [ -d /run/systemd ]; then
+-- 
+2.45.3
+

SPECS/cloud-init/CVE-2024-6174.patch

@@ -0,0 +1,146 @@
+From 161590728c951b933885ef40e664b9db9e585566 Mon Sep 17 00:00:00 2001
+From: archana25-ms <[email protected]>
+Date: Fri, 27 Jun 2025 10:54:59 +0000
+Subject: [PATCH] Address CVE-2024-6174
+Upstream Patch Reference: https://github.com/canonical/cloud-init/commit/8c3ae1bb9f1d80fbf217b41a222ee434e7f58900
+
+---
+ doc/rtd/reference/breaking_changes.rst | 48 ++++++++++++++++++++++++++
+ tests/unittests/test_ds_identify.py    | 13 ++++---
+ tools/ds-identify                      |  8 ++---
+ 3 files changed, 58 insertions(+), 11 deletions(-)
+
+diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst
+index 0eba443..6fab8e5 100644
+--- a/doc/rtd/reference/breaking_changes.rst
++++ b/doc/rtd/reference/breaking_changes.rst
+@@ -11,6 +11,54 @@ releases.
+     many operating system vendors patch out breaking changes in
+     cloud-init to ensure consistent behavior on their platform.
+ 
++24.3.1
++======
++
++Strict datasource identity before network
++-----------------------------------------
++Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86
++architectures where DMI may not be accessible.
++
++Datasource detection provided by ds-identify in cloud-init now requires strict
++identification based on DMI platform information, kernel command line or
++`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d.
++
++Prior to this change, ds-identify would allow non-x86 architectures without
++strict identifying platform information to run in a discovery mode which would
++attempt to reach out to well known static link-local IPs to attempt to
++retrieve configuration once system networking is up.
++
++To mitigate the potential of a bad-actor in a local network responding
++to such provisioning requests from cloud-init clients, ds-identify will no
++longer allow this late discovery mode for platforms unable to expose clear
++identifying characteristics of a known cloud-init datasource.
++
++The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for
++non-x86 architectures where DMI data is not exposed by the kernel.
++
++If your non-x86 architecture or images no longer detect the proper datasource,
++any of the following steps can ensure proper detection of cloud-init config:
++
++- Provide kernel commandline containing ``ds=<lowercase_datasource_name>``
++  which forces ds-identify to discover a specific datasource.
++- Image creators: provide a config file part such as
++  :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the
++  case-sensitive ``datasource_list: [ <datasource_name> ]`` to force cloud-init
++  to use a specific datasource without performing discovery.
++
++For example, to force OpenStack discovery in cloud-init any of the following
++approaches work:
++
++- OpenStack: `attach a ConfigDrive`_ as an alternative config source
++- Kernel command line containing ``ds=openstack``
++- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg`
++  containing:
++
++.. code-block:: yaml
++
++   datasource_list: [ OpenStack ]
++
++
+ 24.3
+ ====
+ 
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index d8f10c1..d2b0f87 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -208,9 +208,9 @@ system_info:
+ """
+ 
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+ 
+@@ -937,7 +937,7 @@ class TestDsIdentify(DsIdentifyBase):
+         self._test_ds_found("OpenStack-AssetTag-Compute")
+ 
+     def test_openstack_on_non_intel_is_maybe(self):
+-        """On non-Intel, openstack without dmi info is maybe.
++        """On non-Intel, openstack without dmi info is none.
+ 
+         nova does not identify itself on platforms other than intel.
+         https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
+@@ -957,10 +957,9 @@ class TestDsIdentify(DsIdentifyBase):
+ 
+         # updating the uname to ppc64 though should get a maybe.
+         data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+-        (_, _, err, _, _) = self._check_via_dict(
+-            data, RC_FOUND, dslist=["OpenStack", "None"]
+-        )
++        (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+         self.assertIn("check for 'OpenStack' returned maybe", err)
++        self.assertIn("No ds found", err)
+ 
+     def test_default_ovf_is_found(self):
+         """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 606be9c..bfc8db4 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -14,7 +14,7 @@
+ #   The format is:
+ #        <mode>,found=value,maybe=value,notfound=value
+ #   default setting is:
+-#     search,found=all,maybe=all,notfound=disabled
++#     search,found=all,maybe=none,notfound=disabled
+ #
+ #   kernel command line option: ci.di.policy=<policy>
+ #   example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ #         first: use the first found do no further checking
+ #         all: enable all DS_FOUND
+ #
+-#      maybe: (default=all)
++#      maybe: (default=none)
+ #       if nothing returned 'found', then how to handle maybe.
+ #       no network sources are allowed to return 'maybe'.
+ #         all: enable all DS_MAYBE
+@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+-- 
+2.45.3
+

SPECS/cloud-init/cloud-init.spec

@@ -1,7 +1,7 @@
 Summary:        Cloud instance init scripts
 Name:           cloud-init
 Version:        24.3.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -11,6 +11,8 @@ Source0:        https://github.com/canonical/%{name}/archive/refs/tags/%{version
 Source1:        10-azure-kvp.cfg
 Patch0:         Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
 Patch1:         no-single-process.patch
+Patch2:         CVE-2024-6174.patch
+Patch3:         CVE-2024-11584.patch
 %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service
 BuildRequires:  automake
 BuildRequires:  dbus
@@ -142,6 +144,9 @@ make check %{?_smp_mflags}
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
 
 %changelog
+* Fri Jun 27 2025 Archana Shettigar <[email protected]> - 24.3.1-2
+- Patch CVE-2024-6174 & CVE-2024-11584
+
 * Tue Oct 01 2024 Minghe Ren <[email protected]> - 24.3.1-1
 - Upgrade cloud-init to 24.3.1 to support azure-proxy-agent
 - Add upstream patch no-single-process.patch to revert a behavior change on cloud-init systemd