* [meta-virtualization][kirkstone][PATCH] cloud-init: fix for CVE-2024-6174
@ 2025-08-20 8:21 Hitendra Prajapati
2025-09-04 1:11 ` Bruce Ashfield
From: Hitendra Prajapati @ 2025-08-20 8:21 UTC (permalink / raw)
To: meta-virtualization; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../cloud-init/cloud-init/CVE-2024-6174.patch | 103 ++++++++++++++++++
.../cloud-init/cloud-init_21.4.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 recipes-extended/cloud-init/cloud-init/CVE-2024-6174.patch
diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-6174.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-6174.patch
new file mode 100644
index 00000000..797155ce
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-6174.patch
@@ -0,0 +1,103 @@
+From f43937f0b462734eb9c76700491c18fe4133c8e1 Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Thu, 22 Aug 2024 16:54:53 -0600
+Subject: [PATCH] fix: Don't attempt to identify non-x86 OpenStack instances
+
+This causes cloud-init to attempt to reach out to the OpenStack Nova
+datasource in non-Nova deployments on non-x86 architectures.
+
+Change default policy of ds-identify to disallow discovery of datasources
+without strict identifiable artifacts in either kernel cmdline, DMI
+platform information or system configuration files. This prevents
+cloud-init from attempting to reach out to well-known hard-codded link-local
+IP addresses for configuration information unless the platform strictly
+identifies as a specific datasource.
+
+CVE-2024-6174
+LP: #2069607
+BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
+ may wish to use ConfigDrive as a workaround.
+
+CVE: CVE-2024-6174
+Upstream-Status: Backport [https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tests/unittests/test_ds_identify.py | 13 ++++++-------
+ tools/ds-identify | 8 ++++----
+ 2 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index f2d2b4949..aaa6999e1 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -57,9 +57,9 @@ BLKID_UEFI_UBUNTU = [
+
+
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+
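Review bot: POLICY_FOUND_OR_MAYBE now has exactly the same value as POLICY_FOUND_ONLY ("search,found=all,maybe=none,notfound=disabled"), so its name no longer describes it and any test that selects it to exercise the maybe=all path is now exercising the found-only path instead. Either leave it at maybe=all (it is an explicit policy under test, not the default being changed here) or drop it and use POLICY_FOUND_ONLY wherever it was referenced.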
+@@ -533,7 +533,7 @@ class TestDsIdentify(DsIdentifyBase):
+ self._test_ds_found("OpenStack-AssetTag-Compute")
+
+ def test_openstack_on_non_intel_is_maybe(self):
+- """On non-Intel, openstack without dmi info is maybe.
++ """On non-Intel, openstack without dmi info is none.
+
+ nova does not identify itself on platforms other than intel.
+ https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
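Review bot: the docstring now says "is none" but the method is still named test_openstack_on_non_intel_is_maybe, and "none" is a policy value rather than a check result. Rename the test to match the new RC_NOT_FOUND expectation (for example test_openstack_on_non_intel_is_not_found) and word the docstring as "is not found under the default policy", since the check itself still returns maybe.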
+@@ -553,10 +553,9 @@ class TestDsIdentify(DsIdentifyBase):
+
+ # updating the uname to ppc64 though should get a maybe.
+ data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+- (_, _, err, _, _) = self._check_via_dict(
+- data, RC_FOUND, dslist=["OpenStack", "None"]
+- )
++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
++ self.assertIn("No ds found", err)
+
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
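Review bot: the unchanged comment "updating the uname to ppc64 though should get a maybe." still states the pre-fix expectation, while the assertion right below it now expects RC_NOT_FOUND; reword it to say the OpenStack check still returns maybe but the default policy now discards it. Keeping both assertIn checks ("check for 'OpenStack' returned maybe" and "No ds found") is right, since together they pin the unchanged check result and the new policy outcome.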
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 30d4b0f65..4dd0b5fcf 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -14,7 +14,7 @@
+ # The format is:
+ # <mode>,found=value,maybe=value,notfound=value
+ # default setting is:
+-# search,found=all,maybe=all,notfound=disabled
++# search,found=all,maybe=none,notfound=disabled
+ #
+ # kernel command line option: ci.di.policy=<policy>
+ # example line in /etc/cloud/ds-identify.cfg:
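Review bot: the ci.di.policy= kernel command line option and /etc/cloud/ds-identify.cfg described here can put maybe=all back, which restores exactly the behaviour CVE-2024-6174 removes; the header should say so in one line, and point at the ConfigDrive workaround from the commit message as the safe alternative for non-x86 Nova guests, so that anyone who reaches for the override understands the trade-off.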
+@@ -40,7 +40,7 @@
+ # first: use the first found do no further checking
+ # all: enable all DS_FOUND
+ #
+-# maybe: (default=all)
++# maybe: (default=none)
+ # if nothing returned 'found', then how to handle maybe.
+ # no network sources are allowed to return 'maybe'.
+ # all: enable all DS_MAYBE
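Review bot: the unchanged context line "no network sources are allowed to return 'maybe'." contradicts the situation this patch fixes, since the unit test in the same series asserts that the OpenStack check (a network datasource) "returned maybe" on ppc64. Reword it to say that a maybe from a network source is ignored under the default policy, or drop it, so the comment matches the code it sits above.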
+@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
+
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+ DI_DMI_SYS_VENDOR=""
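Review bot: DI_DEFAULT_POLICY_NO_DMI still ends in notfound=${DI_ENABLED}, so on a system with no DMI data where every check returns not-found, cloud-init stays enabled with its full datasource list, which includes the network datasources. Is that intended, given the commit message says cloud-init should not reach out to link-local addresses unless the platform strictly identifies? If it is deliberate, the commit message or the header comment should state that the no-DMI case remains opt-out.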
+--
+2.50.1
+
diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb
index 5cb62272..02a89a58 100644
--- a/recipes-extended/cloud-init/cloud-init_21.4.bb
+++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
file://cloud-init-source-local-lsb-functions.patch \
file://0001-setup.py-check-for-install-anywhere-in-args.patch \
file://0001-setup.py-respect-udevdir-variable.patch \
+ file://CVE-2024-6174.patch \
"
S = "${WORKDIR}/git"
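Review bot: the recipe is cloud-init_21.4 while the backported commit is from August 2024, so please confirm the patch applied without fuzz on the 21.4 sources (the tests/unittests/test_ds_identify.py hunk at "@@ -553,10 +553,9 @@" and the tools/ds-identify hunk at "@@ -94,8 +94,8 @@" are where offsets are most likely to differ) and that ds-identify at 21.4 defines both DI_DEFAULT_POLICY and DI_DEFAULT_POLICY_NO_DMI. The "CVE: CVE-2024-6174" tag in the patch header is what cve-check keys on, so that side is in order.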
--
2.50.1
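The policy string this patch changes is documented only in the ds-identify header comments quoted above. What follows is an added example, not cloud-init's own code, that models how a `<mode>,found=value,maybe=value,notfound=value` policy is applied to per-datasource check results, so the effect of moving the default from maybe=all to maybe=none can be run against constructed inputs. It assumes that 'maybe' takes only all/none, that 'notfound=enabled' enables every datasource, that 'report' behaves like 'search', and that the NETWORK_DATASOURCES set and the PPC64_KVM_* result dictionaries are made up for illustration.

```python
"""Model of ds-identify policy evaluation (added example, not cloud-init code).

Policy format, as documented in the ds-identify header:
    <mode>,found=value,maybe=value,notfound=value

Assumptions beyond that header: 'maybe' accepts only all/none, 'notfound=enabled'
is modelled as enabling every datasource, 'report' is treated like 'search', and
NETWORK_DATASOURCES is a hand-picked set for illustration.
"""
import shlex
from typing import Dict, List, Set

# Per-datasource check outcomes, named as in ds-identify's output.
FOUND, MAYBE, NOT_FOUND = "found", "maybe", "not-found"

# Defaults before and after the fix (copied from the diff), plus the no-DMI
# default, which keeps notfound=enabled.
OLD_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
NEW_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
NEW_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"

# Datasources that fetch configuration from a link-local metadata endpoint over
# the network.  Assumed for the example; the real list lives in cloud-init.
NETWORK_DATASOURCES: Set[str] = {"OpenStack", "Ec2", "GCE"}

_MODES = {"search", "report", "enabled", "disabled"}
_ALLOWED = {"found": {"first", "all"},
            "maybe": {"all", "none"},
            "notfound": {"disabled", "enabled"}}


def parse_policy(policy: str) -> Dict[str, str]:
    """Split a policy string into its settings, rejecting unknown values."""
    mode, *settings = policy.split(",")
    if mode not in _MODES:
        raise ValueError(f"unknown mode {mode!r}")
    parsed = {"mode": mode, "found": "all", "maybe": "none", "notfound": "disabled"}
    for item in settings:
        key, sep, value = item.partition("=")
        if not sep or key not in _ALLOWED or value not in _ALLOWED[key]:
            raise ValueError(f"bad policy setting {item!r}")
        parsed[key] = value
    return parsed


def policy_from_cmdline(cmdline: str, default: str) -> str:
    """Return the ci.di.policy=<policy> value from a kernel cmdline, else default."""
    for arg in shlex.split(cmdline):
        key, sep, value = arg.partition("=")
        if sep and key == "ci.di.policy":
            return value
    return default


def select_datasources(policy: str, results: Dict[str, str]) -> List[str]:
    """Apply the policy to per-datasource check results.

    Returns the datasource names cloud-init would go on to use, in check
    order; an empty list means cloud-init is disabled.
    """
    p = parse_policy(policy)
    if p["mode"] == "disabled":
        return []
    if p["mode"] == "enabled":          # no searching: everything stays enabled
        return list(results)
    found = [ds for ds, r in results.items() if r == FOUND]
    maybe = [ds for ds, r in results.items() if r == MAYBE]
    if found:
        return found[:1] if p["found"] == "first" else found
    if maybe and p["maybe"] == "all":   # the pre-fix default took this branch
        return maybe
    # Nothing found, or maybes ignored (maybe=none): notfound decides.
    return list(results) if p["notfound"] == "enabled" else []


def network_probes(policy: str, results: Dict[str, str]) -> Set[str]:
    """Network datasources that would be contacted under this policy."""
    return set(select_datasources(policy, results)) & NETWORK_DATASOURCES


# Constructed inputs: a ppc64 KVM guest with no DMI identification, where the
# OpenStack check returns 'maybe' (the situation in the updated unit test).
PPC64_KVM_RESULTS = {"ConfigDrive": NOT_FOUND, "OpenStack": MAYBE, "Ec2": NOT_FOUND}
# The same guest booted with a ConfigDrive attached (the suggested workaround).
PPC64_KVM_CONFIGDRIVE = {"ConfigDrive": FOUND, "OpenStack": MAYBE, "Ec2": NOT_FOUND}

if __name__ == "__main__":
    for name, policy in [("old default", OLD_DEFAULT_POLICY),
                         ("new default", NEW_DEFAULT_POLICY),
                         ("new no-DMI default", NEW_DEFAULT_POLICY_NO_DMI)]:
        print(f"{name}: enabled={select_datasources(policy, PPC64_KVM_RESULTS)} "
              f"network probes={network_probes(policy, PPC64_KVM_RESULTS)}")
    print("workaround:", select_datasources(NEW_DEFAULT_POLICY, PPC64_KVM_CONFIGDRIVE))
```

Run stand-alone, the block shows the old default enabling OpenStack on the simulated ppc64 KVM guest from nothing more than a 'maybe' (and so a probe of the link-local metadata address), the new default disabling cloud-init instead, and ConfigDrive still being selected under the new default, which is the workaround the commit message suggests. The no-DMI line is the case the patch leaves alone: with notfound=enabled, everything is still turned on when no check identifies the platform.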
* Re: [meta-virtualization][kirkstone][PATCH] cloud-init: fix for CVE-2024-6174
2025-08-20 8:21 [meta-virtualization][kirkstone][PATCH] cloud-init: fix for CVE-2024-6174 Hitendra Prajapati
@ 2025-09-04 1:11 ` Bruce Ashfield
From: Bruce Ashfield @ 2025-09-04 1:11 UTC (permalink / raw)
To: hprajapati; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH] cloud-init: fix for CVE-2024-6174
on 20/08/2025 Hitendra Prajapati via lists.yoctoproject.org wrote: