* [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584
@ 2025-11-11 8:41 Vijay Anusuri
2025-11-19 23:27 ` [meta-virtualization] " Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: Vijay Anusuri @ 2025-11-11 8:41 UTC (permalink / raw)
To: meta-virtualization; +Cc: Vijay Anusuri
Import patch from Debian to fix CVE-2024-11584
Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3
Upstream commit
https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../cloud-init/CVE-2024-11584.patch | 104 ++++++++++++++++++
recipes-extended/cloud-init/cloud-init_git.bb | 1 +
2 files changed, 105 insertions(+)
create mode 100644 recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
new file mode 100644
index 00000000..fa94ff53
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,104 @@
+From 8b45006c4765fd75f20ce244571b563dbc49d4f2 Mon Sep 17 00:00:00 2001
+From: James Falcon <therealfalcon@gmail.com>
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+
+Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
+Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
+CVE: CVE-2024-11584
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cloudinit/cmd/devel/logs.py | 4 +---
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket | 5 +++--
+ tools/cloud-init-hotplugd | 2 +-
+ tools/hook-hotplug | 2 +-
+ 5 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index 83f574c10..f59e8047c 100755
+--- a/cloudinit/cmd/devel/logs.py
++++ b/cloudinit/cmd/devel/logs.py
+@@ -139,9 +139,7 @@ def get_parser(parser=None):
+
+ def _copytree_rundir_ignore_files(curdir, files):
+ """Return a list of files to ignore for /run/cloud-init directory"""
+- ignored_files = [
+- "hook-hotplug-cmd", # named pipe for hotplug
+- ]
++ ignored_files = []
+ if os.getuid() != 0:
+ # Ignore root-permissioned files
+ ignored_files.append(Paths({}).lookups["instance_data_sensitive"])
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index 0aeeeaff5..e3a5a74d9 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,5 +1,5 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+
+ # On start, read args from the FIFO, process and provide structured arguments
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index acf53f12c..00ad5dead 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,5 +1,5 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+@@ -7,7 +7,8 @@
+ Description=cloud-init hotplug hook socket
+
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+
+ [Install]
+ WantedBy=cloud-init.target
+diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd
+index 70977d48e..3d56fffa7 100755
+--- a/tools/cloud-init-hotplugd
++++ b/tools/cloud-init-hotplugd
+@@ -9,7 +9,7 @@
+ # upon a network device event). Anything received via the pipe is then
+ # passed on via the "cloud-init devel hotplug-hook handle" command.
+
+-PIPE="/run/cloud-init/hook-hotplug-cmd"
++PIPE="/run/cloud-init/share/hook-hotplug-cmd"
+
+ mkfifo -m700 $PIPE
+
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 3085ba86d..f7d530d1c 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+
+ if is_finished; then
+ # open cloud-init's hotplug-hook fifo rw
+- exec 3<>/run/cloud-init/hook-hotplug-cmd
++ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+ env_params=" \
+ --subsystem=${SUBSYSTEM} \
+ handle \
+--
+2.43.0
+
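Review bot: the embedded patch header spells "debain" in its Upstream-Status line (the cover letter above has "debian" correctly); worth fixing so the two tags match. A more substantive check before merging: the embedded diff relocates the FIFO to /run/cloud-init/share/hook-hotplug-cmd and sets SocketMode=0600, but nothing in it creates the share directory (mkfifo -m700 $PIPE in tools/cloud-init-hotplugd only creates the FIFO itself). The upstream commit message's "share directory is only readable by root" layer therefore depends on the pinned cloud-init version (v23.4.1+git per the recipe) already creating that directory with restrictive permissions; if it does not, systemd will create the missing parent for ListenFIFO= itself using DirectoryMode= (default 0755), so the FIFO would still be 0600 but the directory would not add the extra protection described. Suggest confirming that /run/cloud-init/share exists with root-only permissions on a scarthgap build before relying on that second layer.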
diff --git a/recipes-extended/cloud-init/cloud-init_git.bb b/recipes-extended/cloud-init/cloud-init_git.bb
index 4cf74efd..66462a51 100644
--- a/recipes-extended/cloud-init/cloud-init_git.bb
+++ b/recipes-extended/cloud-init/cloud-init_git.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=24.1.x;protocol=https \
file://cloud-init-source-local-lsb-functions.patch \
file://0001-setup.py-check-for-install-anywhere-in-args.patch \
file://CVE-2024-6174.patch \
+ file://CVE-2024-11584.patch \
"
PV = "v23.4.1+git"
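Review bot: the subject tag is spelled `[meta-vitualization]` (missing an `r`); worth correcting when applying so the thread is found under the layer's real name. The hunk itself is fine: the new `file://CVE-2024-11584.patch \` line follows the existing `file://CVE-2024-6174.patch \` pattern, and the embedded patch carries a `CVE: CVE-2024-11584` tag, so cve-check will account for the fix.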
--
2.43.0
* Re: [meta-virtualization] [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584
2025-11-11 8:41 [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584 Vijay Anusuri
@ 2025-11-19 23:27 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-11-19 23:27 UTC (permalink / raw)
To: vanusuri; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization] [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584
on 11/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote: