* [meta-virtualization][kirkstone][PATCH] cloud-init: Fix CVE-2024-11584
@ 2025-11-13 14:26 vanusuri
  2025-11-19 23:29 ` Bruce Ashfield
From: vanusuri @ 2025-11-13 14:26 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Vijay Anusuri

From: Vijay Anusuri <vanusuri@mvista.com>

Import patch from Debian to fix CVE-2024-11584

Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3
Upstream commit
https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../cloud-init/CVE-2024-11584.patch           | 95 +++++++++++++++++++
 .../cloud-init/cloud-init_21.4.bb             |  1 +
 2 files changed, 96 insertions(+)
 create mode 100644 recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch

diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
new file mode 100644
index 00000000..aba34a0a
--- /dev/null
+++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
@@ -0,0 +1,95 @@
+From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
+From: James Falcon <therealfalcon@gmail.com>
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+
+Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
+Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
+CVE: CVE-2024-11584
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cloudinit/cmd/devel/logs.py         | 4 +---
+ systemd/cloud-init-hotplugd.service | 5 +++--
+ systemd/cloud-init-hotplugd.socket  | 8 +++++---
+ tools/hook-hotplug                  | 2 +-
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index d54b809ac..0830610d4 100644
+--- a/cloudinit/cmd/devel/logs.py
++++ b/cloudinit/cmd/devel/logs.py
+@@ -67,9 +67,7 @@ def get_parser(parser=None):
+ 
+ def _copytree_rundir_ignore_files(curdir, files):
+     """Return a list of files to ignore for /run/cloud-init directory"""
+-    ignored_files = [
+-        "hook-hotplug-cmd",  # named pipe for hotplug
+-    ]
++    ignored_files = []
+     if os.getuid() != 0:
+         # Ignore root-permissioned files
+         ignored_files.append(INSTANCE_JSON_SENSITIVE_FILE)
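Review bot: after this hunk `ignored_files` starts out empty, so `hook-hotplug-cmd` is no longer skipped by name when `/run/cloud-init` is copied for log collection; that is only safe if the new `share/` location is excluded elsewhere, since copying a named pipe with a tree copy can block on open. Please confirm `share/` is ignored in this 21.4 tree, or keep `"share/hook-hotplug-cmd"` in the list.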
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index b64632efe..65243ff16 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,6 +1,7 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+ # to `cloud-init devel hotplug-hook` which will setup or teardown network
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index aa0930163..db83a65b2 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,13 +1,15 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+ [Unit]
+ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
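Review bot: `SocketMode=0600` fixes the FIFO itself, but the unit sets no `DirectoryMode=`; if `/run/cloud-init/share` does not already exist on this version, systemd creates it with the default 0755, so the "share directory is only readable by root" layer claimed in the commit message would not hold. Consider adding `DirectoryMode=0700` next to `SocketMode=0600`, or verify which unit creates the directory in the 21.4 tree.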
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 35bd3da27..2a2ed4813 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+ 
+ if is_finished; then
+     # open cloud-init's hotplug-hook fifo rw
+-    exec 3<>/run/cloud-init/hook-hotplug-cmd
++    exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+     env_params=(
+         --subsystem="${SUBSYSTEM}"
+         handle
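Review bot: the `exec 3<>` on the new path has no existence check, so if the `share/` directory or the FIFO is missing the hook aborts at this line with no log message; a `[ -p /run/cloud-init/share/hook-hotplug-cmd ] ||` guard before the `exec` would make that failure visible. The path move is otherwise consistent with the `ListenFIFO=` change, and 0600 does not affect this script since udev runs it as root.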
+-- 
+2.25.1
+
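Review bot: typo in the embedded patch header, `+Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3` should read `Debian`; also the `CVE-2024-11584` line is left dangling on its own between the description and the tags, which is fine but worth folding into the `CVE:` tag to keep the header consistent with the other CVE patches in the recipe.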
diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb
index 02a89a58..46c0d29a 100644
--- a/recipes-extended/cloud-init/cloud-init_21.4.bb
+++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
     file://0001-setup.py-check-for-install-anywhere-in-args.patch \
     file://0001-setup.py-respect-udevdir-variable.patch \
     file://CVE-2024-6174.patch \
+    file://CVE-2024-11584.patch \
 "
 
 S = "${WORKDIR}/git"
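Review bot: the recipe is `cloud-init_21.4.bb` while the patch header states it was imported from Debian 22.4.2-1+deb12u3; please confirm the four hunks apply cleanly to the 21.4 source and that `/run/cloud-init/share` exists in that version, since every hunk relies on it. Listing the patch after `CVE-2024-6174.patch` is consistent with the existing ordering.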
-- 
2.25.1
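As an added verification helper, not part of the patch or of cloud-init itself: this shell function checks that a hotplug FIFO has the end state the fix describes (a FIFO, mode 0600, owned by the expected user, parent directory not world-accessible). The path and owner arguments are assumptions chosen to match the patched units.

```shell
# check_hotplug_fifo PATH [OWNER]
# Verifies the post-fix state of cloud-init's hotplug FIFO:
#   - PATH is a named pipe
#   - mode is exactly 0600 (matches SocketMode=0600 in the .socket unit)
#   - owned by OWNER (defaults to root, the udev hook's user)
#   - parent directory (the share/ dir) grants nothing to "other"
# Returns 0 when all checks pass, 1 otherwise. Uses GNU stat (Linux).
check_hotplug_fifo() {
    fifo=$1
    want_owner=${2:-root}
    if [ ! -p "$fifo" ]; then
        echo "FAIL: $fifo is not a FIFO" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$fifo") || return 1
    owner=$(stat -c '%U' "$fifo") || return 1
    parent=$(dirname "$fifo")
    dirmode=$(stat -c '%a' "$parent") || return 1
    status=0
    if [ "$mode" != "600" ]; then
        echo "FAIL: $fifo mode is $mode, expected 600" >&2
        status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $fifo owned by $owner, expected $want_owner" >&2
        status=1
    fi
    # The last octal digit is the "other" class; it must be 0 so that
    # unprivileged users cannot reach the FIFO through the directory.
    case "$dirmode" in
        *0) ;;
        *)  echo "FAIL: $parent mode $dirmode is world-accessible" >&2
            status=1 ;;
    esac
    return $status
}

# Example invocation against the path used by the patched units.
# check_hotplug_fifo /run/cloud-init/share/hook-hotplug-cmd root
```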


