From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization] [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584
Date: Wed, 19 Nov 2025 18:27:33 -0500 [thread overview]
Message-ID: <aR5SZfdYLYwGp+Jq@gmail.com> (raw)
In-Reply-To: <20251111084102.149727-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization] [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584
on 11/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> import patch from debian to fix
> CVE-2024-11584
>
> Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3
> Upstream commit
> https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../cloud-init/CVE-2024-11584.patch | 104 ++++++++++++++++++
> recipes-extended/cloud-init/cloud-init_git.bb | 1 +
> 2 files changed, 105 insertions(+)
> create mode 100644 recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
>
> diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
> new file mode 100644
> index 00000000..fa94ff53
> --- /dev/null
> +++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
> @@ -0,0 +1,104 @@
> +From 8b45006c4765fd75f20ce244571b563dbc49d4f2 Mon Sep 17 00:00:00 2001
> +From: James Falcon <therealfalcon@gmail.com>
> +Date: Wed, 11 Jun 2025 16:22:32 -0500
> +Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
> +
> +The 'hook-hotplug-cmd' was writable by all users, allowing any user
> +to trigger the hotplug hook script. This script should only be run
> +by root via a udev trigger.
> +
> +Also move socket into 'share' directory and update references
> +accordingly. Since the 'share' directory is only readable by root,
> +this adds another layer of security while also being in a consistent
> +location with the other sockets used by cloud-init.
> +
> +CVE-2024-11584
> +
> +Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
> +Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
> +CVE: CVE-2024-11584
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + cloudinit/cmd/devel/logs.py | 4 +---
> + systemd/cloud-init-hotplugd.service | 2 +-
> + systemd/cloud-init-hotplugd.socket | 5 +++--
> + tools/cloud-init-hotplugd | 2 +-
> + tools/hook-hotplug | 2 +-
> + 5 files changed, 7 insertions(+), 8 deletions(-)
> +
> +diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
> +index 83f574c10..f59e8047c 100755
> +--- a/cloudinit/cmd/devel/logs.py
> ++++ b/cloudinit/cmd/devel/logs.py
> +@@ -139,9 +139,7 @@ def get_parser(parser=None):
> +
> + def _copytree_rundir_ignore_files(curdir, files):
> + """Return a list of files to ignore for /run/cloud-init directory"""
> +- ignored_files = [
> +- "hook-hotplug-cmd", # named pipe for hotplug
> +- ]
> ++ ignored_files = []
> + if os.getuid() != 0:
> + # Ignore root-permissioned files
> + ignored_files.append(Paths({}).lookups["instance_data_sensitive"])
> +diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
> +index 0aeeeaff5..e3a5a74d9 100644
> +--- a/systemd/cloud-init-hotplugd.service
> ++++ b/systemd/cloud-init-hotplugd.service
> +@@ -1,5 +1,5 @@
> + # Paired with cloud-init-hotplugd.socket to read from the FIFO
> +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
> ++# hook-hotplug-cmd which is created during a udev network
> + # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
> +
> + # On start, read args from the FIFO, process and provide structured arguments
> +diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
> +index acf53f12c..00ad5dead 100644
> +--- a/systemd/cloud-init-hotplugd.socket
> ++++ b/systemd/cloud-init-hotplugd.socket
> +@@ -1,5 +1,5 @@
> + # cloud-init-hotplugd.socket listens on the FIFO file
> +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
> ++# hook-hotplug-cmd which is created during a udev network
> + # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
> +
> + # Known bug with an enforcing SELinux policy: LP: #1936229
> +@@ -7,7 +7,8 @@
> + Description=cloud-init hotplug hook socket
> +
> + [Socket]
> +-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
> ++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
> ++SocketMode=0600
> +
> + [Install]
> + WantedBy=cloud-init.target
> +diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd
> +index 70977d48e..3d56fffa7 100755
> +--- a/tools/cloud-init-hotplugd
> ++++ b/tools/cloud-init-hotplugd
> +@@ -9,7 +9,7 @@
> + # upon a network device event). Anything received via the pipe is then
> + # passed on via the "cloud-init devel hotplug-hook handle" command.
> +
> +-PIPE="/run/cloud-init/hook-hotplug-cmd"
> ++PIPE="/run/cloud-init/share/hook-hotplug-cmd"
> +
> + mkfifo -m700 $PIPE
> +
> +diff --git a/tools/hook-hotplug b/tools/hook-hotplug
> +index 3085ba86d..f7d530d1c 100755
> +--- a/tools/hook-hotplug
> ++++ b/tools/hook-hotplug
> +@@ -10,7 +10,7 @@ is_finished() {
> +
> + if is_finished; then
> + # open cloud-init's hotplug-hook fifo rw
> +- exec 3<>/run/cloud-init/hook-hotplug-cmd
> ++ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
> + env_params=" \
> + --subsystem=${SUBSYSTEM} \
> + handle \
> +--
> +2.43.0
> +
> diff --git a/recipes-extended/cloud-init/cloud-init_git.bb b/recipes-extended/cloud-init/cloud-init_git.bb
> index 4cf74efd..66462a51 100644
> --- a/recipes-extended/cloud-init/cloud-init_git.bb
> +++ b/recipes-extended/cloud-init/cloud-init_git.bb
> @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=24.1.x;protocol=https \
> file://cloud-init-source-local-lsb-functions.patch \
> file://0001-setup.py-check-for-install-anywhere-in-args.patch \
> file://CVE-2024-6174.patch \
> + file://CVE-2024-11584.patch \
> "
>
> PV = "v23.4.1+git"
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9438): https://lists.yoctoproject.org/g/meta-virtualization/message/9438
> Mute This Topic: https://lists.yoctoproject.org/mt/116235519/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
prev parent reply other threads:[~2025-11-19 23:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-11 8:41 [meta-vitualization][scarthgap][patch] cloud-init: Fix CVE-2024-11584 Vijay Anusuri
2025-11-19 23:27 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aR5SZfdYLYwGp+Jq@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=vanusuri@mvista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox