From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH] cloud-init: Fix CVE-2024-11584
Date: Wed, 19 Nov 2025 18:29:09 -0500
Message-ID: <aR5SxVG6P97W+3pD@gmail.com>
In-Reply-To: <20251113142617.2403672-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH] cloud-init: Fix CVE-2024-11584
on 13/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> import patch from debian to fix
> CVE-2024-11584
>
> Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3
> Upstream commit
> https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../cloud-init/CVE-2024-11584.patch | 95 +++++++++++++++++++
> .../cloud-init/cloud-init_21.4.bb | 1 +
> 2 files changed, 96 insertions(+)
> create mode 100644 recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
>
> diff --git a/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
> new file mode 100644
> index 00000000..aba34a0a
> --- /dev/null
> +++ b/recipes-extended/cloud-init/cloud-init/CVE-2024-11584.patch
> @@ -0,0 +1,95 @@
> +From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
> +From: James Falcon <therealfalcon@gmail.com>
> +Date: Wed, 11 Jun 2025 16:22:32 -0500
> +Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
> +
> +The 'hook-hotplug-cmd' was writable by all users, allowing any user
> +to trigger the hotplug hook script. This script should only be run
> +by root via a udev trigger.
> +
> +Also move socket into 'share' directory and update references
> +accordingly. Since the 'share' directory is only readable by root,
> +this adds another layer of security while also being in a consistent
> +location with the other sockets used by cloud-init.
> +
> +CVE-2024-11584
> +
> +Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3
> +Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]
> +CVE: CVE-2024-11584
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + cloudinit/cmd/devel/logs.py | 4 +---
> + systemd/cloud-init-hotplugd.service | 5 +++--
> + systemd/cloud-init-hotplugd.socket | 8 +++++---
> + tools/hook-hotplug | 2 +-
> + 4 files changed, 10 insertions(+), 9 deletions(-)
> +
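Review bot: the in-file header line 'Upstream-Status: Backport [import from debain 22.4.2-1+deb12u3' misspells 'debian'; fix the spelling in CVE-2024-11584.patch before it lands, since these tags get grepped. The 'From 4839736429e9057a309ccd835cb3159fb51b1353' line at the top of the file also differs from the commit id given on the 'Upstream commit' line (8b45006c...), so it would help to state which tree the format-patch header was generated from.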
> +diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
> +index d54b809ac..0830610d4 100644
> +--- a/cloudinit/cmd/devel/logs.py
> ++++ b/cloudinit/cmd/devel/logs.py
> +@@ -67,9 +67,7 @@ def get_parser(parser=None):
> +
> + def _copytree_rundir_ignore_files(curdir, files):
> + """Return a list of files to ignore for /run/cloud-init directory"""
> +- ignored_files = [
> +- "hook-hotplug-cmd", # named pipe for hotplug
> +- ]
> ++ ignored_files = []
> + if os.getuid() != 0:
> + # Ignore root-permissioned files
> + ignored_files.append(INSTANCE_JSON_SENSITIVE_FILE)
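Review bot: dropping "hook-hotplug-cmd" from ignored_files means nothing in this hunk excludes the FIFO at its new path /run/cloud-init/share/hook-hotplug-cmd (the path the socket and hook-hotplug hunks in this same patch switch to). For a non-root caller the root-only share/ directory is unreadable anyway, but when the log collector runs as root (the os.getuid() != 0 branch is skipped) the tree copy now reaches a named pipe, and shutil.copyfile refuses FIFOs with SpecialFileError. Please confirm the root path is handled (for example by ignoring the new name or the share/ directory), or keep an ignore entry for "hook-hotplug-cmd".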
> +diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
> +index b64632efe..65243ff16 100644
> +--- a/systemd/cloud-init-hotplugd.service
> ++++ b/systemd/cloud-init-hotplugd.service
> +@@ -1,6 +1,7 @@
> + # Paired with cloud-init-hotplugd.socket to read from the FIFO
> +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
> +-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
> ++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
> ++# udev network add or remove event as processed by
> ++# 10-cloud-init-hook-hotplug.rules.
> +
> + # On start, read args from the FIFO, process and provide structured arguments
> + # to `cloud-init devel hotplug-hook` which will setup or teardown network
> +diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
> +index aa0930163..db83a65b2 100644
> +--- a/systemd/cloud-init-hotplugd.socket
> ++++ b/systemd/cloud-init-hotplugd.socket
> +@@ -1,13 +1,15 @@
> + # cloud-init-hotplugd.socket listens on the FIFO file
> +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
> +-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
> ++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
> ++# udev network add or remove event as processed by
> ++# 10-cloud-init-hook-hotplug.rules.
> +
> + # Known bug with an enforcing SELinux policy: LP: #1936229
> + [Unit]
> + Description=cloud-init hotplug hook socket
> +
> + [Socket]
> +-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
> ++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
> ++SocketMode=0600
> +
> + [Install]
> + WantedBy=cloud-init.target
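Review bot: the description relies on /run/cloud-init/share being readable only by root, but no hunk in this patch creates that directory or sets its mode. If it does not already exist on the kirkstone (cloud-init 21.4) target when the socket unit starts, systemd will create the parent of the ListenFIFO path itself using DirectoryMode=, which defaults to 0755, so the "additional layer" collapses to SocketMode=0600 on the FIFO alone. Either confirm that 21.4 creates share/ with root-only permissions before cloud-init-hotplugd.socket is activated, or add `DirectoryMode=0700` next to `SocketMode=0600`.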
> +diff --git a/tools/hook-hotplug b/tools/hook-hotplug
> +index 35bd3da27..2a2ed4813 100755
> +--- a/tools/hook-hotplug
> ++++ b/tools/hook-hotplug
> +@@ -10,7 +10,7 @@ is_finished() {
> +
> + if is_finished; then
> + # open cloud-init's hotplug-hook fifo rw
> +- exec 3<>/run/cloud-init/hook-hotplug-cmd
> ++ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
> + env_params=(
> + --subsystem="${SUBSYSTEM}"
> + handle
> +--
> +2.25.1
> +
> diff --git a/recipes-extended/cloud-init/cloud-init_21.4.bb b/recipes-extended/cloud-init/cloud-init_21.4.bb
> index 02a89a58..46c0d29a 100644
> --- a/recipes-extended/cloud-init/cloud-init_21.4.bb
> +++ b/recipes-extended/cloud-init/cloud-init_21.4.bb
> @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/canonical/cloud-init;branch=main;protocol=https \
> file://0001-setup.py-check-for-install-anywhere-in-args.patch \
> file://0001-setup.py-respect-udevdir-variable.patch \
> file://CVE-2024-6174.patch \
> + file://CVE-2024-11584.patch \
> "
>
> S = "${WORKDIR}/git"
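Review bot: the patch is imported from the Debian 22.4.2 package but is being applied to cloud-init_21.4.bb; the hunk contexts (the _copytree_rundir_ignore_files body in cloudinit/cmd/devel/logs.py, the is_finished context in tools/hook-hotplug, and the comment blocks in the two systemd units) should be checked against the 21.4 tree, and it should be verified that 21.4 already provides the /run/cloud-init/share directory the patch moves the FIFO into. Recording in the recipe commit message that the patch was test-applied to 21.4 would make this clear.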
> --
> 2.25.1
>
>