From 38b9d840a207d34078385faa868a5e83821d72d9 Mon Sep 17 00:00:00 2001
From: shaxiaoxiao
Date: Fri, 30 May 2025 10:22:05 +0800
Subject: [PATCH] Fix CVE-2023-1786
---
...-data-sensitive-and-remove-log-permi.patch | 143 ++++++++++++++++++
cloud-init.spec | 6 +-
2 files changed, 148 insertions(+), 1 deletion(-)
create mode 100644 0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
diff --git a/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch b/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
new file mode 100644
index 0000000..02079cb
--- /dev/null
+++ b/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
@@ -0,0 +1,143 @@
+From 42372a17d19fab9435cab2b87e5d370238dddb2d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=88=98=E5=90=91=E9=9B=A810206134?=
+
+Date: Tue, 27 May 2025 11:03:00 +0800
+Subject: [PATCH] Make user/vendor data sensitive and remove log permissions
+
+ANBZ:7595
+
+commit a378b7e4f47375458651c0972e7cd813f6fe0a6b upstream.
+
+fix CVE: CVE-2023-1786
+
+Because user data and vendor data may contain sensitive information,
+this commit ensures that any user data or vendor data written to
+instance-data.json gets redacted and is only available to root user.
+
+Also, modify the permissions of cloud-init.log to be 640, so that
+sensitive data leaked to the log isn't world readable.
+Additionally, remove the logging of user data and vendor data to
+cloud-init.log from the Vultr datasource.
+
+LP: #2013967
+CVE: CVE-2023-1786
+
+Signed-off-by: James Falcon
+Fixes: CVE-2023-1786
+---
+ cloudinit/sources/__init__.py | 30 +++++++++++++++++++++++++---
+ cloudinit/sources/tests/test_init.py | 19 ++++++++++++++++--
+ cloudinit/stages.py | 4 +++-
+ 3 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
+index e6966b3..f484a69 100644
+--- a/cloudinit/sources/__init__.py
++++ b/cloudinit/sources/__init__.py
+@@ -91,7 +91,10 @@ def process_instance_metadata(metadata, key_path='', sensitive_keys=()):
+ sub_key_path = key_path + '/' + key
+ else:
+ sub_key_path = key
+- if key in sensitive_keys or sub_key_path in sensitive_keys:
++ if (
++ key.lower() in sensitive_keys
++ or sub_key_path.lower() in sensitive_keys
++ ):
+ md_copy['sensitive_keys'].append(sub_key_path)
+ if isinstance(val, str) and val.startswith('ci-b64:'):
+ md_copy['base64_encoded_keys'].append(sub_key_path)
+@@ -112,6 +115,12 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
+
+ Replace any keys values listed in 'sensitive_keys' with redact_value.
+ """
++ # While 'sensitive_keys' should already sanitized to only include what
++ # is in metadata, it is possible keys will overlap. For example, if
++ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that
++ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata"
++ # no longer represents a valid key.
++ # Thus, we still need to do membership checks in this function.
+ if not metadata.get('sensitive_keys', []):
+ return metadata
+ md_copy = copy.deepcopy(metadata)
+@@ -119,7 +128,11 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
+ path_parts = key_path.split('/')
+ obj = md_copy
+ for path in path_parts:
+- if isinstance(obj[path], dict) and path != path_parts[-1]:
++ if (
++ path in obj
++ and isinstance(obj[path], dict)
++ and path != path_parts[-1]
++ ):
+ obj = obj[path]
+ obj[path] = redact_value
+ return md_copy
+@@ -179,7 +192,18 @@ class DataSource(object):
+
+ # N-tuple of keypaths or keynames redact from instance-data.json for
+ # non-root users
+- sensitive_metadata_keys = ('security-credentials',)
++ sensitive_metadata_keys = (
++ "merged_cfg",
++ "security-credentials",
++ "userdata",
++ "user-data",
++ "user_data",
++ "vendordata",
++ "vendor-data",
++ # Provide ds/vendor_data to avoid redacting top-level
++ # "vendor_data": {enabled: True}
++ "ds/vendor_data",
++ )
+
+ def __init__(self, sys_cfg, distro, paths, ud_proc=None):
+ self.sys_cfg = sys_cfg
+diff --git a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_init.py
+index 6378e98..d6ad335 100644
+--- a/cloudinit/sources/tests/test_init.py
++++ b/cloudinit/sources/tests/test_init.py
+@@ -329,9 +329,24 @@ class TestDataSource(CiTestCase):
+ 'local-hostname': 'test-subclass-hostname',
+ 'region': 'myregion',
+ 'some': {'security-credentials': {
+- 'cred1': 'sekret', 'cred2': 'othersekret'}}})
++ 'cred1': 'sekret', 'cred2': 'othersekret'
++ }
++ },
++ },
++ )
+ self.assertEqual(
+- ('security-credentials',), datasource.sensitive_metadata_keys)
++ (
++ "merged_cfg",
++ "security-credentials",
++ "userdata",
++ "user-data",
++ "user_data",
++ "vendordata",
++ "vendor-data",
++ "ds/vendor_data",
++ ),
++ datasource.sensitive_metadata_keys,
++ )
+ datasource.get_data()
+ json_file = self.tmp_path(INSTANCE_JSON_FILE, tmp)
+ sensitive_json_file = self.tmp_path(INSTANCE_JSON_SENSITIVE_FILE, tmp)
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index da7d349..9ab322a 100644
+--- a/cloudinit/stages.py
++++ b/cloudinit/stages.py
+@@ -149,7 +149,9 @@ class Init(object):
+ util.ensure_dirs(self._initial_subdirs())
+ log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+ if log_file:
+- util.ensure_file(log_file)
++ # At this point the log file should have already been created
++ # in the setupLogging function of log.py
++ util.ensure_file(log_file, mode=0o640)
+ perms = self.cfg.get('syslog_fix_perms')
+ if not perms:
+ perms = {}
+-- 
+2.27.0
+
diff --git a/cloud-init.spec b/cloud-init.spec
index dd12c1a..380bc8c 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -21,6 +21,7 @@ Source0: cloud-init-19.1.17.tgz
 Patch0: Enable-ipv6-network-by-default.patch
 Patch1001: 0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch
+Patch1002: 0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
 BuildArch: noarch
 BuildRoot: %{_tmppath}
@@ -176,6 +177,9 @@ fi
 /usr/lib/cloud-init/write-ssh-key-fingerprints
 %changelog
+* Thu May 27 2025 shaxiaoxiao - 19.1.17-5
+- Fix CVE-2023-1786
+
 * Mon Mar 11 2024 Bo Ren - 19.1.17-3
 - Rebuild with python3.11
-- 
Gitee
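Review bot: In the embedded `redact_sensitive_keys` hunk (`@@ -119,7 +128,11 @@`) the new `path in obj` guard lets the walk continue after an intermediate segment is missing, so the remaining segments are resolved against whatever `obj` currently is — for `merged_cfg/ds/userdata` after `merged_cfg` has already been replaced by a string, `ds` can match the top-level `ds` entry and `userdata` is then written there, planting a redaction marker in the wrong dict instead of the intended key. Nothing leaks, since the outcome is only extra redaction in the non-root copy, but the walk should stop as soon as an ancestor is absent or already redacted; the rewrite below does that with a for/else over the intermediate segments, and `redact_sensitive_keys` itself starts outside this inner hunk. Separately, the embedded commit message says logging of user/vendor data was removed from the Vultr datasource, yet the backported diffstat lists only `cloudinit/sources/__init__.py`, `cloudinit/sources/tests/test_init.py` and `cloudinit/stages.py` — either 19.1.17 has no Vultr datasource and that sentence should be dropped from the backport description, or that part of the upstream fix is still missing here. The `stages.py` hunk's comment asserts the log file was already created by `setupLogging` in `log.py`, which this backport does not touch; confirm that in 19.1.17 the logging handler really opens the file before this `ensure_file` call, because `mode=0o640` only narrows permissions from that point on and the file keeps whatever mode it was created with until then.
```python
        path_parts = key_path.split('/')
        obj = md_copy
        for path in path_parts[:-1]:
            # Stop when an ancestor is missing or has already been
            # redacted; otherwise the leaf would land in the wrong dict.
            if path not in obj or not isinstance(obj[path], dict):
                break
            obj = obj[path]
        else:
            obj[path_parts[-1]] = redact_value
    return md_copy
```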
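Review bot: The `%changelog` entry added in the last `cloud-init.spec` hunk is tagged `19.1.17-5` and dated `Thu May 27 2025`, but the first hunk only bumps `anolis_release` from 3 to 4, and 27 May 2025 is a Tuesday (the embedded patch's own header reads `Tue, 27 May 2025`), so rpmbuild will warn about a bogus date and the changelog version will not match the built release. Change the entry to `* Tue May 27 2025 shaxiaoxiao - 19.1.17-4` so it agrees with `anolis_release`. The `Patch1002:` hunk only declares the patch; the `%prep` section is outside this diff, so confirm it is actually applied there (via `%autosetup` or an explicit `%patch1002 -p1`), otherwise the CVE fix is shipped in the SRPM but never reaches the built package.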