diff --git a/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch b/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch deleted file mode 100644 index 3722a3b17208a3606d3ad955881cf873b83b12b2..0000000000000000000000000000000000000000 --- a/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 31eb954bf463f221e6c5ca234bd290b1441b90f8 Mon Sep 17 00:00:00 2001 -From: "jinkangkang.jkk" -Date: Wed, 23 Mar 2022 19:16:16 +0800 -Subject: [PATCH] Replace deprecated collections.Iterable with abc replacement - ---- - cloudinit/log.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/cloudinit/log.py b/cloudinit/log.py -index 5ae312b..82d4257 100644 ---- a/cloudinit/log.py -+++ b/cloudinit/log.py -@@ -12,7 +12,7 @@ import logging - import logging.config - import logging.handlers - --import collections -+import collections.abc - import os - import sys - -@@ -82,7 +82,7 @@ def setupLogging(cfg=None): - for a_cfg in cfg['log_cfgs']: - if isinstance(a_cfg, six.string_types): - log_cfgs.append(a_cfg) -- elif isinstance(a_cfg, (collections.Iterable)): -+ elif isinstance(a_cfg, (collections.abc.Iterable)): - cfg_str = [str(c) for c in a_cfg] - log_cfgs.append('\n'.join(cfg_str)) - else: --- -2.30.1 (Apple Git-130) \ No newline at end of file diff --git a/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch b/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch deleted file mode 100644 index 02079cb93bd8ca10c22c0ccdcc0604ea17cc8e23..0000000000000000000000000000000000000000 --- a/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From 42372a17d19fab9435cab2b87e5d370238dddb2d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=88=98=E5=90=91=E9=9B=A810206134?= - -Date: Tue, 27 May 2025 11:03:00 +0800 -Subject: [PATCH] Make user/vendor data sensitive and remove log permissions - -ANBZ:7595 - -commit a378b7e4f47375458651c0972e7cd813f6fe0a6b upstream. - -fix CVE: CVE-2023-1786 - -Because user data and vendor data may contain sensitive information, -this commit ensures that any user data or vendor data written to -instance-data.json gets redacted and is only available to root user. - -Also, modify the permissions of cloud-init.log to be 640, so that -sensitive data leaked to the log isn't world readable. -Additionally, remove the logging of user data and vendor data to -cloud-init.log from the Vultr datasource. - -LP: #2013967 -CVE: CVE-2023-1786 - -Signed-off-by: James Falcon -Fixes: CVE-2023-1786 ---- - cloudinit/sources/__init__.py | 30 +++++++++++++++++++++++++--- - cloudinit/sources/tests/test_init.py | 19 ++++++++++++++++-- - cloudinit/stages.py | 4 +++- - 3 files changed, 47 insertions(+), 6 deletions(-) - -diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py -index e6966b3..f484a69 100644 ---- a/cloudinit/sources/__init__.py -+++ b/cloudinit/sources/__init__.py -@@ -91,7 +91,10 @@ def process_instance_metadata(metadata, key_path='', sensitive_keys=()): - sub_key_path = key_path + '/' + key - else: - sub_key_path = key -- if key in sensitive_keys or sub_key_path in sensitive_keys: -+ if ( -+ key.lower() in sensitive_keys -+ or sub_key_path.lower() in sensitive_keys -+ ): - md_copy['sensitive_keys'].append(sub_key_path) - if isinstance(val, str) and val.startswith('ci-b64:'): - md_copy['base64_encoded_keys'].append(sub_key_path) -@@ -112,6 +115,12 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE): - - Replace any keys values listed in 'sensitive_keys' with redact_value. 
- """ -+ # While 'sensitive_keys' should already sanitized to only include what -+ # is in metadata, it is possible keys will overlap. For example, if -+ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that -+ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata" -+ # no longer represents a valid key. -+ # Thus, we still need to do membership checks in this function. - if not metadata.get('sensitive_keys', []): - return metadata - md_copy = copy.deepcopy(metadata) -@@ -119,7 +128,11 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE): - path_parts = key_path.split('/') - obj = md_copy - for path in path_parts: -- if isinstance(obj[path], dict) and path != path_parts[-1]: -+ if ( -+ path in obj -+ and isinstance(obj[path], dict) -+ and path != path_parts[-1] -+ ): - obj = obj[path] - obj[path] = redact_value - return md_copy -@@ -179,7 +192,18 @@ class DataSource(object): - - # N-tuple of keypaths or keynames redact from instance-data.json for - # non-root users -- sensitive_metadata_keys = ('security-credentials',) -+ sensitive_metadata_keys = ( -+ "merged_cfg", -+ "security-credentials", -+ "userdata", -+ "user-data", -+ "user_data", -+ "vendordata", -+ "vendor-data", -+ # Provide ds/vendor_data to avoid redacting top-level -+ # "vendor_data": {enabled: True} -+ "ds/vendor_data", -+ ) - - def __init__(self, sys_cfg, distro, paths, ud_proc=None): - self.sys_cfg = sys_cfg -diff --git a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_init.py -index 6378e98..d6ad335 100644 ---- a/cloudinit/sources/tests/test_init.py -+++ b/cloudinit/sources/tests/test_init.py -@@ -329,9 +329,24 @@ class TestDataSource(CiTestCase): - 'local-hostname': 'test-subclass-hostname', - 'region': 'myregion', - 'some': {'security-credentials': { -- 'cred1': 'sekret', 'cred2': 'othersekret'}}}) -+ 'cred1': 'sekret', 'cred2': 'othersekret' -+ } -+ }, -+ }, -+ ) - self.assertEqual( -- ('security-credentials',), 
datasource.sensitive_metadata_keys)
-+ (
-+ "merged_cfg",
-+ "security-credentials",
-+ "userdata",
-+ "user-data",
-+ "user_data",
-+ "vendordata",
-+ "vendor-data",
-+ "ds/vendor_data",
-+ ),
-+ datasource.sensitive_metadata_keys,
-+ )
- datasource.get_data()
- json_file = self.tmp_path(INSTANCE_JSON_FILE, tmp)
- sensitive_json_file = self.tmp_path(INSTANCE_JSON_SENSITIVE_FILE, tmp)
-diff --git a/cloudinit/stages.py b/cloudinit/stages.py
-index da7d349..9ab322a 100644
---- a/cloudinit/stages.py
-+++ b/cloudinit/stages.py
-@@ -149,7 +149,9 @@ class Init(object):
- util.ensure_dirs(self._initial_subdirs())
- log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
- if log_file:
-- util.ensure_file(log_file)
-+ # At this point the log file should have already been created
-+ # in the setupLogging function of log.py
-+ util.ensure_file(log_file, mode=0o640)
- perms = self.cfg.get('syslog_fix_perms')
- if not perms:
- perms = {}
---
-2.27.0
-
diff --git a/1000-support-anolis.patch b/1000-support-anolis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..271f77556a2e7f984e5982f42e71dd02f5b1d74d
--- /dev/null
+++ b/1000-support-anolis.patch
@@ -0,0 +1,24 @@
+From 8801f88fc472d828154f09786f8111872b622751 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Wed, 30 Jul 2025 17:15:04 +0800
+Subject: [PATCH 1/1] support anolis
+
+---
+ tools/render-cloudcfg | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/render-cloudcfg b/tools/render-cloudcfg
+index 6551875..dc20313 100755
+--- a/tools/render-cloudcfg
++++ b/tools/render-cloudcfg
+@@ -36,6 +36,7 @@ def main():
+ "ubuntu",
+ "unknown",
+ "virtuozzo",
++ "anolis",
+ ]
+ parser = argparse.ArgumentParser()
+ platform = util.system_info()
+--
+2.47.3
+
diff --git a/1001-fix-CVE-2024-6174.patch b/1001-fix-CVE-2024-6174.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc9a9434e7e8eb7e81e458cf215c0f0186155227
--- /dev/null
+++ b/1001-fix-CVE-2024-6174.patch
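Review bot: `"anolis"` is appended after `"virtuozzo"` in the variant list of render-cloudcfg's `main()`, while the visible context (`"ubuntu"`, `"unknown"`, `"virtuozzo"`) reads as an alphabetically sorted list; inserting it in sorted position keeps the list scannable and avoids a duplicate being added later at the "right" place. The list and `main()` both start outside the hunk. Whether the templates under config/ (cloud.cfg.tmpl and friends) carry a matching branch for the new variant is not visible here; without one, rendering for "anolis" takes whatever fallback branches those templates define, so that should be confirmed before relying on the distro-specific defaults.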
@@ -0,0 +1,85 @@
+From 79175ba008cbe90ae6e3443c0d6d54daed7ba2a6 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Wed, 30 Jul 2025 17:24:06 +0800
+Subject: [PATCH 1/1] fix CVE-2024-6174
+
+---
+ tests/unittests/test_ds_identify.py | 13 ++++++-------
+ tools/ds-identify | 8 ++++----
+ 2 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index cc75209..eaefcf7 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -58,9 +58,9 @@ BLKID_UEFI_UBUNTU = [
+ 
+ 
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+ 
+@@ -570,7 +570,7 @@ class TestDsIdentify(DsIdentifyBase):
+ self._test_ds_found("OpenStack-AssetTag-Compute")
+ 
+ def test_openstack_on_non_intel_is_maybe(self):
+- """On non-Intel, openstack without dmi info is maybe.
++ """On non-Intel, openstack without dmi info is none.
+ 
+ nova does not identify itself on platforms other than intel.
+ https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
+@@ -590,10 +590,9 @@ class TestDsIdentify(DsIdentifyBase):
+ 
+ # updating the uname to ppc64 though should get a maybe.
+ data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+- (_, _, err, _, _) = self._check_via_dict(
+- data, RC_FOUND, dslist=["OpenStack", "None"]
+- )
++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
++ self.assertIn("No ds found", err)
+ 
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 90c8dd7..9385019 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -14,7 +14,7 @@
+ # The format is:
+ # ,found=value,maybe=value,notfound=value
+ # default setting is:
+-# search,found=all,maybe=all,notfound=disabled
++# search,found=all,maybe=none,notfound=disabled
+ #
+ # kernel command line option: ci.di.policy=
+ # example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ # first: use the first found do no further checking
+ # all: enable all DS_FOUND
+ #
+-# maybe: (default=all)
++# maybe: (default=none)
+ # if nothing returned 'found', then how to handle maybe.
+ # no network sources are allowed to return 'maybe'.
+ # all: enable all DS_MAYBE
+@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+--
+2.47.3
+
diff --git a/1002-fix-CVE-2024-11584.patch b/1002-fix-CVE-2024-11584.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71073789a71584e6538987de69c53735fa4b1999
--- /dev/null
+++ b/1002-fix-CVE-2024-11584.patch
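Review bot: The test around the new expectation still describes the behaviour it no longer checks: `test_openstack_on_non_intel_is_maybe` now asserts `RC_NOT_FOUND` and `"No ds found"`, yet the method name and the unchanged context comment `# updating the uname to ppc64 though should get a maybe.` say the opposite, so rename it (e.g. `test_openstack_on_non_intel_is_not_found`) and change the comment to `# updating the uname to ppc64 still selects no datasource: a 'maybe' is not enough under maybe=none.` In the same file `POLICY_FOUND_OR_MAYBE` is now byte-identical to `POLICY_FOUND_ONLY`, so its name misleads; either drop it or point it at the one constant. On the ds-identify side the default `maybe=none` means a platform that only "maybe"-matches (the OpenStack-on-non-Intel case this test exercises) boots with no datasource unless `datasource_list` or a `policy:` is set explicitly, which is the intended hardening but deserves a line in the packaging changelog for operators of such platforms. The in-script comments in tools/ds-identify were updated consistently; if the repository's rtd docs state the default policy, they are not part of this backport.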
@@ -0,0 +1,59 @@
+From 38783e3f0669cf139c8bc7068d021fc7bdeb80e6 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Wed, 30 Jul 2025 18:30:30 +0800
+Subject: [PATCH 1/1] fix CVE-2024-11584
+
+---
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket | 5 +++--
+ tools/hook-hotplug | 2 +-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index 598c647..a6f41d1 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,5 +1,5 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index aa09301..80386ca 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,5 +1,5 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+@@ -7,7 +7,8 @@
+ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 35bd3da..2a2ed48 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+ 
+ if is_finished; then
+ # open cloud-init's hotplug-hook fifo rw
+- exec 3<>/run/cloud-init/hook-hotplug-cmd
++ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+ env_params=(
+ --subsystem="${SUBSYSTEM}"
+ handle
+--
+2.47.3
+
diff --git a/Enable-ipv6-network-by-default.patch b/Enable-ipv6-network-by-default.patch
deleted file mode 100644
index 432a1d788eb54404c6fdaa210bda0d5d0a860baa..0000000000000000000000000000000000000000
--- a/Enable-ipv6-network-by-default.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- cloud-init-19.1.14/config/cloud.cfg.tmpl 2021-12-14 11:10:30.000000000 +0800
-+++ cloud-init-19.1.14-edit/config/cloud.cfg.tmpl 2022-05-23 20:57:09.060790268 +0800
-@@ -22,7 +22,7 @@
-
- manage_etc_hosts: localhost
-
--{% if variant in ["sles","opensuse","aliyun"]%}
-+{% if variant in ["sles","opensuse"]%}
- network:
- config: disabled
- {% endif%}
diff --git a/cloud-init-19.1.17.tgz b/cloud-init-19.1.17.tgz
deleted file mode 100644
index efb9e6ca12bca791051bde7b988ec14bfd759f5b..0000000000000000000000000000000000000000
Binary files a/cloud-init-19.1.17.tgz and /dev/null differ
diff --git a/cloud-init-23.2.2.tar.gz b/cloud-init-23.2.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..1702d4e688bdb2b52c62c4d0ead3c576d7026688
Binary files /dev/null and b/cloud-init-23.2.2.tar.gz differ
diff --git a/cloud-init.spec b/cloud-init.spec
index bd9c63e91d1fb5f1dfb2e6efd7d2d9b9f33e0591..292abb32222711f9d462c703affe26950a09a701 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
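Review bot: `SocketMode=0600` tightens the FIFO itself, but nothing in the socket unit sets the mode of the new parent directory `/run/cloud-init/share`, which systemd creates on demand for `ListenFIFO=` using `DirectoryMode=` (default 0755); adding `DirectoryMode=0700` under `[Socket]` keeps the directory, not just the FIFO, out of reach of unprivileged users, and since udev runs `RUN+=` hooks as root the writer in tools/hook-hotplug is unaffected. The edited comments in both units now read `# hook-hotplug-cmd which is created during a udev network`, having lost the path without gaining anything; `# /run/cloud-init/share/hook-hotplug-cmd which is created during a udev network` keeps them accurate. The spec's Patch2 comment cites the upstream commit, so it is worth confirming that commit touched only these three files and that no companion change to the Python hotplug handler or the udev rule is missing from this backport.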
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 1
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -15,7 +15,7 @@
 # Or: http://www.rpm.org/max-rpm/ch-rpm-inside.html
 Name: cloud-init
-Version: 19.1.17
+Version: 23.2.2
 Release: %{anolis_release}%{?dist}
 Summary: Cloud instance init scripts
@@ -23,11 +23,13 @@
 Group: System Environment/Base
 License: Dual-licesed GPLv3 or Apache 2.0
 URL: http://launchpad.net/cloud-init
-Source0: cloud-init-19.1.17.tgz
+Source0: https://launchpad.net/cloud-init/trunk/%{version}/+download/%{name}-%{version}.tar.gz
-Patch0: Enable-ipv6-network-by-default.patch
-Patch1001: 0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch
-Patch1002: 0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
+Patch0: 1000-support-anolis.patch
+# https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1
+Patch1: 1001-fix-CVE-2024-6174.patch
+# https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353
+Patch2: 1002-fix-CVE-2024-11584.patch
 BuildArch: noarch
 BuildRoot: %{_tmppath}
@@ -92,7 +94,7 @@ need special scripts to run during initialization to retrieve and install
 ssh keys and to let the user run various scripts.
 %prep
-%autosetup -n cloud-init-19.1.17 -p1
+%autosetup -n cloud-init-23.2.2 -p1
 %build
 %{__python} setup.py build
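Review bot: The bump to 23.2.2 moves to a Python 3-only cloud-init, but the spec still drives the build with the unversioned `%{__python}` (context lines `%{__python} setup.py build` and the `%{!?python_sitelib ...}` fallback, whose `print get_python_lib()` is Python 2 syntax). Where `%{__python}` resolves to Python 2 the build fails or installs into the wrong site-packages, and on newer RPM the unversioned macro is deliberately undefined; use `%{__python3}` and `%{python3_sitelib}`, and if the fallback is kept make it `print(get_python_lib())` (noting `distutils` is removed from Python 3.12). The `BuildRequires`/`Requires` lines sit outside these hunks and need the same python2-to-python3 review.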
@@ -153,11 +155,13 @@ fi
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %files
-/lib/udev/rules.d/66-azure-ephemeral.rules
+/etc/cloud/clean.d/README
+/etc/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
+/usr/lib/udev/rules.d/66-azure-ephemeral.rules
+/usr/lib/cloud-init/hook-hotplug
+
 /usr/lib/systemd/system-generators/cloud-init-generator
 %{_unitdir}/cloud-*
-%{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
-%{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
 # Program binaries
 %{_bindir}/cloud-init*
 %{_bindir}/cloud-id*
@@ -183,6 +187,11 @@ fi
 %{file_patch}/write-ssh-key-fingerprints
 %changelog
+* Wed Jul 30 2025 mgb01105731 - 23.2.2-1
+- Update to 23.2.2 to fix CVE-2023-1786
+- Add patches to fix CVE-2024-6174 and CVE-2024-11584
+- Delete patches as The content already exists in the code
+
 * Thu May 27 2025 shaxiaoxiao - 19.1.17-5
 - Fix CVE-2023-1786
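Review bot: The `%files` hunk packages `/usr/lib/cloud-init/hook-hotplug` and the 1002 patch's unit comments depend on `10-cloud-init-hook-hotplug.rules`, yet the only udev rule listed is `/usr/lib/udev/rules.d/66-azure-ephemeral.rules`; if 23.2.2's setup.py installs the hotplug rule and it is not listed elsewhere in `%files`, rpmbuild stops on an unpackaged file or, with that check disabled, the hardened hotplug path ships without the trigger that invokes it. Add `/usr/lib/udev/rules.d/10-cloud-init-hook-hotplug.rules` (or a `%{_udevrulesdir}/*` glob) once the installed set is confirmed from the build log. The `%files` section starts before this hunk, so other udev entries may exist out of view; the changelog hunk that follows runs past the end of this excerpt.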