From 50800d1bb11ef8b9e981938fdea879d201d45098 Mon Sep 17 00:00:00 2001
From: xzf1234
Date: Wed, 26 Apr 2023 18:02:27 +0800
Subject: [PATCH] fix CVE-2022-2084

---
 backport-CVE-2022-2084.patch | 157 +++++++++++++++++++++++++++++++++++
 cloud-init.spec | 6 +-
 2 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2084.patch

diff --git a/backport-CVE-2022-2084.patch b/backport-CVE-2022-2084.patch
new file mode 100644
index 0000000..981eab4
--- /dev/null
+++ b/backport-CVE-2022-2084.patch
@@ -0,0 +1,157 @@ +From 2ad02b787cd0a348faeab488091d78d6e5ec3068 Mon Sep 17 00:00:00 2001 +From: xzf1234 +Date: Wed, 26 Apr 2023 17:53:52 +0800 +Subject: [PATCH] fix CVE-2022-2084 + +--- + cloud-init-22.2/cloudinit/cmd/main.py | 4 +++- + cloud-init-22.2/cloudinit/config/schema.py | 23 +++++++++++++------ + .../integration_tests/modules/test_cli.py | 20 +++++++++++----- + .../tests/unittests/config/test_schema.py | 23 ++++++++++++++++++- + 4 files changed, 55 insertions(+), 15 deletions(-) + +diff --git a//cloudinit/cmd/main.py b//cloudinit/cmd/main.py +index fcdaf72..bc7149d 100644 +--- a//cloudinit/cmd/main.py ++++ b//cloudinit/cmd/main.py +@@ -454,7 +454,9 @@ def main_init(name, args): + + # Validate user-data adheres to schema definition + if os.path.exists(init.paths.get_ipath_cur("userdata_raw")): +- validate_cloudconfig_schema(config=init.cfg, strict=False) ++ validate_cloudconfig_schema( ++ config=init.cfg, strict=False, log_details=False ++ ) + else: + LOG.debug("Skipping user-data validation. No user-data found.") + +diff --git a//cloudinit/config/schema.py b//cloudinit/config/schema.py +index 7a6ecf0..ab7b8a3 100644 +--- a//cloudinit/config/schema.py ++++ b//cloudinit/config/schema.py +@@ -196,6 +196,7 @@ def validate_cloudconfig_schema( + schema: dict = None, + strict: bool = False, + strict_metaschema: bool = False, ++ log_details: bool = True, + ): + """Validate provided config meets the schema definition. + +@@ -208,6 +209,9 @@ def validate_cloudconfig_schema( + logging warnings. + @param strict_metaschema: Boolean, when True validates schema using strict + metaschema definition at runtime (currently unused) ++ @param log_details: Boolean, when True logs details of validation errors. ++ If there are concerns about logging sensitive userdata, this should ++ be set to False. + + @raises: SchemaValidationError when provided config does not validate + against the provided schema. 
+@@ -231,13 +235,18 @@ def validate_cloudconfig_schema( + path = ".".join([str(p) for p in error.path]) + errors += ((path, error.message),) + if errors: +- if strict: +- raise SchemaValidationError(errors) +- else: +- messages = ["{0}: {1}".format(k, msg) for k, msg in errors] +- LOG.warning( +- "Invalid cloud-config provided:\n%s", "\n".join(messages) +- ) ++ if strict: ++ # This could output/log sensitive data ++ raise SchemaValidationError(errors) ++ if log_details: ++ messages = ["{0}: {1}".format(k, msg) for k, msg in errors] ++ details = "\n" + "\n".join(messages) ++ else: ++ details = ( ++ "Please run 'sudo cloud-init schema --system' to " ++ "see the schema errors." ++ ) ++ LOG.warning("Invalid cloud-config provided: %s", details) + + + def annotated_cloudconfig_file( +diff --git a//tests/integration_tests/modules/test_cli.py b//tests/integration_tests/modules/test_cli.py +index e878176..4b8f53a 100644 +--- a//tests/integration_tests/modules/test_cli.py ++++ b//tests/integration_tests/modules/test_cli.py +@@ -18,11 +18,18 @@ runcmd: + - echo 'hi' > /var/tmp/test + """ + ++# The '-' in 'hashed-password' fails schema validation + INVALID_USER_DATA_SCHEMA = """\ + #cloud-config +-updates: +- notnetwork: -1 +-apt_pipelining: bogus ++users: ++ - default ++ - name: newsuper ++ gecos: Big Stuff ++ groups: users, admin ++ sudo: ALL=(ALL) NOPASSWD:ALL ++ hashed-password: asdfasdf ++ shell: /bin/bash ++ lock_passwd: true + """ + + +@@ -69,11 +76,12 @@ def test_invalid_userdata_schema(client: IntegrationInstance): + assert result.ok + log = client.read_from_file("/var/log/cloud-init.log") + warning = ( +- "[WARNING]: Invalid cloud-config provided:\napt_pipelining: 'bogus'" +- " is not valid under any of the given schemas\nupdates: Additional" +- " properties are not allowed ('notnetwork' was unexpected)" ++ "[WARNING]: Invalid cloud-config provided: Please run " ++ "'sudo cloud-init schema --system' to see the schema errors." 
+ ) + assert warning in log ++ assert "asdfasdf" not in log ++ + result = client.execute("cloud-init status --long") + if not result.ok: + raise AssertionError( +diff --git a//tests/unittests/config/test_schema.py b//tests/unittests/config/test_schema.py +index c75b722..78dda67 100644 +--- a//tests/unittests/config/test_schema.py ++++ b//tests/unittests/config/test_schema.py +@@ -304,10 +304,31 @@ class TestValidateCloudConfigSchema: + assert "cloudinit.config.schema" == module + assert logging.WARNING == log_level + assert ( +- "Invalid cloud-config provided:\np1: -1 is not of type 'string'" ++ "Invalid cloud-config provided: \np1: -1 is not of type 'string'" + == log_msg + ) + ++ @skipUnlessJsonSchema() ++ def test_validateconfig_schema_sensitive(self, caplog): ++ """When log_details=False, ensure details are omitted""" ++ schema = { ++ "properties": {"hashed_password": {"type": "string"}}, ++ "additionalProperties": False, ++ } ++ validate_cloudconfig_schema( ++ {"hashed-password": "secret"}, ++ schema, ++ strict=False, ++ log_details=False, ++ ) ++ [(module, log_level, log_msg)] = caplog.record_tuples ++ assert "cloudinit.config.schema" == module ++ assert logging.WARNING == log_level ++ assert ( ++ "Invalid cloud-config provided: Please run 'sudo cloud-init " ++ "schema --system' to see the schema errors." == log_msg ++ ) ++ + @skipUnlessJsonSchema() + def test_validateconfig_schema_emits_warning_on_missing_jsonschema( + self, caplog +-- +2.33.1.windows.1 + diff --git a/cloud-init.spec b/cloud-init.spec index 5d87858..cd25883 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 22.2 -Release: 7 +Release: 8 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init 
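Review bot: The new `log_details` parameter added to `validate_cloudconfig_schema` in the schema.py hunk defaults to `True`, so any `strict=False` caller that is not explicitly updated keeps logging the raw offending values; only `main_init` is switched to `log_details=False` in the visible hunks, and a safer default would be `log_details: bool = False` with the `cloud-init schema` CLI passing `True` where detailed output is wanted (the bodies of `validate_cloudconfig_schema` and `main_init` continue outside the hunk, so other callers cannot be checked here). The `# This could output/log sensitive data` comment on the `strict` branch is worth expanding to say that `SchemaValidationError` carries the same per-key messages (the test shows values echoed as `p1: -1 is not of type 'string'`) and should not be logged verbatim by callers that catch it. The nested diff headers use doubled slashes (`a//cloudinit/cmd/main.py`); some tools collapse the extra slash while others count it and would resolve the stripped path as absolute, so normalizing to `a/cloudinit/cmd/main.py` makes the `%patch` step less fragile. The new unit test pins the exact log message but never asserts that the value itself is absent; adding `assert "secret" not in log_msg` mirrors the integration test's `assert "asdfasdf" not in log` and documents the intent of the change directly.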
@@ -15,6 +15,7 @@ Patch3: add-variable-to-forbid-tmp-dir.patch Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch Patch6: backport-Do-not-change-permissions-of-netrules-target.patch +Patch7: backport-CVE-2022-2084.patch Patch9000: fix-permission-of-the-private-key.patch @@ -131,6 +132,9 @@ fi %exclude /usr/share/doc/* %changelog +* Web Apr 26 2023 wangyongcong - 22.2-8 +- backport patch of CVE-2022-2084 + * Fri Apr 14 2023 shixuantong - 22.2-7 - Don't change permissions of netrules target -- Gitee
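Review bot: The new %changelog entry's date token `Web Apr 26 2023` misspells the weekday; rpmbuild validates the weekday name while parsing %changelog and, on current rpm releases, rejects an unrecognized one as a bad date, so the line should read `* Wed Apr 26 2023 wangyongcong - 22.2-8`. The `Patch7:` declaration in the earlier hunk only takes effect if the spec's %prep applies it (`%autosetup -p1` or an explicit `%patch7 -p1`), which lies outside the visible hunks and is worth confirming before the build is attempted.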