From 50800d1bb11ef8b9e981938fdea879d201d45098 Mon Sep 17 00:00:00 2001
From: xzf1234 <m202071390@hust.edu.cn>
Date: Wed, 26 Apr 2023 18:02:27 +0800
Subject: [PATCH] fix CVE-2022-2084

---
 backport-CVE-2022-2084.patch | 157 +++++++++++++++++++++++++++++++++++
 cloud-init.spec              |   6 +-
 2 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2084.patch

diff --git a/backport-CVE-2022-2084.patch b/backport-CVE-2022-2084.patch
new file mode 100644
index 0000000..981eab4
--- /dev/null
+++ b/backport-CVE-2022-2084.patch
@@ -0,0 +1,157 @@
+From 2ad02b787cd0a348faeab488091d78d6e5ec3068 Mon Sep 17 00:00:00 2001
+From: xzf1234 <yangyixin@hust.edu.cn>
+Date: Wed, 26 Apr 2023 17:53:52 +0800
+Subject: [PATCH] fix CVE-2022-2084
+
+---
+ cloud-init-22.2/cloudinit/cmd/main.py         |  4 +++-
+ cloud-init-22.2/cloudinit/config/schema.py    | 23 +++++++++++++------
+ .../integration_tests/modules/test_cli.py     | 20 +++++++++++-----
+ .../tests/unittests/config/test_schema.py     | 23 ++++++++++++++++++-
+ 4 files changed, 55 insertions(+), 15 deletions(-)
+
+diff --git a//cloudinit/cmd/main.py b//cloudinit/cmd/main.py
+index fcdaf72..bc7149d 100644
+--- a//cloudinit/cmd/main.py
++++ b//cloudinit/cmd/main.py
+@@ -454,7 +454,9 @@ def main_init(name, args):
+ 
+     # Validate user-data adheres to schema definition
+     if os.path.exists(init.paths.get_ipath_cur("userdata_raw")):
+-        validate_cloudconfig_schema(config=init.cfg, strict=False)
++        validate_cloudconfig_schema(
++                    config=init.cfg, strict=False, log_details=False
++                )
+     else:
+         LOG.debug("Skipping user-data validation. No user-data found.")
+ 
+diff --git a//cloudinit/config/schema.py b//cloudinit/config/schema.py
+index 7a6ecf0..ab7b8a3 100644
+--- a//cloudinit/config/schema.py
++++ b//cloudinit/config/schema.py
+@@ -196,6 +196,7 @@ def validate_cloudconfig_schema(
+     schema: dict = None,
+     strict: bool = False,
+     strict_metaschema: bool = False,
++    log_details: bool = True,
+ ):
+     """Validate provided config meets the schema definition.
+ 
+@@ -208,6 +209,9 @@ def validate_cloudconfig_schema(
+        logging warnings.
+     @param strict_metaschema: Boolean, when True validates schema using strict
+        metaschema definition at runtime (currently unused)
++    @param log_details: Boolean, when True logs details of validation errors.
++           If there are concerns about logging sensitive userdata, this should
++           be set to False.
+ 
+     @raises: SchemaValidationError when provided config does not validate
+         against the provided schema.
+@@ -231,13 +235,18 @@ def validate_cloudconfig_schema(
+         path = ".".join([str(p) for p in error.path])
+         errors += ((path, error.message),)
+     if errors:
+-        if strict:
+-            raise SchemaValidationError(errors)
+-        else:
+-            messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
+-            LOG.warning(
+-                "Invalid cloud-config provided:\n%s", "\n".join(messages)
+-            )
++            if strict:
++                # This could output/log sensitive data
++                raise SchemaValidationError(errors)
++            if log_details:
++                messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
++                details = "\n" + "\n".join(messages)
++            else:
++                details = (
++                    "Please run 'sudo cloud-init schema --system' to "
++                    "see the schema errors."
++                )
++            LOG.warning("Invalid cloud-config provided: %s", details)
+ 
+ 
+ def annotated_cloudconfig_file(
+diff --git a//tests/integration_tests/modules/test_cli.py b//tests/integration_tests/modules/test_cli.py
+index e878176..4b8f53a 100644
+--- a//tests/integration_tests/modules/test_cli.py
++++ b//tests/integration_tests/modules/test_cli.py
+@@ -18,11 +18,18 @@ runcmd:
+   - echo 'hi' > /var/tmp/test
+ """
+ 
++# The '-' in 'hashed-password' fails schema validation
+ INVALID_USER_DATA_SCHEMA = """\
+ #cloud-config
+-updates:
+- notnetwork: -1
+-apt_pipelining: bogus
++users:
++  - default
++  - name: newsuper
++    gecos: Big Stuff
++    groups: users, admin
++    sudo: ALL=(ALL) NOPASSWD:ALL
++    hashed-password: asdfasdf
++    shell: /bin/bash
++    lock_passwd: true
+ """
+ 
+ 
+@@ -69,11 +76,12 @@ def test_invalid_userdata_schema(client: IntegrationInstance):
+     assert result.ok
+     log = client.read_from_file("/var/log/cloud-init.log")
+     warning = (
+-        "[WARNING]: Invalid cloud-config provided:\napt_pipelining: 'bogus'"
+-        " is not valid under any of the given schemas\nupdates: Additional"
+-        " properties are not allowed ('notnetwork' was unexpected)"
++        "[WARNING]: Invalid cloud-config provided: Please run "
++        "'sudo cloud-init schema --system' to see the schema errors."
+     )
+     assert warning in log
++    assert "asdfasdf" not in log
++
+     result = client.execute("cloud-init status --long")
+     if not result.ok:
+         raise AssertionError(
+diff --git a//tests/unittests/config/test_schema.py b//tests/unittests/config/test_schema.py
+index c75b722..78dda67 100644
+--- a//tests/unittests/config/test_schema.py
++++ b//tests/unittests/config/test_schema.py
+@@ -304,10 +304,31 @@ class TestValidateCloudConfigSchema:
+         assert "cloudinit.config.schema" == module
+         assert logging.WARNING == log_level
+         assert (
+-            "Invalid cloud-config provided:\np1: -1 is not of type 'string'"
++            "Invalid cloud-config provided: \np1: -1 is not of type 'string'"
+             == log_msg
+         )
+ 
++    @skipUnlessJsonSchema()
++        def test_validateconfig_schema_sensitive(self, caplog):
++            """When log_details=False, ensure details are omitted"""
++            schema = {
++                "properties": {"hashed_password": {"type": "string"}},
++                "additionalProperties": False,
++            }
++            validate_cloudconfig_schema(
++                {"hashed-password": "secret"},
++                schema,
++                strict=False,
++                log_details=False,
++            )
++            [(module, log_level, log_msg)] = caplog.record_tuples
++            assert "cloudinit.config.schema" == module
++            assert logging.WARNING == log_level
++            assert (
++                "Invalid cloud-config provided: Please run 'sudo cloud-init "
++                "schema --system' to see the schema errors." == log_msg
++            )
++
+     @skipUnlessJsonSchema()
+     def test_validateconfig_schema_emits_warning_on_missing_jsonschema(
+         self, caplog
+-- 
+2.33.1.windows.1
+
diff --git a/cloud-init.spec b/cloud-init.spec
index 5d87858..cd25883 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 22.2
-Release: 7
+Release: 8
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -15,6 +15,7 @@ Patch3: add-variable-to-forbid-tmp-dir.patch
 Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
 Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch
 Patch6: backport-Do-not-change-permissions-of-netrules-target.patch
+Patch7: backport-CVE-2022-2084.patch
 
 Patch9000:     fix-permission-of-the-private-key.patch
 
@@ -131,6 +132,9 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Web Apr 26 2023 wangyongcong <m202071390@hust.edu.cn> - 22.2-8
+- backport patch of CVE-2022-2084
+
 * Fri Apr 14 2023 shixuantong <shixuantong1@huawei.com> - 22.2-7
 - Don't change permissions of netrules target
 
-- 
Gitee