diff --git a/cloud-init.spec b/cloud-init.spec
index 04f9614b2b356e28a599624869cea8c97e59ff01..a71a0892b9546e515932229eb484b77b135a4818 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.4
-Release: 13
+Release: 14
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -22,6 +22,7 @@ Patch10: backport-Fix-the-distro.osfamily-output-problem.patch
 Patch11: backport-netplan-keep-custom-strict-perms-when-50-cloud-init.patch
 Patch12: backport-Do-not-change-permissions-of-netrules-target.patch
 Patch13: fix-a-small-unitest-error.patch
+Patch14: fix-CVE-2022-2084.patch
 Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
@@ -133,6 +134,12 @@ fi
 %exclude /usr/share/doc/*
 %changelog
+* Fri May 5 2023 wangyongcong - 21.4-14
+- Type:CVE
+- ID: CVE-2022-2084
+- SUG:NA
+- DESC: Fix CVE-2022-2084
+
 * Sun Apr 23 2023 shixuantong - 21.4-13
 - Fix a unitest error
diff --git a/fix-CVE-2022-2084.patch b/fix-CVE-2022-2084.patch
new file mode 100644
index 0000000000000000000000000000000000000000..04242d821d6fd1146a08223b4d84b8e141c3df8b
--- /dev/null
+++ b/fix-CVE-2022-2084.patch
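Review bot: `+Patch14: fix-CVE-2022-2084.patch` in the second hunk declares the patch but nothing in this diff applies it; unless %prep (outside the hunk) uses `%autosetup -p1` or `%autopatch`, a matching `%patch14 -p1` line is needed, otherwise Release 14 is rebuilt without the CVE-2022-2084 change while the changelog claims it is fixed. The changelog entry in the third hunk is consistent with the Release bump in the first, so only the application step is in question.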
@@ -0,0 +1,129 @@
+From 4d467b14363d800b2185b89790d57871f11ea88c Mon Sep 17 00:00:00 2001
+From: James Falcon
+Date: Wed, 29 Jun 2022 17:27:44 -0500
+Subject: [PATCH] Remove schema errors from log (#1551)
+
+When schema errors are encountered, the section of userdata in question
+gets printed to the cloud-init log. As this could contain sensitive
+data, so log a generic warning instead and redirect user to run
+cloud-init schema --system as root.
+
+LP: #1978422
+CVE: 2022-2084
+---
+ cloudinit/cmd/main.py | 8 ++++++++
+ cloudinit/config/schema.py | 20 +++++++++++++++----
+ unittests/test_handler/test_schema.py | 17 ++++++++++++++++
+ 3 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/cloudinit/cmd/main.py b/cloudinit/cmd/main.py
+index 63186d3..6eabe97 100644
+--- a/cloudinit/cmd/main.py
++++ b/cloudinit/cmd/main.py
+@@ -432,6 +432,14 @@ def main_init(name, args):
+ util.logexc(LOG, "Consuming user data failed!")
+ return (init.datasource, ["Consuming user data failed!"])
+ 
++ # Validate user-data adheres to schema definition
++ if os.path.exists(init.paths.get_ipath_cur("userdata_raw")):
++ validate_cloudconfig_schema(
++ config=init.cfg, strict=False, log_details=False
++ )
++ else:
++ LOG.debug("Skipping user-data validation. No user-data found.")
++
+ apply_reporting_cfg(init.cfg)
+ 
+ # Stage 8 - re-read and apply relevant cloud-config to include user-data
+diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
+index 456bab2..a1a4fb8 100644
+--- a/cloudinit/config/schema.py
++++ b/cloudinit/config/schema.py
+@@ -14,6 +14,8 @@ import re
+ import sys
+ import yaml
+ 
++LOG = logging.getLogger(__name__)
++
+ _YAML_MAP = {True: 'true', False: 'false', None: 'null'}
+ SCHEMA_UNDEFINED = b'UNDEFINED'
+ CLOUD_CONFIG_HEADER = b'#cloud-config'
+@@ -72,7 +74,7 @@ def is_schema_byte_string(checker, instance):
+ isinstance(instance, (bytes,)))
+ 
+ 
+-def validate_cloudconfig_schema(config, schema, strict=False):
++def validate_cloudconfig_schema(config, schema, strict=False, log_details=True):
+ """Validate provided config meets the schema definition.
+ 
+ @param config: Dict of cloud configuration settings validated against
+@@ -81,6 +83,9 @@ def validate_cloudconfig_schema(config, schema, strict=False):
+ for the cloud config module (config.cc_*).
+ @param strict: Boolean, when True raise SchemaValidationErrors instead of
+ logging warnings.
++ @param log_details: Boolean, when True logs details of validation errors.
++ If there are concerns about logging sensitive userdata, this should
++ be set to False.
+ 
+ @raises: SchemaValidationError when provided config does not validate
+ against the provided schema.
+@@ -118,10 +123,17 @@ def validate_cloudconfig_schema(config, schema, strict=False):
+ errors += ((path, error.message),)
+ if errors:
+ if strict:
++ # This could output/log sensitive data
+ raise SchemaValidationError(errors)
++ if log_details:
++ messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
++ details = "\n" + "\n".join(messages)
+ else:
+- messages = ['{0}: {1}'.format(k, msg) for k, msg in errors]
+- logging.warning('Invalid config:\n%s', '\n'.join(messages))
++ details = (
++ "Please run 'sudo cloud-init schema --system' to "
++ "see the schema errors."
++ )
++ LOG.warning('Invalid config:%s', details)
+ 
+ 
+ def annotated_cloudconfig_file(cloudconfig, original_content, schema_errors):
+@@ -479,7 +491,7 @@ def handle_schema_args(name, args):
+ invalid_docs = set(args.docs).difference(set(schema_ids))
+ if invalid_docs:
+ error('Invalid --docs value {0}. Must be one of: {1}'.format(
+- list(invalid_docs), ', '.join(schema_ids)))
++ list(invalid_docs), ', '.join(schema_ids)))
+ for subschema in full_schema['allOf']:
+ if 'all' in args.docs or subschema['id'] in args.docs:
+ print(get_schema_doc(subschema))
+diff --git a/tests/unittests/test_handler/test_schema.py b/tests/unittests/test_handler/test_schema.py
+index 1dae223..b5b1bc3 100644
+--- a/tests/unittests/test_handler/test_schema.py
++++ b/tests/unittests/test_handler/test_schema.py
+@@ -86,6 +86,23 @@ class ValidateCloudConfigSchemaTest(CiTestCase):
+ "Invalid config:\np1: -1 is not of type 'string'\n",
+ self.logs.getvalue())
+ 
++ @skipUnlessJsonSchema()
++ def test_validateconfig_schema_sensitive(self):
++ """When log_details=False, ensure details are omitted"""
++ schema = {
++ "properties": {"hashed_password": {"type": "string"}},
++ "additionalProperties": False,
++ }
++ validate_cloudconfig_schema(
++ {"hashed-password": "secret"},
++ schema,
++ strict=False,
++ log_details=False,
++ )
++ self.assertIn(
++ "Invalid config:Please run 'sudo cloud-init "
++ "schema --system' to see the schema errors.", self.logs.getvalue())
++
+ @skipUnlessJsonSchema()
+ def test_validateconfig_schema_emits_warning_on_missing_jsonschema(self):
+ """Warning from validate_cloudconfig_schema when missing jsonschema."""
+-- 
+2.33.1.windows.1
+
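Review bot: The new block in `main_init` calls `validate_cloudconfig_schema(config=init.cfg, strict=False, log_details=False)` without a `schema` argument, while the same patch keeps `schema` as a required positional parameter in `def validate_cloudconfig_schema(config, schema, strict=False, log_details=True):`, so on any instance that has user-data this call raises `TypeError` out of `main_init` instead of validating anything (the call appears to sit at function level after the except block, with no surrounding try; `main_init` starts and ends outside the hunk). The upstream change this is backported from relies on a later signature where `schema` defaults to `None` and the function loads the full schema itself; the backport needs the equivalent, e.g. `def validate_cloudconfig_schema(config, schema=None, strict=False, log_details=True):` followed by `if schema is None: schema = get_schema()`, assuming 21.4's schema.py provides `get_schema()` as `handle_schema_args` suggests (not visible here), or the caller must pass a schema explicitly. `main_init` must also have `os` and `validate_cloudconfig_schema` in scope, which the hunk does not show. The `strict=True` path still raises `SchemaValidationError(errors)` carrying the offending values; the added `# This could output/log sensitive data` comment would be clearer as `# strict=True surfaces the offending values; only used by 'cloud-init schema --system', which runs as root`.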