From fcddd2c6e1392c74c9a85382b5de4d7b8768c226 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Fri, 12 Apr 2024 16:00:28 +0800
Subject: [PATCH] fix: Logging sensitive data

(cherry picked from commit 72a092f6c369dbaf5e840317f6de49668b79487a)
---
 backport-fix-Logging-sensitive-data.patch | 43 +++++++++++++++++++++++
 cloud-init.spec | 9 ++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-Logging-sensitive-data.patch

diff --git a/backport-fix-Logging-sensitive-data.patch b/backport-fix-Logging-sensitive-data.patch
new file mode 100644
index 0000000..999ade0
--- /dev/null
+++ b/backport-fix-Logging-sensitive-data.patch
@@ -0,0 +1,43 @@
+From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
+From: Brett Holman
+Date: Wed, 3 Apr 2024 13:51:25 -0600
+Subject: [PATCH] fix: Logging sensitive data
+
+Don't log sensitive data.
+
+Since /var/log/cloud-init.log is a priviledged file, this does not expose a
+secure system (no CVE). However, we don't want to log this information so that
+users can file reports without having to manually redact logs.
+
+Standardize log messages so that redacted and non-redacted logs match.
+
+Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
+---
+ cloudinit/subp.py | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/cloudinit/subp.py b/cloudinit/subp.py
+index 267142e..749dc9c 100644
+--- a/cloudinit/subp.py
++++ b/cloudinit/subp.py
+@@ -217,13 +217,10 @@ def subp(args, data=None, rcs=None, env=None, capture=True,
+ if status_cb:
+ command = ' '.join(args) if isinstance(args, list) else args
+ status_cb('Begin run command: {command}\n'.format(command=command))
+- if not logstring:
+- LOG.debug(("Running command %s with allowed return codes %s"
+- " (shell=%s, capture=%s)"),
+- args, rcs, shell, 'combine' if combine_capture else capture)
+- else:
+- LOG.debug(("Running hidden command to protect sensitive "
+- "input/output logstring: %s"), logstring)
++
++ LOG.debug(("Running command %s with allowed return codes %s"
++ " (shell=%s, capture=%s)"),
++ logstring if logstring else args, rcs, shell, 'combine' if combine_capture else capture)
+
+ stdin = None
+ stdout = None
+--
+2.27.0
+
diff --git a/cloud-init.spec b/cloud-init.spec
index c94e5e3..7986020 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.4
-Release: 25
+Release: 26
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
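Review bot: The `status_cb` call just above the rewritten LOG.debug (`command = ' '.join(args) if isinstance(args, list) else args` / `status_cb('Begin run command: {command}\n'.format(command=command))`) still receives the unredacted command, so when a caller passes `logstring` to hide sensitive input, the same data the backport removes from the debug log is still handed to the status callback. I cannot see where status_cb writes from this hunk, but if it reaches the console or a status file the redaction should be applied consistently: `command = logstring if logstring else (' '.join(args) if isinstance(args, list) else args)`. Separately, the new argument line `logstring if logstring else args, rcs, shell, 'combine' if combine_capture else capture)` runs well past the width the neighbouring lines are wrapped to; breaking it after `args,` keeps the style of the surrounding code. subp's body starts and ends outside the hunk, so the error path that reports a failing command is not visible here and may need the same treatment.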
@@ -74,6 +74,7 @@ Patch6039: backport-Return-a-namedtuple-from-subp-1376.patch
 Patch6040: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
 Patch6041: backport-fix-growpart-race-4618.patch
 Patch6042: backport-handle-error-when-log-file-is-empty-4859.patch
+Patch6043: backport-fix-Logging-sensitive-data.patch
 
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@@ -184,6 +185,12 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Fri Apr 12 2024 shixuantong - 21.4-26
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix: Logging sensitive data
+
 * Tue Mar 26 2024 shixuantong - 21.4-25
 - Type:bugfix
 - CVE:NA
-- 
Gitee