From 4f7556376dc9e218435a99e082df76f015928117 Mon Sep 17 00:00:00 2001
From: cenhuilin
Date: Mon, 7 Jul 2025 18:17:27 +0800
Subject: [PATCH] fix CVE-2024-6174

---
 cloud-init.spec | 7 ++-
 fix-CVE-2024-6174-1.patch | 99 +++++++++++++++++++++++++++++++++++++++
 fix-CVE-2024-6174-2.patch | 80 +++++++++++++++++++++++++++++++
 3 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2024-6174-1.patch
 create mode 100644 fix-CVE-2024-6174-2.patch

diff --git a/cloud-init.spec b/cloud-init.spec
index 2d724d4..2c8b092 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 19.4
-Release: 15
+Release: 16
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -27,6 +27,8 @@ Patch16: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
 Patch17: backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
 Patch18: backport-feat-Ensure-random-passwords-contain-multiple-charac.patch
 Patch19: backport-test-Fix-duplicate-judgment-conditions-in-password-g.patch
+Patch20: fix-CVE-2024-6174-1.patch
+Patch21: fix-CVE-2024-6174-2.patch
 Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
@@ -135,6 +137,9 @@ fi
 %exclude /usr/share/doc/*
 %changelog
+* Mon Jul 07 2025 cenhuilin - 19.4-16
+- fix CVE-2024-6174
+
 * Mon Nov 04 2024 shixuantong - 19.4-15
 - Ensure random passwords contain multiple character types
diff --git a/fix-CVE-2024-6174-1.patch b/fix-CVE-2024-6174-1.patch
new file mode 100644
index 0000000..3201e64
--- /dev/null
+++ b/fix-CVE-2024-6174-1.patch
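Review bot: The `Patch20`/`Patch21` lines pull in a change that both embedded patches label as breaking (patch 1's BREAKING_CHANGE trailer, patch 2's list of OpenStack workarounds), yet the package's own record of it, the `- fix CVE-2024-6174` changelog line in the third hunk, gives an operator no hint that cloud-init will now be disabled on instances that cannot identify a datasource via DMI or the kernel command line. Suggest expanding that line, e.g. `- fix CVE-2024-6174: ds-identify no longer enables cloud-init on 'maybe' or 'notfound' results; affected OpenStack instances need ci.ds=OpenStack, a datasource_list setting or ConfigDrive`. Since this ships as a Release bump only, users upgrading will otherwise learn of the behaviour change from an unconfigured instance rather than from the package metadata.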
@@ -0,0 +1,99 @@
+From f43937f0b462734eb9c76700491c18fe4133c8e1 Mon Sep 17 00:00:00 2001
+From: Brett Holman
+Date: Mon, 7 Jul 2025 17:38:23 +0800
+Subject: [PATCH] fix: Don't attempt to identify non-x86 OpenStack instances
+
+This causes cloud-init to attempt to reach out to the OpenStack Nova
+datasource in non-Nova deployments on non-x86 architectures.
+
+Change default policy of ds-identify to disallow discovery of datasources
+without strict identifiable artifacts in either kernel cmdline, DMI
+platform information or system configuration files. This prevents
+cloud-init from attempting to reach out to well-known hard-codded link-local
+IP addresses for configuration information unless the platform strictly
+identifies as a specific datasource.
+
+CVE-2024-6174
+LP: #2069607
+BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
+ may wish to use ConfigDrive as a workaround.
+
+---
+ tests/unittests/test_ds_identify.py | 12 ++++++------
+ tools/ds-identify | 8 ++++----
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index 36d7fbb..25eeba5 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -41,9 +41,9 @@ BLKID_UEFI_UBUNTU = [
+ 
+ 
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = 'http://schemas.dmtf.org/ovf/environment/1'
+ 
+@@ -456,7 +456,7 @@ class TestDsIdentify(DsIdentifyBase):
+ self._test_ds_found('OpenStack-AssetTag-Compute')
+ 
+ def test_openstack_on_non_intel_is_maybe(self):
+- """On non-Intel, openstack without dmi info is maybe.
++ """On non-Intel, openstack without dmi info is none.
+ 
+ nova does not identify itself on platforms other than intel.
+ https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
+@@ -472,9 +472,9 @@ class TestDsIdentify(DsIdentifyBase):
+ 
+ # updating the uname to ppc64 though should get a maybe.
+ data.update({'mocks': [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+- (_, _, err, _, _) = self._check_via_dict(
+- data, RC_FOUND, dslist=['OpenStack', 'None'])
++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
++ self.assertIn("No ds found", err)
+ 
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index c93d4a7..054d3b3 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -14,7 +14,7 @@
+ # The format is:
+ # ,found=value,maybe=value,notfound=value
+ # default setting is:
+-# search,found=all,maybe=all,notfound=disabled
++# search,found=all,maybe=none,notfound=disabled
+ #
+ # kernel command line option: ci.di.policy=
+ # example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ # first: use the first found do no further checking
+ # all: enable all DS_FOUND
+ #
+-# maybe: (default=all)
++# maybe: (default=none)
+ # if nothing returned 'found', then how to handle maybe.
+ # no network sources are allowed to return 'maybe'.
+ # all: enable all DS_MAYBE
+@@ -93,8 +93,8 @@ _DI_LOGGED=""
+ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_OUTPUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+ DI_DMI_SYS_VENDOR=""
+-- 
+2.43.0
+
diff --git a/fix-CVE-2024-6174-2.patch b/fix-CVE-2024-6174-2.patch
new file mode 100644
index 0000000..03b8a54
--- /dev/null
+++ b/fix-CVE-2024-6174-2.patch
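Review bot: After this hunk `test_openstack_on_non_intel_is_maybe` asserts `RC_NOT_FOUND` and "No ds found", but its name and the surviving comment `# updating the uname to ppc64 though should get a maybe.` still describe the pre-fix expectation, so a reader of the 19.4 suite gets the policy backwards. Suggest rewording the comment to `# ppc64 still only yields 'maybe', which the default policy no longer accepts` and, if the backport may diverge from upstream naming, renaming the method to `test_openstack_on_non_intel_is_not_found`. The constants hunk also leaves `POLICY_FOUND_OR_MAYBE` byte-identical to `POLICY_FOUND_ONLY`; a one-line comment beside it noting that 'maybe' is no longer honoured by any default policy would explain why two names carry one value. The method's remaining lines are outside this hunk, and the second patch (next hunk) edits the same method again, so a rename would have to be carried through both patches.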
@@ -0,0 +1,80 @@
+From e3f42adc2674a38fb29e414cfbf96f884934b2d2 Mon Sep 17 00:00:00 2001
+From: Chad Smith
+Date: Mon, 7 Jul 2025 17:41:15 +0800
+Subject: [PATCH] fix: strict disable in ds-identify on no datasources found
+
+Take the CVE-2024-6174 strict detection fix one step further.
+
+Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery.
+But, if no datasources are met the DS_FOUND conditions, ds-identify was
+still leaving cloud-init enabled. This resulted in cloud-init python
+code attempting to discover all datasources later in boot based on
+the default datasource_list.
+
+ds-identify will now assert that at least one datasource is found. If
+no datasources, ds-identify will exit 1 which disables cloud-init boot
+stages and results in no boot configuration operations from cloud-init.
+
+OpenStack images which cannot identify a valid datasource with DMI-data
+or kernel command line ci.ds=OpenStack parameter will need to either:
+- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set
+ datasource_list: [ OpenStack ]
+- provide --config-drive true to openstack server create
+- attach a nocloud disk labelled CIDATA containing user-data and
+ meta-data files
+
+CVE-2024-6174
+LP: #2069607
+
+---
+ tests/unittests/test_ds_identify.py | 6 ++++--
+ tools/ds-identify | 2 +-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index 25eeba5..349e5a3 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -43,7 +43,7 @@ BLKID_UEFI_UBUNTU = [
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+ POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
+ DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = 'http://schemas.dmtf.org/ovf/environment/1'
+ 
+@@ -464,7 +464,7 @@ class TestDsIdentify(DsIdentifyBase):
+ data = copy.deepcopy(VALID_CFG['OpenStack'])
+ del data['files'][P_PRODUCT_NAME]
+ data.update({'policy_dmi': POLICY_FOUND_OR_MAYBE,
+- 'policy_no_dmi': POLICY_FOUND_OR_MAYBE})
++ 'policy_no_dmi': DI_DEFAULT_POLICY_NO_DMI})
+ 
+ # this should show not found as default uname in tests is intel.
+ # and intel openstack requires positive identification.
+@@ -475,6 +475,8 @@ class TestDsIdentify(DsIdentifyBase):
+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
+ self.assertIn("No ds found", err)
++ self.assertIn("Disabled cloud-init", err)
++ self.assertIn("returning 1", err)
+ 
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 054d3b3..753ccdb 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -94,7 +94,7 @@ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_OUTPUT=""
+ DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+ DI_DMI_SYS_VENDOR=""
+-- 
+2.43.0
+
-- 
Gitee
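Review bot: The only ds-identify change in this patch is the `DI_DEFAULT_POLICY_NO_DMI` default flipping from `notfound=${DI_ENABLED}` to `notfound=${DI_DISABLED}`, so the new assertions `self.assertIn("Disabled cloud-init", err)` and `self.assertIn("returning 1", err)` rely on the 19.4 ds-identify's existing notfound=disabled path emitting exactly those strings, which this patch does not show. Worth confirming against the tree's tools/ds-identify before merging, and confirming that the package build actually runs tests/unittests/test_ds_identify.py, otherwise the assertion never executes and the disable behaviour the description promises is unverified. The description also cites upstream commit 8c3ae1b for the DS_MAYBE change, which does not match the hash carried by the backported patch 1; a line such as `(carried here as fix-CVE-2024-6174-1.patch)` in the description would save the next maintainer a lookup.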