From 751c2bc44ea683eedcd5eaeff6106d105153c1f8 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Mon, 7 Jul 2025 20:00:33 +0800
Subject: [PATCH] fix CVE-2024-11584

---
 backport-CVE-2024-11584.patch | 97 +++++++++++++++++++++++++++++++++++
 cloud-init.spec | 9 +++-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-11584.patch

diff --git a/backport-CVE-2024-11584.patch b/backport-CVE-2024-11584.patch
new file mode 100644
index 0000000..b70e147
--- /dev/null
+++ b/backport-CVE-2024-11584.patch
@@ -0,0 +1,97 @@
+From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
+From: James Falcon
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+---
+ cloudinit/cmd/devel/logs.py | 2 +-
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket | 5 +++--
+ tools/cloud-init-hotplugd | 2 +-
+ tools/hook-hotplug | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py
+index 17be2c1d5..b8d87d6f3 100755
+--- a/cloudinit/cmd/devel/logs.py
++++ b/cloudinit/cmd/devel/logs.py
+@@ -295,7 +295,7 @@ def _get_run_dir(run_dir: pathlib.Path) -> Iterator[pathlib.Path]:
+ Note that this only globs the top-level directory as there are currently
+ no relevant files within subdirectories.
+ """
+- return (p for p in run_dir.glob("*") if p.name != "hook-hotplug-cmd")
++ return run_dir.glob("*")
+ 
+ 
+ def _collect_logs_into_tmp_dir(
+diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service
+index 2e552a0a0..5f4c8e838 100644
+--- a/systemd/cloud-init-hotplugd.service
++++ b/systemd/cloud-init-hotplugd.service
+@@ -1,5 +1,5 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # On start, read args from the FIFO, process and provide structured arguments
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index c56b978f3..023dfa2a9 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -1,5 +1,5 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
++# hook-hotplug-cmd which is created during a udev network
+ # add or remove event as processed by 90-cloud-init-hook-hotplug.rules.
+ 
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+@@ -14,7 +14,8 @@ ConditionKernelCommandLine=!cloud-init=disabled
+ ConditionEnvironment=!KERNEL_CMDLINE=cloud-init=disabled
+ 
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-config.target
+diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd
+index 70977d48e..3d56fffa7 100755
+--- a/tools/cloud-init-hotplugd
++++ b/tools/cloud-init-hotplugd
+@@ -9,7 +9,7 @@
+ # upon a network device event). Anything received via the pipe is then
+ # passed on via the "cloud-init devel hotplug-hook handle" command.
+ 
+-PIPE="/run/cloud-init/hook-hotplug-cmd"
++PIPE="/run/cloud-init/share/hook-hotplug-cmd"
+ 
+ mkfifo -m700 $PIPE
+ 
+diff --git a/tools/hook-hotplug b/tools/hook-hotplug
+index 208d21dd7..f142d4b95 100755
+--- a/tools/hook-hotplug
++++ b/tools/hook-hotplug
+@@ -4,7 +4,7 @@
+ # This script checks if cloud-init has hotplug hooked and if
+ # cloud-init is ready; if so invoke cloud-init hotplug-hook
+ 
+-fifo=/run/cloud-init/hook-hotplug-cmd
++fifo=/run/cloud-init/share/hook-hotplug-cmd
+ log_file=/run/cloud-init/hook-hotplug.log
+ 
+ should_run() {
+--
+2.27.0
+
diff --git a/cloud-init.spec b/cloud-init.spec
index a5f3ab3..2293ae9 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
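Review bot: `mkfifo -m700 $PIPE` in the tools/cloud-init-hotplugd hunk and `ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd` in the .socket hunk both now depend on /run/cloud-init/share existing with root-only permissions, yet nothing in this backport creates that directory or sets its mode, so the second layer the upstream message relies on rests on code outside this patch and should be confirmed to be present in the 25.1 base and to run before the socket unit starts. The two hunks also disagree on the FIFO mode (`SocketMode=0600` versus `-m700`); `mkfifo -m600 "$PIPE"` would match the unit and quote the path. In the logs.py hunk, `return run_dir.glob("*")` drops the FIFO exclusion because the FIFO is no longer at the top level, but the `share` directory itself is now yielded; whether the caller `_collect_logs_into_tmp_dir` (outside the hunk) descends into it and could block opening the FIFO cannot be seen here and is worth checking. On a host upgraded without a reboot, the FIFO at the old path presumably keeps its old permissions until the old socket unit is stopped, so a restart of cloud-init-hotplugd.socket at package upgrade time, or a note to operators, would close that window.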
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 25.1
-Release: 2
+Release: 3
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -14,6 +14,7 @@ Patch3: delete-config-nopasswd-all.patch
 Patch4: skip-test_ntp_custom_client_overrides_installed_clie.patch
 Patch5: fix-CVE-2024-6174-1.patch
 Patch6: fix-CVE-2024-6174-2.patch
+Patch7: backport-CVE-2024-11584.patch
 
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-responses
@@ -144,6 +145,12 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Mon Jul 07 2025 shixuantong - 25.1-3
+- Type:CVE
+- CVE:CVE-2024-11584
+- SUG:NA
+- DESC:fix CVE-2024-11584
+
 * Mon Jul 07 2025 cenhuilin - 25.1-2
 - Type:cve
 - CVE:NA
--
Gitee
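Review bot: `Patch7: backport-CVE-2024-11584.patch` is declared in the second hunk, but the `%prep` section that applies patches is outside the hunk; unless it uses `%autosetup` or `%autopatch`, a matching `%patch7 -p1` line is needed or the fix is never built in, which an `rpmbuild -bp` run would show. The new changelog entry's `- Type:CVE` also differs in case from the existing `- Type:cve` entries, which matters if release tooling parses these tags.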