diff --git a/backport-CVE-2024-11584.patch b/backport-CVE-2024-11584.patch
new file mode 100644
index 0000000000000000000000000000000000000000..28cb8a685d82ba555afd75892217651e502c4b5b
--- /dev/null
+++ b/backport-CVE-2024-11584.patch
@@ -0,0 +1,34 @@
+From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001
+From: James Falcon
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+---
+ systemd/cloud-init-hotplugd.socket | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket
+index aa09301..78b5111 100644
+--- a/systemd/cloud-init-hotplugd.socket
++++ b/systemd/cloud-init-hotplugd.socket
+@@ -8,6 +8,7 @@ Description=cloud-init hotplug hook socket
+ 
+ [Socket]
+ ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=cloud-init.target
+-- 
+2.27.0
+
diff --git a/cloud-init.spec b/cloud-init.spec
index 920a9b27719f4ba470a14cf785366b129cf8a08a..348a205c450ebe1d9bd59e4f4da2b40f7dfb4af6 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.4
-Release: 35
+Release: 36
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
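Review bot: The embedded commit message states that the socket is moved into the 'share' directory and references are updated, but the patch body only adds `SocketMode=0600` and leaves `ListenFIFO=/run/cloud-init/hook-hotplug-cmd` untouched (its own diffstat says 1 insertion in 1 file), so the description promises a second hardening layer this backport does not deliver. If the relocation was deliberately dropped for 21.4, a short note in the patch file saying so (e.g. a line under the Subject such as `Backport note: only the SocketMode change is carried; the 'share' relocation is not applied in this branch`) would stop a later maintainer assuming the FIFO is already in a root-only directory. With the FIFO still under /run/cloud-init, the 0600 node mode is the only control in place; whether that directory itself is restricted is not visible here and is worth confirming when applying this.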
@@ -94,6 +94,7 @@ Patch6060: backport-net-sysconfig-do-not-remove-all-existing-settings-of.patch
 Patch6061: backport-fix-typing-for-rsyslog-ubuntu_pro-power_state_change.patch
 Patch6062: fix-CVE-2024-6174-1.patch
 Patch6063: fix-CVE-2024-6174-2.patch
+Patch6064: backport-CVE-2024-11584.patch
 
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@@ -228,6 +229,12 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Mon Jul 07 2025 shixuantong - 21.4-36
+- Type:CVE
+- CVE:CVE-2024-11584
+- SUG:NA
+- DESC:fix CVE-2024-11584
+
 * Mon Jul 07 2025 cenhuilin - 21.4-35
 - Type:cve
 - CVE:NA
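Review bot: The new entry `Patch6064: backport-CVE-2024-11584.patch` breaks the naming used by the adjacent CVE fixes (`fix-CVE-2024-6174-1.patch`, `fix-CVE-2024-6174-2.patch`), so CVE patches can no longer be listed with one prefix; if the `backport-` prefix is not an intentional marker for upstream-derived patches in this spec, `Patch6064: fix-CVE-2024-11584.patch` with the file renamed to match would keep the section consistent. Nothing in this hunk shows how patches are applied in %prep (that section is outside the diff), so it is worth confirming that Patch6064 is actually picked up by the build, since a registered but unapplied patch would leave the FIFO mode unchanged while the changelog claims the CVE is fixed.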