diff --git a/SOURCES/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch b/SOURCES/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
new file mode 100644
index 0000000..7bb6679
--- /dev/null
+++ b/SOURCES/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
@@ -0,0 +1,113 @@
+From 5f36d42e42fb32abb55c69b47749a60d8de98dbf Mon Sep 17 00:00:00 2001
+From: Brett Holman
+Date: Thu, 22 Aug 2024 16:54:53 -0600
+Subject: [PATCH 1/2] fix: Don't attempt to identify non-x86 OpenStack
+ instances
+
+RH-Author: Ani Sinha
+RH-MergeRequest: 163: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
+RH-Jira: RHEL-100606
+RH-Acked-by: xiachen
+RH-Commit: [1/2] 8c759fbd27046038bd52dbd694ca071a3ea6d6cc
+
+This causes cloud-init to attempt to reach out to the OpenStack Nova
+datasource in non-Nova deployments on non-x86 architectures.
+
+Change default policy of ds-identify to disallow discovery of datasources
+without strict identifiable artifacts in either kernel cmdline, DMI
+platform information or system configuration files. This prevents
+cloud-init from attempting to reach out to well-known hard-codded link-local
+IP addresses for configuration information unless the platform strictly
+identifies as a specific datasource.
+
+CVE-2024-6174
+LP: #2069607
+BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
+ may wish to use ConfigDrive as a workaround.
+
+(cherry picked from commit 8c3ae1bb9f1d80fbf217b41a222ee434e7f58900)
+Signed-off-by: Ani Sinha
+
+ Conflicts:
+ doc/rtd/reference/breaking_changes.rst
+ This doc file does not exist. It was added in 8778506, so ignored.
+---
+ tests/unittests/test_ds_identify.py | 13 ++++++-------
+ tools/ds-identify | 8 ++++----
+ 2 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index acbf3f032..c4f0115a8 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -58,9 +58,9 @@ BLKID_UEFI_UBUNTU = [
+ 
+ 
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+ 
+@@ -574,7 +574,7 @@ class TestDsIdentify(DsIdentifyBase):
+ self._test_ds_found("OpenStack-AssetTag-Compute")
+ 
+ def test_openstack_on_non_intel_is_maybe(self):
+- """On non-Intel, openstack without dmi info is maybe.
++ """On non-Intel, openstack without dmi info is none.
+ 
+ nova does not identify itself on platforms other than intel.
+ https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
+@@ -594,10 +594,9 @@ class TestDsIdentify(DsIdentifyBase):
+ 
+ # updating the uname to ppc64 though should get a maybe.
+ data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+- (_, _, err, _, _) = self._check_via_dict(
+- data, RC_FOUND, dslist=["OpenStack", "None"]
+- )
++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
++ self.assertIn("No ds found", err)
+ 
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 6e49ded36..87b320f56 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -14,7 +14,7 @@
+ # The format is:
+ # ,found=value,maybe=value,notfound=value
+ # default setting is:
+-# search,found=all,maybe=all,notfound=disabled
++# search,found=all,maybe=none,notfound=disabled
+ #
+ # kernel command line option: ci.di.policy=
+ # example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ # first: use the first found do no further checking
+ # all: enable all DS_FOUND
+ #
+-# maybe: (default=all)
++# maybe: (default=none)
+ # if nothing returned 'found', then how to handle maybe.
+ # no network sources are allowed to return 'maybe'.
+ # all: enable all DS_MAYBE
+@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
+ 
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+--
+2.39.3
+
diff --git a/SOURCES/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch b/SOURCES/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
new file mode 100644
index 0000000..896d813
--- /dev/null
+++ b/SOURCES/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
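Review bot: After this change `POLICY_FOUND_OR_MAYBE` in tests/unittests/test_ds_identify.py is byte-identical to `POLICY_FOUND_ONLY` (`search,found=all,maybe=none,notfound=disabled`), so any test that selects it in order to exercise the maybe=all path now exercises the found-only path and the permissive policy loses its coverage; not every use of the constant is visible in this hunk, so that consequence is inferred from the definitions alone. Either drop the alias or keep it at `maybe=all` for tests that deliberately opt into the permissive policy, and let the strict default be what `test_openstack_on_non_intel_is_maybe` runs under. That test's name and the retained comment `# updating the uname to ppc64 though should get a maybe.` still describe the pre-change outcome while the assertion is now `RC_NOT_FOUND`; a rename to something like `test_openstack_on_non_intel_is_not_found` and a comment such as `# on ppc64 the OpenStack check returns maybe, which the default policy no longer enables` would keep name, docstring and assertion in agreement. The body of that test is split across the hunks at 574 and 594, so its `def` line lies outside the hunk in which the assertion changed.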
@@ -0,0 +1,89 @@
+From e095bbfa939a9ec61d4448a6f16370dd656dd30a Mon Sep 17 00:00:00 2001
+From: Chad Smith
+Date: Tue, 24 Jun 2025 09:12:52 -0600
+Subject: [PATCH 2/2] fix: strict disable in ds-identify on no datasources
+ found
+
+RH-Author: Ani Sinha
+RH-MergeRequest: 163: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
+RH-Jira: RHEL-100606
+RH-Acked-by: xiachen
+RH-Commit: [2/2] 01f55ab3c476a47ca2f2d2ace4b81b9a8a17e5d9
+
+Take the CVE-2024-6174 strict detection fix one step further.
+
+Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery.
+But, if no datasources are met the DS_FOUND conditions, ds-identify was
+still leaving cloud-init enabled. This resulted in cloud-init python
+code attempting to discover all datasources later in boot based on
+the default datasource_list.
+
+ds-identify will now assert that at least one datasource is found. If
+no datasources, ds-identify will exit 1 which disables cloud-init boot
+stages and results in no boot configuration operations from cloud-init.
+
+OpenStack images which cannot identify a valid datasource with DMI-data
+or kernel command line ci.ds=OpenStack parameter will need to either:
+- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set
+ datasource_list: [ OpenStack ]
+- provide --config-drive true to openstack server create
+- attach a nocloud disk labelled CIDATA containing user-data and
+ meta-data files
+
+CVE-2024-6174
+LP: #2069607
+
+(cherry picked from commit e3f42adc2674a38fb29e414cfbf96f884934b2d2)
+Signed-off-by: Ani Sinha
+---
+ tests/unittests/test_ds_identify.py | 6 ++++--
+ tools/ds-identify | 2 +-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
+index c4f0115a8..3c8976167 100644
+--- a/tests/unittests/test_ds_identify.py
++++ b/tests/unittests/test_ds_identify.py
+@@ -60,7 +60,7 @@ BLKID_UEFI_UBUNTU = [
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+ POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
+ DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+ 
+@@ -584,7 +584,7 @@ class TestDsIdentify(DsIdentifyBase):
+ data.update(
+ {
+ "policy_dmi": POLICY_FOUND_OR_MAYBE,
+- "policy_no_dmi": POLICY_FOUND_OR_MAYBE,
++ "policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI,
+ }
+ )
+ 
+@@ -597,6 +597,8 @@ class TestDsIdentify(DsIdentifyBase):
+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
+ self.assertIn("No ds found", err)
++ self.assertIn("Disabled cloud-init", err)
++ self.assertIn("returning 1", err)
+ 
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file
exists."""
+diff --git a/tools/ds-identify b/tools/ds-identify
+index 87b320f56..a293ecf3e 100755
+--- a/tools/ds-identify
++++ b/tools/ds-identify
+@@ -95,7 +95,7 @@ DI_MAIN=${DI_MAIN:-main}
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+ DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
+--
+2.39.3
+
diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec
index 224e390..65d7553 100644
--- a/SPECS/cloud-init.spec
+++ b/SPECS/cloud-init.spec
@@ -6,7 +6,7 @@ Name: cloud-init
 Version: 23.4
-Release: 7%{?dist}.9
+Release: 7%{?dist}.10
 Summary: Cloud instance init scripts
 Group: System Environment/Base
@@ -61,6 +61,10 @@ Patch32: ci-fix-Add-subnet-ipv4-ipv6-to-network-schema-5191.patch
 Patch33: ci-fix-rh_subscription-add-string-type-to-org-5453.patch
 # For RHEL-81169 - Cloud-init fails to subscribe system if activation key 'org' is not an integer [rhel-8.10.z]
 Patch34: ci-fix-python3.13-Fix-import-error-for-passlib-on-Pytho.patch
+# For RHEL-100606 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z]
+Patch35: ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
+# For RHEL-100606 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z]
+Patch36: ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
 BuildArch: noarch
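Review bot: The new `DI_DEFAULT_POLICY_NO_DMI` in tools/ds-identify is now identical to `DI_DEFAULT_POLICY`, and nothing on that line records that the no-DMI fallback was collapsed on purpose, so a later reader may "re-fix" it back to `notfound=${DI_ENABLED}`. A comment above the assignment would keep the rationale from the commit message next to the code, e.g. `# Intentionally the same as DI_DEFAULT_POLICY: without DMI data no datasource can be strictly identified, so cloud-init is disabled rather than left to probe network datasources later in boot (CVE-2024-6174).` In the test hunk the same equality means `"policy_dmi": POLICY_FOUND_OR_MAYBE` and `"policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI` now carry the same string, so the test no longer distinguishes the DMI and no-DMI code paths; the enclosing `test_openstack_on_non_intel_is_maybe` begins outside this hunk.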
@@ -276,6 +280,12 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 %changelog
+* Mon Jul 14 2025 Miroslav Rezanina - 23.4-7.el8.10
+- ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100606]
+- ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100606]
+- Resolves: RHEL-100606
+ (CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z])
+
 * Mon Mar 10 2025 Jon Maloy - 23.4-7.el8.9
 - ci-fix-rh_subscription-add-string-type-to-org-5453.patch [RHEL-81169]
 - ci-fix-python3.13-Fix-import-error-for-passlib-on-Pytho.patch [RHEL-81169]