@ -1 +0,0 @@
|
||||
e73116733f5636eb4bc1a5e47e802c3635b9bfa2 SOURCES/23.4.tar.gz
|
6
.gitignore
vendored
6
.gitignore
vendored
@ -1 +1,5 @@
|
||||
SOURCES/23.4.tar.gz
|
||||
SOURCES/cloud-init-22.1.tar.gz
|
||||
/cloud-init-22.1.tar.gz
|
||||
/cloud-init-23.1.1.tar.gz
|
||||
/*.tar.gz
|
||||
/*.rpm
|
||||
|
113
ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
Normal file
113
ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
Normal file
@ -0,0 +1,113 @@
|
||||
From 5f36d42e42fb32abb55c69b47749a60d8de98dbf Mon Sep 17 00:00:00 2001
|
||||
From: Brett Holman <brett.holman@canonical.com>
|
||||
Date: Thu, 22 Aug 2024 16:54:53 -0600
|
||||
Subject: [PATCH 1/2] fix: Don't attempt to identify non-x86 OpenStack
|
||||
instances
|
||||
|
||||
RH-Author: Ani Sinha <anisinha@redhat.com>
|
||||
RH-MergeRequest: 163: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
|
||||
RH-Jira: RHEL-100606
|
||||
RH-Acked-by: xiachen <xiachen@redhat.com>
|
||||
RH-Commit: [1/2] 8c759fbd27046038bd52dbd694ca071a3ea6d6cc
|
||||
|
||||
This causes cloud-init to attempt to reach out to the OpenStack Nova
|
||||
datasource in non-Nova deployments on non-x86 architectures.
|
||||
|
||||
Change default policy of ds-identify to disallow discovery of datasources
|
||||
without strict identifiable artifacts in either kernel cmdline, DMI
|
||||
platform information or system configuration files. This prevents
|
||||
cloud-init from attempting to reach out to well-known hard-codded link-local
|
||||
IP addresses for configuration information unless the platform strictly
|
||||
identifies as a specific datasource.
|
||||
|
||||
CVE-2024-6174
|
||||
LP: #2069607
|
||||
BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
|
||||
may wish to use ConfigDrive as a workaround.
|
||||
|
||||
(cherry picked from commit 8c3ae1bb9f1d80fbf217b41a222ee434e7f58900)
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
|
||||
Conflicts:
|
||||
doc/rtd/reference/breaking_changes.rst
|
||||
This doc file does not exist. It was added in 8778506, so ignored.
|
||||
---
|
||||
tests/unittests/test_ds_identify.py | 13 ++++++-------
|
||||
tools/ds-identify | 8 ++++----
|
||||
2 files changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
|
||||
index acbf3f032..c4f0115a8 100644
|
||||
--- a/tests/unittests/test_ds_identify.py
|
||||
+++ b/tests/unittests/test_ds_identify.py
|
||||
@@ -58,9 +58,9 @@ BLKID_UEFI_UBUNTU = [
|
||||
|
||||
|
||||
POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
|
||||
-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
|
||||
-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
|
||||
-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
|
||||
+POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
|
||||
+DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
|
||||
+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
|
||||
DI_EC2_STRICT_ID_DEFAULT = "true"
|
||||
OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
|
||||
|
||||
@@ -574,7 +574,7 @@ class TestDsIdentify(DsIdentifyBase):
|
||||
self._test_ds_found("OpenStack-AssetTag-Compute")
|
||||
|
||||
def test_openstack_on_non_intel_is_maybe(self):
|
||||
- """On non-Intel, openstack without dmi info is maybe.
|
||||
+ """On non-Intel, openstack without dmi info is none.
|
||||
|
||||
nova does not identify itself on platforms other than intel.
|
||||
https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
|
||||
@@ -594,10 +594,9 @@ class TestDsIdentify(DsIdentifyBase):
|
||||
|
||||
# updating the uname to ppc64 though should get a maybe.
|
||||
data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
|
||||
- (_, _, err, _, _) = self._check_via_dict(
|
||||
- data, RC_FOUND, dslist=["OpenStack", "None"]
|
||||
- )
|
||||
+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
|
||||
self.assertIn("check for 'OpenStack' returned maybe", err)
|
||||
+ self.assertIn("No ds found", err)
|
||||
|
||||
def test_default_ovf_is_found(self):
|
||||
"""OVF is identified found when ovf/ovf-env.xml seed file exists."""
|
||||
diff --git a/tools/ds-identify b/tools/ds-identify
|
||||
index 6e49ded36..87b320f56 100755
|
||||
--- a/tools/ds-identify
|
||||
+++ b/tools/ds-identify
|
||||
@@ -14,7 +14,7 @@
|
||||
# The format is:
|
||||
# <mode>,found=value,maybe=value,notfound=value
|
||||
# default setting is:
|
||||
-# search,found=all,maybe=all,notfound=disabled
|
||||
+# search,found=all,maybe=none,notfound=disabled
|
||||
#
|
||||
# kernel command line option: ci.di.policy=<policy>
|
||||
# example line in /etc/cloud/ds-identify.cfg:
|
||||
@@ -40,7 +40,7 @@
|
||||
# first: use the first found do no further checking
|
||||
# all: enable all DS_FOUND
|
||||
#
|
||||
-# maybe: (default=all)
|
||||
+# maybe: (default=none)
|
||||
# if nothing returned 'found', then how to handle maybe.
|
||||
# no network sources are allowed to return 'maybe'.
|
||||
# all: enable all DS_MAYBE
|
||||
@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
|
||||
|
||||
DI_BLKID_EXPORT_OUT=""
|
||||
DI_GEOM_LABEL_STATUS_OUT=""
|
||||
-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
|
||||
-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
|
||||
+DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
|
||||
+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
|
||||
DI_DMI_BOARD_NAME=""
|
||||
DI_DMI_CHASSIS_ASSET_TAG=""
|
||||
DI_DMI_PRODUCT_NAME=""
|
||||
--
|
||||
2.39.3
|
||||
|
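Review bot: The test method name `test_openstack_on_non_intel_is_maybe` and the inline comment `# updating the uname to ppc64 though should get a maybe.` are now out of step with the assertion beneath them, which expects RC_NOT_FOUND and "No ds found"; the docstring was changed to say "none", but anyone scanning the test list will still read the name as meaning the maybe path is accepted. The ds-identify check itself still reports maybe (the `returned maybe` assertion is kept), so the comment should say where the outcome changes: `# ppc64 uname still makes the OpenStack check return maybe, but the default maybe=none policy no longer selects it, so no datasource is found.` Renaming the test to something like `test_openstack_on_non_intel_is_not_found` would match the new behaviour, though keeping parity with the upstream name may be preferable for later cherry-picks; the test body begins in the earlier `@@ -574` hunk and is only partly visible here. Note also that after this patch alone `DI_DEFAULT_POLICY_NO_DMI` still ends in notfound=enabled, which is the path the second patch in this compare closes.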
@ -0,0 +1,89 @@
|
||||
From e095bbfa939a9ec61d4448a6f16370dd656dd30a Mon Sep 17 00:00:00 2001
|
||||
From: Chad Smith <chad.smith@canonical.com>
|
||||
Date: Tue, 24 Jun 2025 09:12:52 -0600
|
||||
Subject: [PATCH 2/2] fix: strict disable in ds-identify on no datasources
|
||||
found
|
||||
|
||||
RH-Author: Ani Sinha <anisinha@redhat.com>
|
||||
RH-MergeRequest: 163: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
|
||||
RH-Jira: RHEL-100606
|
||||
RH-Acked-by: xiachen <xiachen@redhat.com>
|
||||
RH-Commit: [2/2] 01f55ab3c476a47ca2f2d2ace4b81b9a8a17e5d9
|
||||
|
||||
Take the CVE-2024-6174 strict detection fix one step further.
|
||||
|
||||
Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery.
|
||||
But, if no datasources are met the DS_FOUND conditions, ds-identify was
|
||||
still leaving cloud-init enabled. This resulted in cloud-init python
|
||||
code attempting to discover all datasources later in boot based on
|
||||
the default datasource_list.
|
||||
|
||||
ds-identify will now assert that at least one datasource is found. If
|
||||
no datasources, ds-identify will exit 1 which disables cloud-init boot
|
||||
stages and results in no boot configuration operations from cloud-init.
|
||||
|
||||
OpenStack images which cannot identify a valid datasource with DMI-data
|
||||
or kernel command line ci.ds=OpenStack parameter will need to either:
|
||||
- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set
|
||||
datasource_list: [ OpenStack ]
|
||||
- provide --config-drive true to openstack server create
|
||||
- attach a nocloud disk labelled CIDATA containing user-data and
|
||||
meta-data files
|
||||
|
||||
CVE-2024-6174
|
||||
LP: #2069607
|
||||
|
||||
(cherry picked from commit e3f42adc2674a38fb29e414cfbf96f884934b2d2)
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
---
|
||||
tests/unittests/test_ds_identify.py | 6 ++++--
|
||||
tools/ds-identify | 2 +-
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
|
||||
index c4f0115a8..3c8976167 100644
|
||||
--- a/tests/unittests/test_ds_identify.py
|
||||
+++ b/tests/unittests/test_ds_identify.py
|
||||
@@ -60,7 +60,7 @@ BLKID_UEFI_UBUNTU = [
|
||||
POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
|
||||
POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
|
||||
DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
|
||||
-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
|
||||
+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled"
|
||||
DI_EC2_STRICT_ID_DEFAULT = "true"
|
||||
OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
|
||||
|
||||
@@ -584,7 +584,7 @@ class TestDsIdentify(DsIdentifyBase):
|
||||
data.update(
|
||||
{
|
||||
"policy_dmi": POLICY_FOUND_OR_MAYBE,
|
||||
- "policy_no_dmi": POLICY_FOUND_OR_MAYBE,
|
||||
+ "policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI,
|
||||
}
|
||||
)
|
||||
|
||||
@@ -597,6 +597,8 @@ class TestDsIdentify(DsIdentifyBase):
|
||||
(_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
|
||||
self.assertIn("check for 'OpenStack' returned maybe", err)
|
||||
self.assertIn("No ds found", err)
|
||||
+ self.assertIn("Disabled cloud-init", err)
|
||||
+ self.assertIn("returning 1", err)
|
||||
|
||||
def test_default_ovf_is_found(self):
|
||||
"""OVF is identified found when ovf/ovf-env.xml seed file exists."""
|
||||
diff --git a/tools/ds-identify b/tools/ds-identify
|
||||
index 87b320f56..a293ecf3e 100755
|
||||
--- a/tools/ds-identify
|
||||
+++ b/tools/ds-identify
|
||||
@@ -95,7 +95,7 @@ DI_MAIN=${DI_MAIN:-main}
|
||||
DI_BLKID_EXPORT_OUT=""
|
||||
DI_GEOM_LABEL_STATUS_OUT=""
|
||||
DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
|
||||
-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
|
||||
+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}"
|
||||
DI_DMI_BOARD_NAME=""
|
||||
DI_DMI_CHASSIS_ASSET_TAG=""
|
||||
DI_DMI_PRODUCT_NAME=""
|
||||
--
|
||||
2.39.3
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: cloud-init
|
||||
Version: 23.4
|
||||
Release: 7%{?dist}.9
|
||||
Release: 7%{?dist}.10
|
||||
Summary: Cloud instance init scripts
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -61,6 +61,10 @@ Patch32: ci-fix-Add-subnet-ipv4-ipv6-to-network-schema-5191.patch
|
||||
Patch33: ci-fix-rh_subscription-add-string-type-to-org-5453.patch
|
||||
# For RHEL-81169 - Cloud-init fails to subscribe system if activation key 'org' is not an integer [rhel-8.10.z]
|
||||
Patch34: ci-fix-python3.13-Fix-import-error-for-passlib-on-Pytho.patch
|
||||
# For RHEL-100606 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z]
|
||||
Patch35: ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
|
||||
# For RHEL-100606 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z]
|
||||
Patch36: ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -276,6 +280,12 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
|
||||
|
||||
%changelog
|
||||
* Mon Jul 14 2025 Miroslav Rezanina <mrezanin@redhat.com> - 23.4-7.el8.10
|
||||
- ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100606]
|
||||
- ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100606]
|
||||
- Resolves: RHEL-100606
|
||||
(CVE-2024-6174 cloud-init: From CVEorg collector [rhel-8.10.z])
|
||||
|
||||
* Mon Mar 10 2025 Jon Maloy <jmaloy@redhat.com> - 23.4-7.el8.9
|
||||
- ci-fix-rh_subscription-add-string-type-to-org-5453.patch [RHEL-81169]
|
||||
- ci-fix-python3.13-Fix-import-error-for-passlib-on-Pytho.patch [RHEL-81169]
|
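--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+- rhel-8
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: 3rd-azure-ci.brew-build.tier1.functional}
+- !PassingTestCaseRule {test_case_name: 3rd-esxi-x86_64.brew-build.tier1.functional}
+- !PassingTestCaseRule {test_case_name: s1-aws-ci.brew-build.tier1.functional}
+- !PassingTestCaseRule {test_case_name: 3rd-openstack-cloudinit-ci.brew-build.tier1.functional}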