XPost: linux.debian.devel.release
This is a multi-part MIME message sent by reportbug.
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:cloud-init
User: [email protected]
Usertags: unblock
Please unblock package cloud-init
(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)
[ Reason ]
This update pulls in the latest upstream patch release to 25.1. The primary
rationale for pulling this into trixie is fixes for two CVEs:
- CVE-2024-6174 - When a non-x86 platform is detected, cloud-init grants
root access to a hardcoded url with a local IP address. To prevent this,
cloud-init default configurations disable platform enumeration.
- CVE-2024-11584 - cloud-init through 25.1.2 includes the systemd socket
unit cloud-init-hotplugd.socket with default SocketMode that grants 0666
permissions, making it world-writable. This is used for the
"/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could
trigger hotplug-hook commands.
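As an added example (not code from this unblock request or from the cloud-init
package), a small POSIX shell check for the condition described under
CVE-2024-11584: when a systemd .socket unit omits SocketMode=, systemd applies
its default of 0666, so the FIFO it creates with ListenFIFO= is world-writable.
The unit texts and the function names (effective_socket_mode,
mode_is_world_writable, classify_socket_unit, check_live_fifo) are constructed
here; the FIFO path is the one quoted in the report above, and the "fixed"
variant assumes the upstream change is the addition of SocketMode=0600, which is
an assumption rather than something quoted from the patch.

```shell
#!/bin/sh
# Added example, not code from cloud-init or from this bug report.
# Checks a systemd .socket unit for a world-writable SocketMode.  When
# SocketMode= is omitted systemd uses 0666, which is the CVE-2024-11584
# condition for cloud-init-hotplugd.socket.  Unit texts below are
# constructed for the example; the "fixed" variant assumes the upstream
# change is the addition of SocketMode=0600.

# Read a unit file on stdin and print its effective SocketMode.
# The last SocketMode= wins, as in systemd; absent means the 0666 default.
effective_socket_mode() {
    _mode=$(sed -n 's/^[[:space:]]*SocketMode=[[:space:]]*//p' | tail -n 1)
    printf '%s\n' "${_mode:-0666}"
}

# Succeed (exit 0) if an octal mode grants write permission to "other",
# i.e. the last octal digit has the 2 bit set.
mode_is_world_writable() {
    _other=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    case "$_other" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Classify the text of a .socket unit: "WORLD_WRITABLE (...)" or "OK (...)".
classify_socket_unit() {
    _m=$(printf '%s\n' "$1" | effective_socket_mode)
    if mode_is_world_writable "$_m"; then
        printf 'WORLD_WRITABLE (SocketMode=%s)\n' "$_m"
    else
        printf 'OK (SocketMode=%s)\n' "$_m"
    fi
}

# Check a FIFO on a live system (needs GNU stat). Prints MISSING if there is
# no FIFO at the path, e.g. because hotplug is not enabled on the host.
check_live_fifo() {
    [ -p "$1" ] || { printf 'MISSING\n'; return 0; }
    _m=$(stat -c '%a' "$1")
    if mode_is_world_writable "$_m"; then
        printf 'WORLD_WRITABLE (mode %s)\n' "$_m"
    else
        printf 'OK (mode %s)\n' "$_m"
    fi
}

# Constructed unit text; path taken from the report above. No SocketMode=,
# so systemd's 0666 default applies.
WEAK_UNIT='[Unit]
Description=cloud-init hotplug hook socket (constructed example)

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd
'

# Same unit with the assumed fix appended.
FIXED_UNIT="${WEAK_UNIT}SocketMode=0600
"

classify_socket_unit "$WEAK_UNIT"    # WORLD_WRITABLE (SocketMode=0666)
classify_socket_unit "$FIXED_UNIT"   # OK (SocketMode=0600)
check_live_fifo /run/cloud-init/hook-hotplug-cmd
```

On a trixie host the same check can be pointed at the installed unit with
`systemctl cat cloud-init-hotplugd.socket | effective_socket_mode`; the live
FIFO check only says something useful while the socket unit is active.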
The complete upstream changelog from 25.1.1 (currently in trixie) is:
25.1.4
- fix: disable cloud-init when non-x86 environments have no DMI-data and
no strict datasources detected (LP: #2069607) (CVE-2024-6174)
25.1.3
- docs: provide example3 for PAM and ssh_pwauth behavior (#27)
- fix: Make hotplug socket writable only by root (#25) (CVE-2024-11584)
- fix: Don't attempt to identify non-x86 OpenStack instances (LP: #2069607)
(CVE-2024-6174)
25.1.2
- fix: ensure MAAS datasource retries on failure (#6167)
[ Impact ]
Exposure to two security risks. Although NVD rates CVE-2024-6174 as high
severity, with an 8.8 CVSSv3 score, I don't agree with this assessment and
would rate both CVEs as moderate in severity. Nevertheless, we should get
the fixes into trixie and I expect that we'll want to update bookworm to
address CVE-2024-6174 as well.
[ Tests ]
Upstream's automated test suite. The changes have also been validated using
repro steps for CVE-2024-6174 in upstream's bug tracker
(https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607)
[ Risks ]
The fix to CVE-2024-6174 does introduce a behavior change, which is the
highest source of risk. However, because the behavior change is limited to
uncommon scenarios (non-x86 architectures relying on a network-based instance
metadata service in OpenStack, or non-cloud standalone VMs), it's been deemed
acceptable by upstream. The cloud team concurs with this conclusion.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock cloud-init/25.1.4-1
diff -Nru cloud-init-25.1.1/ChangeLog cloud-init-25.1.4/ChangeLog
--- cloud-init-25.1.1/ChangeLog 2025-03-24 13:18:23.000000000 -0400
+++ cloud-init-25.1.4/ChangeLog 2025-06-24 16:50:00.000000000 -0400
@@ -1,3 +1,16 @@
+25.1.4
+- fix: disable cloud-init when non-x86 environments have no DMI-data and
+ no strict datasources detected (LP: #2069607) (CVE-2024-6174)
+
+25.1.3
+ - docs: provide example3 for PAM and ssh_pwauth behavior (#27)
+ - fix: Make hotplug socket writable only by root (#25) (CVE-2024-11584)
+ - fix: Don't attempt to identify non-x86 OpenStack instances (LP: #2069607)
+ (CVE-2024-6174)
+
+25.1.2
+ - fix: ensure MAAS datasource retries on failure (#6167)
+
25.1.1
- test: pytestify cc_chef tests, add migration test
- chef: migrate files in old config directories for backups and cache
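Review bot: the new 25.1.4 entry at the top of this hunk is indented differently from every other entry in the file: "+- fix: disable cloud-init when non-x86 environments have no DMI-data and" and its continuation "+ no strict datasources detected ..." start at column 0, while the 25.1.3 and 25.1.2 entries added below it, and the existing 25.1.1 entry in the context lines, use a one-space indent (" - docs: provide example3 ..."). Since this is upstream's ChangeLog as shipped in the 25.1.4 tarball it is not something to patch in Debian, but it is worth reporting upstream so that the file stays consistent; the entry should read " - fix: disable cloud-init when non-x86 environments have no DMI-data and" with the continuation line indented to match the other multi-line entries.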
diff -Nru cloud-init-25.1.1/cloudinit/cmd/devel/logs.py cloud-init-25.1.4/cloudinit/cmd/devel/logs.py
--- cloud-init-25.1.1/cloudinit/cmd/devel/logs.py 2025-03-24 13:18:23.000000000 -0400
+++ cloud-init-25.1.4/cloudinit/cmd/devel/logs.py 2025-06-24 16