• Bug#1109127: bookworm-pu: package cloud-init/22.4.2-1+deb12u3

    From Noah Meyerhans@21:1/5 to All on Fri Jul 11 22:50:01 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:cloud-init
    User: [email protected]
    Usertags: pu

    [ Reason ]

    The cloud team would like to publish an update to cloud-init in the next bookworm point release. It is needed in order to address two CVEs that
    aren't worth DSAs on their own.

    These changes have been addressed in sid (and approved for trixie) in
    version 25.1.4-1.

    [ Impact ]

    Bookworm users may be exposed to the following CVEs:

    - CVE-2024-6174: When in an environment that doesn't expose cloud
    information via DMI table values, cloud-init grants root access to a
    hardcoded url with a local IP address. Cloud-init itself and common cloud
    environments include protections against abuse of this address, so the
    exposure primarily impacts VMs launched directly with e.g. qemu. (Bug
    #1108403)

    - CVE-2024-11584: cloud-init includes the systemd socket unit
    cloud-init-hotplugd.socket with default SocketMode that grants 0666
    permissions, making it world-writable. This is used for the
    "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could
    trigger hotplug-hook commands. (Bug #1108402)

    [ Tests ]

    The changes are covered by upstream's test suite, and have been manually validated on cloud VMs and local qemu VMs.

    [ Risks ]

The fix for CVE-2024-6174 introduces a behavior change in certain rare configurations involving architectures that don't expose VM details in DMI.
The primary risk is to riscv64 VMs, and since riscv64 isn't supported by bookworm and is not widely deployed in cloud environments, we consider this unlikely to impact users.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    diff -Nru cloud-init-22.4.2/debian/changelog cloud-init-22.4.2/debian/changelog --- cloud-init-22.4.2/debian/changelog 2024-09-17 11:08:48.000000000 -0400
    +++ cloud-init-22.4.2/debian/changelog 2025-07-10 15:07:51.000000000 -0400
    @@ -1,3 +1,11 @@
    +cloud-init (22.4.2-1+deb12u3) bookworm; urgency=medium
    +
    + * Import upstream fix for CVE-2024-6174 (Closes: #1108403)
    + * salsa-ci: build in bookworm
    + * Backport upstream fix for CVE-2024-11584 (Closes: #1108402)
    +
    + -- Noah Meyerhans <[email protected]> Thu, 10 Jul 2025 15:07:51 -0400
    +
    cloud-init (22.4.2-1+deb12u2) bookworm; urgency=medium

    * networkd: Add support for multiple [Route] sections (Closes: #1052535) diff -Nru cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch
    --- cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch 1969-12-31 19:00:00.000000000 -0500
    +++ cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch 2025-07-10 15:07:51.000000000 -0400
    @@ -0,0 +1,93 @@
    +From 6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3 Mon Sep 17 00:00:00 2001
    +From: James Fal
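Review bot: the changelog entry `+ * Import upstream fix for CVE-2024-6174 (Closes: #1108403)` should also record the behaviour change described under [ Risks ] (detection is no longer attempted on architectures that don't expose VM details in DMI), since the changelog is what an upgrading administrator reads; the acceptance message for this upload phrases it as "don't attempt to identify non-x86 OpenStack instances", and a similar wording here would suffice.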
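To make the CVE-2024-11584 description above concrete from the defender's side, here is an added example (not code from the bug report, the debdiff, or cloud-init itself) that puts the weak socket unit setting beside the corrected one and audits both: it extracts the effective `SocketMode=` from a unit's text, applying systemd's documented default of 0666 when the key is absent, and checks an on-disk FIFO for the "other" write bit. The two unit texts are constructed samples; the real `cloud-init-hotplugd.socket` content is not reproduced, and it is an assumption that the unit uses `ListenFIFO=` for `/run/cloud-init/hook-hotplug-cmd`.

```shell
#!/bin/sh
# Added example, not part of the bug report or of cloud-init itself: audit a
# systemd .socket unit for a world-writable SocketMode, and check the mode of
# the FIFO it would create. The unit texts are constructed samples; the real
# cloud-init-hotplugd.socket is not reproduced here (assumption: it uses
# ListenFIFO= for /run/cloud-init/hook-hotplug-cmd, as the CVE text implies).

WEAK_UNIT='[Unit]
Description=constructed sample: hotplug hook socket, world-writable

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd
SocketMode=0666
'

FIXED_UNIT='[Unit]
Description=constructed sample: hotplug hook socket, root-only

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd
SocketMode=0600
'

# socket_mode_of UNIT_TEXT: print the effective SocketMode= value. The last
# assignment wins; an absent key means systemd's documented default, 0666.
socket_mode_of() {
    mode=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)
    [ -n "$mode" ] || mode=0666
    printf '%s\n' "$mode"
}

# mode_is_world_writable MODE: succeed when the "other" write bit (2) is set
# in the last octal digit of MODE (0666, 666 and 0622 all match; 0644 does not).
mode_is_world_writable() {
    last=${1#"${1%?}"}           # last character of the mode string
    case "$last" in [0-7]) ;; *) return 2 ;; esac
    [ $(( last & 2 )) -ne 0 ]
}

# unit_is_world_writable UNIT_TEXT: succeed when the unit would create a
# socket or FIFO that any local user can write to.
unit_is_world_writable() {
    mode_is_world_writable "$(socket_mode_of "$1")"
}

# fifo_is_world_writable PATH: succeed when PATH exists and others may write it.
# find -perm -o=w tests the permission bit itself, independent of umask.
fifo_is_world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -o=w 2>/dev/null)" ]
}

# demo_fifo_check: create a temporary FIFO, confirm that mode 0666 is flagged
# and mode 0600 is not, then clean up. Succeeds only when both hold.
demo_fifo_check() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/hook-hotplug-cmd"
    mkfifo "$fifo" || { rm -rf "$dir"; return 1; }
    chmod 0666 "$fifo"
    if fifo_is_world_writable "$fifo"; then weak_flagged=1; else weak_flagged=0; fi
    chmod 0600 "$fifo"
    if fifo_is_world_writable "$fifo"; then fixed_flagged=1; else fixed_flagged=0; fi
    rm -rf "$dir"
    [ "$weak_flagged" -eq 1 ] && [ "$fixed_flagged" -eq 0 ]
}

# Summary for the two constructed units.
for unit in WEAK FIXED; do
    eval "text=\$${unit}_UNIT"
    if unit_is_world_writable "$text"; then verdict="WORLD-WRITABLE"; else verdict="ok"; fi
    printf '%-5s unit: SocketMode=%s -> %s\n' "$unit" "$(socket_mode_of "$text")" "$verdict"
done
```

On a running system the same two checks apply to the installed unit (`systemctl cat cloud-init-hotplugd.socket` shows its text) and to the live FIFO path named in the CVE description; a unit with no `SocketMode=` line at all is reported as 0666, which is why an explicit restrictive mode, not merely the absence of a permissive one, is the fix.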
    From Jonathan Wiltshire@21:1/5 to All on Sat Jul 12 11:30:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1109127 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: cloud-init
    Version: 22.4.2-1+deb12u3

    Explanation: make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)