Version in base suite: 22.4.2-1+deb12u2
Base version: cloud-init_22.4.2-1+deb12u2
Target version: cloud-init_22.4.2-1+deb12u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cloud-init/cloud-init_22.4.2-1+deb12u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cloud-init/cloud-init_22.4.2-1+deb12u3.dsc
 changelog | 8 +++
 patches/CVE-2024-11584.patch | 93 ++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2024-6174.patch | 99 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 2
 salsa-ci.yml | 2
 5 files changed, 204 insertions(+)
diff -Nru cloud-init-22.4.2/debian/changelog cloud-init-22.4.2/debian/changelog
--- cloud-init-22.4.2/debian/changelog 2024-09-17 15:08:48.000000000 +0000
+++ cloud-init-22.4.2/debian/changelog 2025-07-10 19:07:51.000000000 +0000
@@ -1,3 +1,11 @@
+cloud-init (22.4.2-1+deb12u3) bookworm; urgency=medium
+
+ * Import upstream fix for CVE-2024-6174 (Closes: #1108403)
+ * salsa-ci: build in bookworm
+ * Backport upstream fix for CVE-2024-11584 (Closes: #1108402)
+
+ -- Noah Meyerhans Thu, 10 Jul 2025 15:07:51 -0400
+
 cloud-init (22.4.2-1+deb12u2) bookworm; urgency=medium
 * networkd: Add support for multiple [Route] sections (Closes: #1052535)
diff -Nru cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch
--- cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch 1970-01-01 00:00:00.000000000 +0000
+++ cloud-init-22.4.2/debian/patches/CVE-2024-11584.patch 2025-07-10 19:07:51.000000000 +0000
@@ -0,0 +1,93 @@
+From 6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3 Mon Sep 17 00:00:00 2001
+From: James Falcon
+Date: Wed, 11 Jun 2025 16:22:32 -0500
+Subject: [PATCH] fix: Make hotplug socket writable only by root (#25)
+
+The 'hook-hotplug-cmd' was writable by all users, allowing any user
+to trigger the hotplug hook script. This script should only be run
+by root via a udev trigger.
+
+Also move socket into 'share' directory and update references
+accordingly. Since the 'share' directory is only readable by root,
+this adds another layer of security while also being in a consistent
+location with the other sockets used by cloud-init.
+
+CVE-2024-11584
+
+[backported to 22.4.2 by noahm@debian.org]
+
+---
+ cloudinit/cmd/devel/logs.py | 2 +-
+ systemd/cloud-init-hotplugd.service | 2 +-
+ systemd/cloud-init-hotplugd.socket | 5 +++--
+ tools/cloud-init-hotplugd | 2 +-
+ tools/hook-hotplug | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+Origin: upstream, https://github.com/canonical/cloud-init/commit/6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3.patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108402
+Index: cloud-init/cloudinit/cmd/devel/logs.py
+===================================================================
+--- cloud-init.orig/cloudinit/cmd/devel/logs.py
++++ cloud-init/cloudinit/cmd/devel/logs.py
+@@ -132,9 +132,7 @@ def get_parser(parser=None):
+
+ def _copytree_rundir_ignore_files(curdir, files):
+ """Return a list of files to ignore for /run/cloud-init directory"""
+- ignored_files = [
+- "hook-hotplug-cmd", # named pipe for hotplug
+- ]
++ ignored_files = []
+ if os.getuid() != 0:
+ # Ignore root-permissioned files
+ ignored_files.append(Paths({}).lookups["instance_data_sensitive"])
+Index: cloud-init/systemd/cloud-init-hotplugd.service
+===================================================================
+--- cloud-init.orig/systemd/cloud-init-hotplugd.service
++++ cloud-init/systemd/cloud-init-hotplugd.service
+@@ -1,6 +1,7 @@
+ # Paired with cloud-init-hotplugd.socket to read from the FIFO
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+
+ # On start, read args from the FIFO, process and provide structured arguments
+ # to `cloud-init devel hotplug-hook` which will setup or teardown network
+Index: cloud-init/systemd/cloud-init-hotplugd.socket
+===================================================================
+--- cloud-init.orig/systemd/cloud-init-hotplugd.socket
++++ cloud-init/systemd/cloud-init-hotplugd.socket
+@@ -1,13 +1,15 @@
+ # cloud-init-hotplugd.socket listens on the FIFO file
+-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network
+-# add or remove event as processed by 10-cloud-init-hook-hotplug.rules.
++# /run/cloud-init/share/hook-hotplug-cmd which is created during a
++# udev network add or remove event as processed by
++# 10-cloud-init-hook-hotplug.rules.
+
+ # Known bug with an enforcing SELinux policy: LP: #1936229
+ [Unit]
+ Description=cloud-init hotplug hook socket
+
+ [Socket]
+-ListenFIFO=/run/cloud-init/hook-hotplug-cmd
++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd
++SocketMode=0600
+
+ [Install]
+ WantedBy=cloud-init.target
+Index: cloud-init/tools/hook-hotplug
+===================================================================
+--- cloud-init.orig/tools/hook-hotplug
++++ cloud-init/tools/hook-hotplug
+@@ -10,7 +10,7 @@ is_finished() {
+
+ if is_finished; then
+ # open cloud-init's hotplug-hook fifo rw
+- exec 3<>/run/cloud-init/hook-hotplug-cmd
++ exec 3<>/run/cloud-init/share/hook-hotplug-cmd
+ env_params=(
+ --subsystem="${SUBSYSTEM}"
+ handle
diff -Nru cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch
--- cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch 1970-01-01 00:00:00.000000000 +0000
+++ cloud-init-22.4.2/debian/patches/CVE-2024-6174.patch 2025-07-10 19:07:51.000000000 +0000
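Review bot: The hardening in this backport rests on `SocketMode=0600` alone, because nothing in the patch creates `/run/cloud-init/share` with the root-only permissions the upstream message relies on; in 22.4.2 that directory is not otherwise provisioned as far as I can see, and when systemd creates the parent of a `ListenFIFO=` path it uses `DirectoryMode=`, whose default is 0755. Adding `DirectoryMode=0700` under `[Socket]` in cloud-init-hotplugd.socket would restore the second layer the message describes. Separately, the inner diffstat lists `tools/cloud-init-hotplugd | 2 +-` but the backport carries no Index section for it; if the 22.4.2 tree ships that script with the old `/run/cloud-init/hook-hotplug-cmd` path, it still points at the world-writable location, so please confirm it is absent or does not reference the FIFO. The `_copytree_rundir_ignore_files` hunk is consistent with the move (the FIFO now lives under a path already skipped for non-root), but a one-line comment such as `# hook-hotplug-cmd moved to share/, which is root-only` would keep the intent of the emptied list readable.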
@@ -0,0 +1,99 @@
+From: Brett Holman
+Date: Thu, 22 Aug 2024 16:54:53 -0600
+Subject: [PATCH] fix: Don't attempt to identify non-x86 OpenStack instances
+
+This causes cloud-init to attempt to reach out to the OpenStack Nova
+datasource in non-Nova deployments on non-x86 architectures.
+
+Change default policy of ds-identify to disallow discovery of datasources
+without strict identifiable artifacts in either kernel cmdline, DMI
+platform information or system configuration files. This prevents
+cloud-init from attempting to reach out to well-known hard-codded link-local
+IP addresses for configuration information unless the platform strictly
+identifies as a specific datasource.
+
+CVE-2024-6174
+LP: #2069607
+BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
+ may wish to use ConfigDrive as a workaround.
+---
+ doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++
+ tests/unittests/test_ds_identify.py | 13 ++++---
+ tools/ds-identify | 8 ++---
+ 3 files changed, 59 insertions(+), 11 deletions(-)
+
+Origin: upstream, https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1.patch
+Bug: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108403
+Index: cloud-init/tests/unittests/test_ds_identify.py
+===================================================================
+--- cloud-init.orig/tests/unittests/test_ds_identify.py
++++ cloud-init/tests/unittests/test_ds_identify.py
+@@ -58,9 +58,9 @@ BLKID_UEFI_UBUNTU = [
+
+
+ POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
+-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
+-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+ DI_EC2_STRICT_ID_DEFAULT = "true"
+ OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
+
+@@ -570,7 +570,7 @@ class TestDsIdentify(DsIdentifyBase):
+ self._test_ds_found("OpenStack-AssetTag-Compute")
+
+ def test_openstack_on_non_intel_is_maybe(self):
+- """On non-Intel, openstack without dmi info is maybe.
++ """On non-Intel, openstack without dmi info is none.
+
+ nova does not identify itself on platforms other than intel.
+ https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
+@@ -590,10 +590,9 @@ class TestDsIdentify(DsIdentifyBase):
+
+ # updating the uname to ppc64 though should get a maybe.
+ data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
+- (_, _, err, _, _) = self._check_via_dict(
+- data, RC_FOUND, dslist=["OpenStack", "None"]
+- )
++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
+ self.assertIn("check for 'OpenStack' returned maybe", err)
++ self.assertIn("No ds found", err)
+
+ def test_default_ovf_is_found(self):
+ """OVF is identified found when ovf/ovf-env.xml seed file exists."""
+Index: cloud-init/tools/ds-identify
+===================================================================
+--- cloud-init.orig/tools/ds-identify
++++ cloud-init/tools/ds-identify
+@@ -14,7 +14,7 @@
+ # The format is:
+ # ,found=value,maybe=value,notfound=value
+ # default setting is:
+-# search,found=all,maybe=all,notfound=disabled
++# search,found=all,maybe=none,notfound=disabled
+ #
+ # kernel command line option: ci.di.policy=
+ # example line in /etc/cloud/ds-identify.cfg:
+@@ -40,7 +40,7 @@
+ # first: use the first found do no further checking
+ # all: enable all DS_FOUND
+ #
+-# maybe: (default=all)
++# maybe: (default=none)
+ # if nothing returned 'found', then how to handle maybe.
+ # no network sources are allowed to return 'maybe'.
+ # all: enable all DS_MAYBE
+@@ -94,8 +94,8 @@ DI_MAIN=${DI_MAIN:-main}
+
+ DI_BLKID_EXPORT_OUT=""
+ DI_GEOM_LABEL_STATUS_OUT=""
+-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
+-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+ DI_DMI_BOARD_NAME=""
+ DI_DMI_CHASSIS_ASSET_TAG=""
+ DI_DMI_PRODUCT_NAME=""
diff -Nru cloud-init-22.4.2/debian/patches/series cloud-init-22.4.2/debian/patches/series
--- cloud-init-22.4.2/debian/patches/series 2024-09-17 15:08:48.000000000 +0000
+++ cloud-init-22.4.2/debian/patches/series 2025-07-10 19:07:51.000000000 +0000
@@ -4,3 +4,5 @@
 0012-Fix-message-when-a-local-is-missing.patch
 0001-config-Support-APT-automated-mirror-selection.patch
 networkd_Add_support_for_multiple_Route_sections.patch
+CVE-2024-6174.patch
+CVE-2024-11584.patch
diff -Nru cloud-init-22.4.2/debian/salsa-ci.yml cloud-init-22.4.2/debian/salsa-ci.yml
--- cloud-init-22.4.2/debian/salsa-ci.yml 2024-09-12 19:55:08.000000000 +0000
+++ cloud-init-22.4.2/debian/salsa-ci.yml 2025-07-10 19:07:51.000000000 +0000
@@ -4,3 +4,5 @@
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 reprotest:
 allow_failure: true
+variables:
+ RELEASE: 'bookworm'
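Review bot: The upstream header marks this as a BREAKING_CHANGE (non-x86 OpenStack Nova guests without DMI identification are no longer discovered and should switch to ConfigDrive), yet the backport drops upstream's `doc/rtd/reference/breaking_changes.rst` hunk that the inner diffstat still lists, and the changelog entry says only "Import upstream fix for CVE-2024-6174", so a bookworm user whose instance loses its datasource after the update has no signal explaining why. A `debian/NEWS` entry, or at least a changelog line naming the ConfigDrive workaround, would make the stable-update behaviour change discoverable; the default `maybe=none` in `DI_DEFAULT_POLICY` is also worth stating there since it is the user-visible knob. In the test hunk the comment `# updating the uname to ppc64 though should get a maybe.` is now only half true because the assertion expects `RC_NOT_FOUND`; suggest `# ppc64 still yields 'maybe', which the default maybe=none policy no longer enables.`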