Merge pull request #5801 from microsoft/sammeluch/1.0-release-fix

Merge cloud-init fix into 1.0 branch

Author: jslobodzian

SPECS/cloud-init/CVE-2022-2084.patch

@@ -0,0 +1,149 @@
+diff -ruN a/cloudinit/config/schema.py b/cloudinit/config/schema.py
+--- a/cloudinit/config/schema.py	2021-11-02 12:35:08.000000000 -0700
++++ b/cloudinit/config/schema.py	2023-06-28 13:10:31.476935314 -0700
+@@ -14,6 +14,8 @@
+ import sys
+ import yaml
+
++
++LOG = logging.getLogger(__name__)
+ _YAML_MAP = {True: 'true', False: 'false', None: 'null'}
+ SCHEMA_UNDEFINED = b'UNDEFINED'
+ CLOUD_CONFIG_HEADER = b'#cloud-config'
+@@ -72,7 +74,7 @@
+             isinstance(instance, (bytes,)))
+
+
+-def validate_cloudconfig_schema(config, schema, strict=False):
++def validate_cloudconfig_schema(config, schema, strict=False, log_details: bool = True,):
+     """Validate provided config meets the schema definition.
+
+     @param config: Dict of cloud configuration settings validated against
+@@ -81,6 +83,9 @@
+        for the cloud config module (config.cc_*).
+     @param strict: Boolean, when True raise SchemaValidationErrors instead of
+        logging warnings.
++    @param log_details: Boolean, when True logs details of validation errors.
++       If there are concerns about logging sensitive userdata, this should
++       be set to False.
+
+     @raises: SchemaValidationError when provided config does not validate
+         against the provided schema.
+@@ -118,11 +123,17 @@
+         errors += ((path, error.message),)
+     if errors:
+         if strict:
++            # This could output/log sensitive data
+             raise SchemaValidationError(errors)
++        if log_details:
++            messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
++            details = "\n" + "\n".join(messages)
+         else:
+-            messages = ['{0}: {1}'.format(k, msg) for k, msg in errors]
+-            logging.warning('Invalid config:\n%s', '\n'.join(messages))
+-
++            details = (
++                "Please run 'sudo cloud-init schema --system' to "
++                "see the schema errors."
++            )
++        LOG.warning("Invalid cloud-config provided: %s", details)
+
+ def annotated_cloudconfig_file(cloudconfig, original_content, schema_errors):
+     """Return contents of the cloud-config file annotated with schema errors.
+Binary files a/cloudinit/__pycache__/__init__.cpython-36.pyc and b/cloudinit/__pycache__/__init__.cpython-36.pyc differ
+Binary files a/cloudinit/__pycache__/version.cpython-36.pyc and b/cloudinit/__pycache__/version.cpython-36.pyc differ
+diff -ruN a/tests/integration_tests/modules/test_cli.py b/tests/integration_tests/modules/test_cli.py
+--- a/tests/integration_tests/modules/test_cli.py	2021-11-02 12:35:08.000000000 -0700
++++ b/tests/integration_tests/modules/test_cli.py	2023-06-28 21:13:45.841309945 -0700
+@@ -20,6 +20,20 @@
+ """
+
+
++# The '-' in 'hashed-password' fails schema validation
++INVALID_USER_DATA_SCHEMA = """\
++#cloud-config
++users:
++  - default
++  - name: newsuper
++    gecos: Big Stuff
++    groups: users, admin
++    sudo: ALL=(ALL) NOPASSWD:ALL
++    hashed-password: asdfasdf
++    shell: /bin/bash
++    lock_passwd: true
++"""
++
+ @pytest.mark.sru_2020_11
+ @pytest.mark.user_data(VALID_USER_DATA)
+ def test_valid_userdata(client: IntegrationInstance):
+@@ -43,3 +57,25 @@
+     assert not result.ok
+     assert 'Cloud config schema errors' in result.stderr
+     assert 'needs to begin with "#cloud-config"' in result.stderr
++
++
++@pytest.mark.user_data(INVALID_USER_DATA_SCHEMA)
++def test_invalid_userdata_schema(client: IntegrationInstance):
++    """Test invalid schema represented as Warnings, not fatal
++    PR #1175
++    """
++    result = client.execute("cloud-init status --long")
++    assert result.ok
++    log = client.read_from_file("/var/log/cloud-init.log")
++    warning = (
++        "[WARNING]: Invalid cloud-config provided: Please run "
++        "'sudo cloud-init schema --system' to see the schema errors."
++    )
++    assert warning in log
++    assert "asdfasdf" not in log
++
++    result = client.execute("cloud-init status --long")
++    if not result.ok:
++        raise AssertionError(
++            f"Unexpected error from cloud-init status: {result}"
++        )
+\ No newline at end of file
+diff -ruN a/tests/unittests/test_handler/test_schema.py b/tests/unittests/test_handler/test_schema.py
+--- a/tests/unittests/test_handler/test_schema.py	2021-11-02 12:35:08.000000000 -0700
++++ b/tests/unittests/test_handler/test_schema.py	2023-06-28 21:17:02.071767654 -0700
+@@ -11,6 +11,7 @@
+ from copy import copy
+ import itertools
+ import pytest
++import logging
+ from pathlib import Path
+ from textwrap import dedent
+ from yaml import safe_load
+@@ -83,10 +84,31 @@
+         schema = {'properties': {'p1': {'type': 'string'}}}
+         validate_cloudconfig_schema({'p1': -1}, schema, strict=False)
+         self.assertIn(
+-            "Invalid config:\np1: -1 is not of type 'string'\n",
++            "Invalid config: \np1: -1 is not of type 'string'\n",
+             self.logs.getvalue())
+
+     @skipUnlessJsonSchema()
++    def test_validateconfig_schema_sensitive(self, caplog):
++        """When log_details=False, ensure details are omitted"""
++        schema = {
++            "properties": {"hashed_password": {"type": "string"}},
++            "additionalProperties": False,
++        }
++        validate_cloudconfig_schema(
++            {"hashed-password": "secret"},
++            schema,
++            strict=False,
++            log_details=False,
++        )
++        [(module, log_level, log_msg)] = caplog.record_tuples
++        assert "cloudinit.config.schema" == module
++        assert logging.WARNING == log_level
++        assert (
++            "Invalid cloud-config provided: Please run 'sudo cloud-init "
++            "schema --system' to see the schema errors." == log_msg
++        )
++
++    @skipUnlessJsonSchema()
+     def test_validateconfig_schema_emits_warning_on_missing_jsonschema(self):
+         """Warning from validate_cloudconfig_schema when missing jsonschema."""
+         schema = {'properties': {'p1': {'type': 'string'}}}

SPECS/cloud-init/CVE-2023-1786.patch

@@ -65,7 +65,16 @@ diff -ruN a/cloudinit/sources/DataSourceVultr.py b/cloudinit/sources/DataSourceV
 
 diff -ruN a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
 --- a/cloudinit/sources/__init__.py	2021-11-02 12:35:08.000000000 -0700
-+++ b/cloudinit/sources/__init__.py	2023-06-15 14:29:08.864172606 -0700
++++ b/cloudinit/sources/__init__.py	2023-06-29 16:07:33.755159240 -0700
+@@ -13,7 +13,7 @@
+ import json
+ import os
+ from collections import namedtuple
+-from typing import Dict, List  # noqa: F401
++from typing import Dict, List, Tuple  # noqa: F401
+ 
+ from cloudinit import dmi
+ from cloudinit import importer
 @@ -103,7 +103,10 @@
              sub_key_path = key_path + '/' + key
          else:
@@ -128,9 +137,23 @@ diff -ruN a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
 
      _ci_pkl_version = 1
 
+diff -ruN a/cloudinit/stages.py b/cloudinit/stages.py
+--- a/cloudinit/stages.py	2021-11-02 12:35:08.000000000 -0700
++++ b/cloudinit/stages.py	2023-06-29 16:32:03.259644654 -0700
+@@ -204,7 +204,9 @@
+         util.ensure_dirs(self._initial_subdirs())
+         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+         if log_file:
+-            util.ensure_file(log_file, mode=0o640, preserve_mode=True)
++            # At this point the log file should have already been created
++            # in the setupLogging function of log.py
++            util.ensure_file(log_file, mode=0o640, preserve_mode=False)
+             perms = self.cfg.get('syslog_fix_perms')
+             if not perms:
+                 perms = {}
 diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_init.py
 --- a/cloudinit/sources/tests/test_init.py	2021-11-02 12:35:08.000000000 -0700
-+++ b/cloudinit/sources/tests/test_init.py	2023-06-15 14:44:39.886499541 -0700
++++ b/cloudinit/sources/tests/test_init.py	2023-06-29 17:07:56.129540654 -0700
 @@ -353,10 +353,31 @@
                  'availability_zone': 'myaz',
                  'local-hostname': 'test-subclass-hostname',
@@ -166,58 +189,55 @@ diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_
              datasource.sensitive_metadata_keys)
          sys_info = {
              "python": "3.7",
-@@ -372,8 +393,12 @@
-         expected = {
+@@ -373,7 +394,10 @@
              'base64_encoded_keys': [],
              'merged_cfg': REDACT_SENSITIVE_VALUE,
--            'sensitive_keys': [
+             'sensitive_keys': [
 -                'ds/meta_data/some/security-credentials', 'merged_cfg'],
-+            "sensitive_keys": [
-+                "ds/meta_data/VENDOR-DAta",
-+                "ds/meta_data/some/security-credentials",
-+                "ds/meta_data/someother/nested/userData",
-+                "merged_cfg",
-+            ],
++                'ds/meta_data/VENDOR-DAta',
++                'ds/meta_data/some/security-credentials', 
++                'ds/meta_data/someother/nested/userData',
++                'merged_cfg'],
              'sys_info': sys_info,
              'v1': {
                  '_beta_keys': ['subplatform'],
-@@ -381,6 +406,7 @@
+@@ -381,6 +405,7 @@
                  'availability_zone': 'myaz',
                  'cloud-name': 'subclasscloudname',
                  'cloud_name': 'subclasscloudname',
-+                "cloud_id": "subclasscloudname",
++                'cloud_id': 'subclasscloudname',
                  'distro': 'ubuntu',
                  'distro_release': 'focal',
                  'distro_version': '20.04',
-@@ -401,12 +427,18 @@
+@@ -401,12 +426,18 @@
              'ds': {
                  '_doc': EXPERIMENTAL_TEXT,
                  'meta_data': {
-+                    "VENDOR-DAta": REDACT_SENSITIVE_VALUE,
++                    'VENDOR-DAta': REDACT_SENSITIVE_VALUE,
                      'availability_zone': 'myaz',
                      'local-hostname': 'test-subclass-hostname',
                      'region': 'myregion',
 -                    'some': {'security-credentials': REDACT_SENSITIVE_VALUE}}}
-+                    "some": {"security-credentials": REDACT_SENSITIVE_VALUE},
++                    'some': {'security-credentials': REDACT_SENSITIVE_VALUE},
 +                    "someother": {
 +                        "nested": {"userData": REDACT_SENSITIVE_VALUE}
 +                    },
-+                },
-+            },
++                }
++            }
          }
 -        self.assertCountEqual(expected, redacted)
 +        self.assertEqual(expected, redacted)
          file_stat = os.stat(json_file)
          self.assertEqual(0o644, stat.S_IMODE(file_stat.st_mode))
 
-@@ -432,7 +464,16 @@
+@@ -432,7 +463,16 @@
              "variant": "ubuntu", "dist": ["ubuntu", "20.04", "focal"]}
 
          self.assertCountEqual(
 -            ('merged_cfg', 'security-credentials',),
 +            (
-+                "merged_cfg",
-+                "security-credentials",
++                'merged_cfg', 
++                'security-credentials',               
 +                "userdata",
 +                "user-data",
 +                "user_data",
@@ -228,23 +248,9 @@ diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_
              datasource.sensitive_metadata_keys)
          with mock.patch("cloudinit.util.system_info", return_value=sys_info):
              datasource.get_data()
-diff -ruN a/cloudinit/stages.py b/cloudinit/stages.py
---- a/cloudinit/stages.py	2021-11-02 12:35:08.000000000 -0700
-+++ b/cloudinit/stages.py	2023-06-15 14:33:32.175651581 -0700
-@@ -204,7 +204,9 @@
-         util.ensure_dirs(self._initial_subdirs())
-         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
-         if log_file:
--            util.ensure_file(log_file, mode=0o640, preserve_mode=True)
-+            # At this point the log file should have already been created
-+            # in the setupLogging function of log.py
-+            util.ensure_file(log_file, mode=0o640, preserve_mode=False)
-             perms = self.cfg.get('syslog_fix_perms')
-             if not perms:
-                 perms = {}
 diff -ruN a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py
 --- a/cloudinit/tests/test_stages.py	2021-11-02 12:35:08.000000000 -0700
-+++ b/cloudinit/tests/test_stages.py	2023-06-15 14:49:05.304858409 -0700
++++ b/cloudinit/tests/test_stages.py	2023-06-29 17:09:37.046934002 -0700
 @@ -458,21 +458,24 @@
          # Assert we create it 0o640  by default if it doesn't already exist
          assert 0o640 == stat.S_IMODE(log_file.stat().mode)

SPECS/cloud-init/cloud-init.spec

@@ -3,7 +3,7 @@
 Summary:        Cloud instance init scripts
 Name:           cloud-init
 Version:        21.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,7 @@ Patch4:         mariner-21.4.patch
 # backport patch https://github.com/canonical/cloud-init/commit/0988fb89be06aeb08083ce609f755509d08fa459.patch to 21.4
 Patch5:         azureds-set-ovf_is_accesible.patch
 Patch6:         CVE-2023-1786.patch
+Patch7:         CVE-2022-2084.patch
 
 BuildRequires:  automake
 BuildRequires:  dbus
@@ -163,6 +164,9 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
 
 %changelog
+* Mon Jul 03 2023 Minghe Ren <[email protected]> - 21.4-4
+- Add patch for CVE-2022-2084 and modify CVE-2023-1786.patch
+
 * Thu Jun 15 2023 Minghe Ren <[email protected]> - 21.4-3
 - Add patch for CVE-2023-1786