Revert "Revert "cloud-init: patch for CVE-2022-2084 (#3281)""

jslobodzian · jslobodzian · commit ce8b659d6278 · 2022-07-09T09:00:45.000-07:00
This reverts commit 0b1ba72.
diff --git a/SPECS/cloud-init/CVE-2022-2084.patch b/SPECS/cloud-init/CVE-2022-2084.patch
@@ -0,0 +1,151 @@
+commit 4d467b14363d800b2185b89790d57871f11ea88c
+Author: James Falcon <james.falcon@canonical.com>
+Date:   Wed Jun 29 17:27:44 2022 -0500
+
+    Remove schema errors from log (#1551)
+    
+    When schema errors are encountered, the section of userdata in question
+    gets printed to the cloud-init log. As this could contain sensitive
+    data, so log a generic warning instead and redirect user to run
+    cloud-init schema --system as root.
+    
+    LP: #1978422
+    CVE: 2022-2084
+
+diff --git a/cloudinit/cmd/main.py b/cloudinit/cmd/main.py
+index c6303478..4f157870 100755
+--- a/cloudinit/cmd/main.py
++++ b/cloudinit/cmd/main.py
+@@ -455,7 +455,9 @@ def main_init(name, args):
+ 
+     # Validate user-data adheres to schema definition
+     if os.path.exists(init.paths.get_ipath_cur("userdata_raw")):
+-        validate_cloudconfig_schema(config=init.cfg, strict=False)
++        validate_cloudconfig_schema(
++            config=init.cfg, strict=False, log_details=False
++        )
+     else:
+         LOG.debug("Skipping user-data validation. No user-data found.")
+ 
+diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
+index a60ceb11..1e29ae5a 100644
+--- a/cloudinit/config/schema.py
++++ b/cloudinit/config/schema.py
+@@ -198,6 +198,7 @@ def validate_cloudconfig_schema(
+     schema: dict = None,
+     strict: bool = False,
+     strict_metaschema: bool = False,
++    log_details: bool = True,
+ ):
+     """Validate provided config meets the schema definition.
+ 
+@@ -210,6 +211,9 @@ def validate_cloudconfig_schema(
+        logging warnings.
+     @param strict_metaschema: Boolean, when True validates schema using strict
+        metaschema definition at runtime (currently unused)
++    @param log_details: Boolean, when True logs details of validation errors.
++       If there are concerns about logging sensitive userdata, this should
++       be set to False.
+ 
+     @raises: SchemaValidationError when provided config does not validate
+         against the provided schema.
+@@ -234,12 +238,17 @@ def validate_cloudconfig_schema(
+         errors += ((path, error.message),)
+     if errors:
+         if strict:
++            # This could output/log sensitive data
+             raise SchemaValidationError(errors)
+-        else:
++        if log_details:
+             messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
+-            LOG.warning(
+-                "Invalid cloud-config provided:\n%s", "\n".join(messages)
++            details = "\n" + "\n".join(messages)
++        else:
++            details = (
++                "Please run 'sudo cloud-init schema --system' to "
++                "see the schema errors."
+             )
++        LOG.warning("Invalid cloud-config provided: %s", details)
+ 
+ 
+ def annotated_cloudconfig_file(
+diff --git a/tests/integration_tests/modules/test_cli.py b/tests/integration_tests/modules/test_cli.py
+index e878176f..4b8f53a8 100644
+--- a/tests/integration_tests/modules/test_cli.py
++++ b/tests/integration_tests/modules/test_cli.py
+@@ -18,11 +18,18 @@ runcmd:
+   - echo 'hi' > /var/tmp/test
+ """
+ 
++# The '-' in 'hashed-password' fails schema validation
+ INVALID_USER_DATA_SCHEMA = """\
+ #cloud-config
+-updates:
+- notnetwork: -1
+-apt_pipelining: bogus
++users:
++  - default
++  - name: newsuper
++    gecos: Big Stuff
++    groups: users, admin
++    sudo: ALL=(ALL) NOPASSWD:ALL
++    hashed-password: asdfasdf
++    shell: /bin/bash
++    lock_passwd: true
+ """
+ 
+ 
+@@ -69,11 +76,12 @@ def test_invalid_userdata_schema(client: IntegrationInstance):
+     assert result.ok
+     log = client.read_from_file("/var/log/cloud-init.log")
+     warning = (
+-        "[WARNING]: Invalid cloud-config provided:\napt_pipelining: 'bogus'"
+-        " is not valid under any of the given schemas\nupdates: Additional"
+-        " properties are not allowed ('notnetwork' was unexpected)"
++        "[WARNING]: Invalid cloud-config provided: Please run "
++        "'sudo cloud-init schema --system' to see the schema errors."
+     )
+     assert warning in log
++    assert "asdfasdf" not in log
++
+     result = client.execute("cloud-init status --long")
+     if not result.ok:
+         raise AssertionError(
+diff --git a/tests/unittests/config/test_schema.py b/tests/unittests/config/test_schema.py
+index 1840b70d..4a41c4c1 100644
+--- a/tests/unittests/config/test_schema.py
++++ b/tests/unittests/config/test_schema.py
+@@ -286,10 +286,31 @@ class TestValidateCloudConfigSchema:
+         assert "cloudinit.config.schema" == module
+         assert logging.WARNING == log_level
+         assert (
+-            "Invalid cloud-config provided:\np1: -1 is not of type 'string'"
++            "Invalid cloud-config provided: \np1: -1 is not of type 'string'"
+             == log_msg
+         )
+ 
++    @skipUnlessJsonSchema()
++    def test_validateconfig_schema_sensitive(self, caplog):
++        """When log_details=False, ensure details are omitted"""
++        schema = {
++            "properties": {"hashed_password": {"type": "string"}},
++            "additionalProperties": False,
++        }
++        validate_cloudconfig_schema(
++            {"hashed-password": "secret"},
++            schema,
++            strict=False,
++            log_details=False,
++        )
++        [(module, log_level, log_msg)] = caplog.record_tuples
++        assert "cloudinit.config.schema" == module
++        assert logging.WARNING == log_level
++        assert (
++            "Invalid cloud-config provided: Please run 'sudo cloud-init "
++            "schema --system' to see the schema errors." == log_msg
++        )
++
+     @skipUnlessJsonSchema()
+     def test_validateconfig_schema_emits_warning_on_missing_jsonschema(
+         self, caplog
diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec
@@ -1,7 +1,7 @@
 Summary:        Cloud instance init scripts
 Name:           cloud-init
 Version:        22.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://launchpad.net/cloud-init
 Source0:        https://launchpad.net/cloud-init/trunk/%{version}/+download/%{name}-%{version}.tar.gz
 Source1:        10-azure-kvp.cfg
 Patch0:         add-mariner-distro-support.patch
+Patch1:         CVE-2022-2084.patch
 %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service
 BuildRequires:  automake
 BuildRequires:  dbus
@@ -82,6 +83,7 @@ python3 setup.py build
 %{py3_install "--init-system=systemd"}
 
 python3 tools/render-cloudcfg --variant mariner > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg
+sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," %{buildroot}/%{python3_sitelib}/cloudinit/version.py
 
 %if "%{_arch}" == "aarch64"
 # OpenStack DS in aarch64 adds a boot time of ~10 seconds by searching
@@ -143,6 +145,10 @@ make check %{?_smp_mflags}
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
 
 %changelog
+* Thu Jun 30 2022 Chris Patterson <cpatterson@microsoft.com> - 22.2-4
+- Patch for CVE-2022-2084
+- Report patch level in version info
+
 * Wed Jun 08 2022 Tom Fay <tomfay@microsoft.com> - 22.2-3
 - Add missing e2fsprogs dependency
 
