
Bug#1108403: cloud-init: CVE-2024-6174



On Mon, Jul 07, 2025 at 06:00:15PM +0000, Jeremy Stanley wrote:
> https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607 has
> finally been switched to public upstream as of Friday, and contains a lot
> more of the rationale behind their breaking change decisions.

Thanks.  My initial thinking about this issue mirrors what was
expressed by James Page in the launchpad comments. [1]  In a typical
cloud environment, this would not be an issue, as it would not be
possible for a malicious user to hijack one of the link-local IMDS
addresses.  However, as observed elsewhere, not all uses of cloud-init
are in actual cloud environments. [2] We provide downloadable VM images
that are usable with qemu in non-cloud environments.  In those cases, it
is possible that there could be a malicious user on the local network
link with one of the IMDS addresses.  It's an unlikely scenario, and
relies on quite a bit of coincidental network access and configuration,
but it can happen.

Given all of that, I think we should:
1. Update to the latest cloud-init upstream for trixie.  It includes a
   couple of other low-risk bug fixes, too.
2. Update cloud-init in a bookworm point release with a backport of the
   fix.  I haven't looked yet at the complexity involved in backporting
   the fix to 22.4.2, but will do so now.

Given the limited impact of the breaking change, I think documenting it
in debian/changelog is sufficient, and we don't need a NEWS entry.

Does anybody disagree with the above?

noah

1. https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/31
2. https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/32
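For the non-cloud qemu case described in the message above, the practical mitigation on an existing image is to pin cloud-init's datasource_list so it never probes the link-local IMDS addresses at all.  The script below is an added example, not code from this thread, from Debian, or from the cloud-init project; it assumes the drop-in file name 99-pin-datasource.cfg (an arbitrary choice), and its checker's "last datasource_list line wins" logic is an approximation of cloud-init's lexical ordering of /etc/cloud/cloud.cfg.d.

```shell
#!/bin/sh
# Added example (not from the bug thread or the cloud-init project):
# restrict cloud-init to a local NoCloud seed so an image booted under
# qemu on an ordinary LAN never contacts 169.254.169.254 (or the IPv6
# IMDS addresses) looking for Ec2/OpenStack-style metadata.
# The drop-in name 99-pin-datasource.cfg is an arbitrary choice.

# Write a cloud.cfg.d drop-in limiting cloud-init to NoCloud and None.
# $1 is the cloud.cfg.d directory (default /etc/cloud/cloud.cfg.d);
# pass a temporary directory to exercise it without root.
pin_datasource_list() {
    cfgdir="${1:-/etc/cloud/cloud.cfg.d}"
    mkdir -p "$cfgdir"
    cat > "$cfgdir/99-pin-datasource.cfg" <<'EOF'
# Only look for a local NoCloud seed; never probe the network for an IMDS.
datasource_list: [ NoCloud, None ]
EOF
}

# Return 0 if the effective datasource_list in the directory is pinned and
# contains none of the datasources that talk to a link-local IMDS,
# 1 otherwise.  Approximation: cloud-init reads cloud.cfg.d in lexical
# order and later files override, so the last datasource_list line wins.
datasource_list_is_pinned() {
    cfgdir="${1:-/etc/cloud/cloud.cfg.d}"
    line=$(grep -h '^datasource_list:' "$cfgdir"/*.cfg 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    # Ec2, OpenStack, GCE, Azure, CloudStack all fetch metadata over the
    # network from a well-known address; any of them re-opens the exposure.
    echo "$line" | grep -Eq 'Ec2|OpenStack|GCE|Azure|CloudStack' && return 1
    return 0
}

# Usage on a live image (needs root to write /etc/cloud/cloud.cfg.d):
#   pin_datasource_list && datasource_list_is_pinned && echo pinned
# After the next boot, `cloud-id` should report nocloud (or none).
```

The checker is deliberately conservative: a datasource_list that still names any network-fetching datasource is reported as not pinned, even if NoCloud is listed first, because cloud-init will still try that datasource when no local seed is present.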

