From: vanusuri@mvista.com
To: meta-virtualization@lists.yoctoproject.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
Date: Fri, 18 Aug 2023 12:07:57 +0530 [thread overview]
Message-ID: <20230818063757.406414-1-vanusuri@mvista.com> (raw)
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 1 +
2 files changed, 167 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 0000000..9388f18
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <nmoraiti@redhat.com>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+
+Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/credentialprovider/config.go | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
++++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
+ continue
+ }
+ cfg, err := readDockerConfigFileFromBytes(contents)
+- if err == nil {
+- klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+- return cfg, nil
++ if err != nil {
++ klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
++ continue
+ }
++
++ klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
++ return cfg, nil
++
+ }
+ return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
+
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ if err = json.Unmarshal(contents, &cfg); err != nil {
+- klog.Errorf("while trying to parse blob %q: %v", contents, err)
+- return nil, err
++ return nil, errors.New("error occurred while trying to unmarshal json")
+ }
+ return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ var cfgJson DockerConfigJson
+ if err = json.Unmarshal(contents, &cfgJson); err != nil {
+- klog.Errorf("while trying to parse blob %q: %v", contents, err)
+- return nil, err
++ return nil, errors.New("error occurred while trying to unmarshal json")
+ }
+ cfg = cfgJson.Auths
+ return
+diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
++++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
+ }
+ }
+ }
++
++func TestReadDockerConfigFileFromBytes(t *testing.T) {
++ testCases := []struct {
++ id string
++ input []byte
++ expectedCfg DockerConfig
++ errorExpected bool
++ expectedErrorMsg string
++ }{
++ {
++ id: "valid input, no error expected",
++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++ "http://foo.example.com": {
++ Username: "foo",
++ Password: "bar",
++ Email: "foo@example.com",
++ },
++ }),
++ },
++ {
++ id: "invalid input, error expected",
++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
++ errorExpected: true,
++ expectedErrorMsg: "error occurred while trying to unmarshal json",
++ },
++ }
++
++ for _, tc := range testCases {
++ cfg, err := readDockerConfigFileFromBytes(tc.input)
++ if err != nil && !tc.errorExpected {
++ t.Fatalf("Error was not expected: %v", err)
++ }
++ if err != nil && tc.errorExpected {
++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++ }
++ } else {
++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++ }
++ }
++ }
++}
++
++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
++ testCases := []struct {
++ id string
++ input []byte
++ expectedCfg DockerConfig
++ errorExpected bool
++ expectedErrorMsg string
++ }{
++ {
++ id: "valid input, no error expected",
++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++ "http://foo.example.com": {
++ Username: "foo",
++ Password: "bar",
++ Email: "foo@example.com",
++ },
++ "http://bar.example.com": {
++ Username: "bar",
++ Password: "baz",
++ Email: "bar@example.com",
++ },
++ }),
++ },
++ {
++ id: "invalid input, error expected",
++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
++ errorExpected: true,
++ expectedErrorMsg: "error occurred while trying to unmarshal json",
++ },
++ }
++
++ for _, tc := range testCases {
++ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
++ if err != nil && !tc.errorExpected {
++ t.Fatalf("Error was not expected: %v", err)
++ }
++ if err != nil && tc.errorExpected {
++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++ }
++ } else {
++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++ }
++ }
++ }
++}
+--
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 8c286e2..c73f988 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
file://0001-cross-don-t-build-tests-by-default.patch \
+ file://CVE-2020-8564.patch \
"
DEPENDS += "rsync-native \
--
2.25.1
next reply other threads:[~2023-08-18 6:38 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-18 6:37 vanusuri [this message]
2023-08-22 3:44 ` [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 Bruce Ashfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230818063757.406414-1-vanusuri@mvista.com \
--to=vanusuri@mvista.com \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).