[meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564

meta-virtualization.lists.yoctoproject.org archive mirror
 help / color / mirror / Atom feed

From: vanusuri@mvista.com
To: meta-virtualization@lists.yoctoproject.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
Date: Fri, 18 Aug 2023 12:07:57 +0530	[thread overview]
Message-ID: <20230818063757.406414-1-vanusuri@mvista.com> (raw)

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 0000000..9388f18
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <nmoraiti@redhat.com>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+
+Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/credentialprovider/config.go      | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
++++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
+ 			continue
+ 		}
+ 		cfg, err := readDockerConfigFileFromBytes(contents)
+-		if err == nil {
+-			klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+-			return cfg, nil
++		if err != nil {
++			klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
++			continue
+ 		}
++
++		klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
++		return cfg, nil
++
+ 	}
+ 	return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
+ 
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ 	if err = json.Unmarshal(contents, &cfg); err != nil {
+-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-		return nil, err
++		return nil, errors.New("error occurred while trying to unmarshal json")
+ 	}
+ 	return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ 	var cfgJson DockerConfigJson
+ 	if err = json.Unmarshal(contents, &cfgJson); err != nil {
+-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-		return nil, err
++		return nil, errors.New("error occurred while trying to unmarshal json")
+ 	}
+ 	cfg = cfgJson.Auths
+ 	return
+diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
++++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestReadDockerConfigFileFromBytes(t *testing.T) {
++	testCases := []struct {
++		id               string
++		input            []byte
++		expectedCfg      DockerConfig
++		errorExpected    bool
++		expectedErrorMsg string
++	}{
++		{
++			id:    "valid input, no error expected",
++			input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++				"http://foo.example.com": {
++					Username: "foo",
++					Password: "bar",
++					Email:    "foo@example.com",
++				},
++			}),
++		},
++		{
++			id:               "invalid input, error expected",
++			input:            []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
++			errorExpected:    true,
++			expectedErrorMsg: "error occurred while trying to unmarshal json",
++		},
++	}
++
++	for _, tc := range testCases {
++		cfg, err := readDockerConfigFileFromBytes(tc.input)
++		if err != nil && !tc.errorExpected {
++			t.Fatalf("Error was not expected: %v", err)
++		}
++		if err != nil && tc.errorExpected {
++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++			}
++		} else {
++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++			}
++		}
++	}
++}
++
++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
++	testCases := []struct {
++		id               string
++		input            []byte
++		expectedCfg      DockerConfig
++		errorExpected    bool
++		expectedErrorMsg string
++	}{
++		{
++			id:    "valid input, no error expected",
++			input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++				"http://foo.example.com": {
++					Username: "foo",
++					Password: "bar",
++					Email:    "foo@example.com",
++				},
++				"http://bar.example.com": {
++					Username: "bar",
++					Password: "baz",
++					Email:    "bar@example.com",
++				},
++			}),
++		},
++		{
++			id:               "invalid input, error expected",
++			input:            []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
++			errorExpected:    true,
++			expectedErrorMsg: "error occurred while trying to unmarshal json",
++		},
++	}
++
++	for _, tc := range testCases {
++		cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
++		if err != nil && !tc.errorExpected {
++			t.Fatalf("Error was not expected: %v", err)
++		}
++		if err != nil && tc.errorExpected {
++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++			}
++		} else {
++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++			}
++		}
++	}
++}
+-- 
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 8c286e2..c73f988 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
 SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
            file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
            file://0001-cross-don-t-build-tests-by-default.patch \
+           file://CVE-2020-8564.patch \
           "
 
 DEPENDS += "rsync-native \
-- 
2.25.1

next             reply	other threads:[~2023-08-18  6:38 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-18  6:37 vanusuri [this message]
2023-08-22  3:44 ` [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 Bruce Ashfield

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:8c286e2 dfblob:9388f18 dfblob:c73f988
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230818063757.406414-1-vanusuri@mvista.com \
    --to=vanusuri@mvista.com \
    --cc=meta-virtualization@lists.yoctoproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).