From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Vijay Anusuri <vanusuri@mvista.com>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
Date: Tue, 22 Aug 2023 03:44:42 +0000 [thread overview]
Message-ID: <ZOQvKvnpIvi9xWnn@gmail.com> (raw)
In-Reply-To: <20230818063757.406414-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
on 18/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 167 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> new file mode 100644
> index 0000000..9388f18
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> @@ -0,0 +1,166 @@
> +From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
> +From: Nikolaos Moraitis <nmoraiti@redhat.com>
> +Date: Fri, 11 Sep 2020 11:36:27 +0200
> +Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
> +
> +There are a lot of scenarios where an invalid .dockercfg file
> +will still contain secrets. This commit removes logging of the
> +contents to avoid any potential leaking and manages the actual error
> +by printing to the user the actual location of the invalid file.
> +
> +Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
> +CVE: CVE-2020-8564
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/credentialprovider/config.go | 16 +++--
> + pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
> + 2 files changed, 102 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
> +index 377383aa903..b256bd8e7f0 100644
> +--- a/src/import/pkg/credentialprovider/config.go
> ++++ b/src/import/pkg/credentialprovider/config.go
> +@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
> + continue
> + }
> + cfg, err := readDockerConfigFileFromBytes(contents)
> +- if err == nil {
> +- klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> +- return cfg, nil
> ++ if err != nil {
> ++ klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
> ++ continue
> + }
> ++
> ++ klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> ++ return cfg, nil
> ++
> + }
> + return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
> + }
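Review bot: the `diff --git a/pkg/credentialprovider/config.go` line at the top of the embedded patch disagrees with the `--- a/src/import/pkg/credentialprovider/config.go` / `+++ b/src/import/pkg/credentialprovider/config.go` lines under it. The quilt-based do_patch uses only the `---`/`+++` paths, so the recipe applies it, but `git apply` refuses a git-style header whose filenames are inconsistent, so the `diff --git` lines should carry the same `src/import/` prefix. In the hunk body, the added blank line just before the closing brace of the loop (the `+` line after `return cfg, nil`) is left over from the rearrangement and can go. The new error path logs only `absDockerConfigFileLocation` and `err`, not the file contents, which is the behaviour the CVE fix is after.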
> +@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
> +
> + func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + if err = json.Unmarshal(contents, &cfg); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to unmarshal json")
> + }
> + return
> + }
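Review bot: `errors.New(...)` is introduced here, yet no hunk in the patch touches the import block of config.go, so this compiles only if the release-1.17 copy of the file already imports `errors`; the diffstat of 16 changed lines for config.go is fully accounted for by the three hunks shown, so nothing was dropped in the backport, but a build should confirm it before merge. Note also that the replacement message discards the json error value as well as the blob: the `%q` of `contents` was what printed secrets, while `err` carried only an offset or single offending character. Staying byte for byte with upstream is the right call for a backport; just be aware that the parse-position hint is gone from V(4) output.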
> +@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
> + func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + var cfgJson DockerConfigJson
> + if err = json.Unmarshal(contents, &cfgJson); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to unmarshal json")
> + }
> + cfg = cfgJson.Auths
> + return
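Review bot: the context line of this hunk names the function `readDockerConfigJsonFileFromBytes`, but the test added below in config_test.go calls `readDockerConfigJSONFileFromBytes`. The backport adjusted the config.go side to the dunfell/1.17 spelling and left the test side as it was, so `go test ./pkg/credentialprovider/...` will not compile; this is invisible in the bitbake build only because 0001-cross-don-t-build-tests-by-default.patch skips the tests. Either change the call in the test hunk to `readDockerConfigJsonFileFromBytes` or leave the config_test.go part out of the backport.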
> +diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
> +index c310dc33dce..6974076984f 100644
> +--- a/src/import/pkg/credentialprovider/config_test.go
> ++++ b/src/import/pkg/credentialprovider/config_test.go
> +@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
> + }
> + }
> + }
> ++
> ++func TestReadDockerConfigFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "foo@example.com",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++ }
> ++ }
> ++ }
> ++}
> ++
> ++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "foo@example.com",
> ++ },
> ++ "http://bar.example.com": {
> ++ Username: "bar",
> ++ Password: "baz",
> ++ Email: "bar@example.com",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++ }
> ++ }
> ++ }
> ++}
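Review bot: in both new tests the "error expected but none returned" case is not handled: when `err == nil` and `tc.errorExpected` is true, control falls into the `else` branch and the failure is reported as a map mismatch against a nil `expectedCfg` instead of as a missing error. Add an explicit `if err == nil && tc.errorExpected { t.Fatalf("expected an error for %s", tc.id) }` before the comparison, and include `tc.id` in the other `t.Fatalf` calls so a failing case can be identified. `reflect.DeepEqual(err.Error(), tc.expectedErrorMsg)` on two strings can simply be `err.Error() != tc.expectedErrorMsg`, and since no hunk adds an import, `reflect` must already be imported in config_test.go for the hunk to compile.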
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 8c286e2..c73f988 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
> SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> + file://CVE-2020-8564.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.25.1
>
>
Thread overview (2 messages):
2023-08-18 6:37 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 vanusuri
2023-08-22 3:44 ` Bruce Ashfield [this message]