From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Vijay Anusuri <vanusuri@mvista.com>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
Date: Tue, 22 Aug 2023 03:44:42 +0000
Message-ID: <ZOQvKvnpIvi9xWnn@gmail.com>
In-Reply-To: <20230818063757.406414-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
on 18/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 167 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> new file mode 100644
> index 0000000..9388f18
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> @@ -0,0 +1,166 @@
> +From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
> +From: Nikolaos Moraitis <nmoraiti@redhat.com>
> +Date: Fri, 11 Sep 2020 11:36:27 +0200
> +Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
> +
> +There are a lot of scenarios where an invalid .dockercfg file
> +will still contain secrets. This commit removes logging of the
> +contents to avoid any potential leaking and manages the actual error
> +by printing to the user the actual location of the invalid file.
> +
> +Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
> +CVE: CVE-2020-8564
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/credentialprovider/config.go | 16 +++--
> + pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
> + 2 files changed, 102 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
> +index 377383aa903..b256bd8e7f0 100644
> +--- a/src/import/pkg/credentialprovider/config.go
> ++++ b/src/import/pkg/credentialprovider/config.go
> +@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
> + continue
> + }
> + cfg, err := readDockerConfigFileFromBytes(contents)
> +- if err == nil {
> +- klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> +- return cfg, nil
> ++ if err != nil {
> ++ klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
> ++ continue
> + }
> ++
> ++ klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> ++ return cfg, nil
> ++
> + }
> + return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
> + }
> +@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
> +
> + func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + if err = json.Unmarshal(contents, &cfg); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to unmarshal json")
> + }
> + return
> + }
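Review bot: the same literal message is built here and again in readDockerConfigJsonFileFromBytes, and the new tests compare it by string. Declare it once, e.g. `var errInvalidDockerConfig = errors.New("error occurred while trying to unmarshal json")`, return that sentinel from both functions, and let callers and tests use `errors.Is` rather than `err.Error()`. Dropping the json error detail itself is right: json.SyntaxError messages quote the offending character, and the removed `%q` of `contents` dumped the whole blob; the file path logged by ReadDockercfgFile at V(4) is enough to locate the bad file.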
> +@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
> + func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + var cfgJson DockerConfigJson
> + if err = json.Unmarshal(contents, &cfgJson); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to unmarshal json")
> + }
> + cfg = cfgJson.Auths
> + return
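Review bot: after this hunk nothing in the file reports a config.json parse failure at default verbosity; the only remaining log is the V(4) line in ReadDockercfgFile, and no hunk in this patch touches the callers of readDockerConfigJsonFileFromBytes. Verify those callers log the file location (never the contents) on failure, or operators will see a silent fall-through to "couldn't find valid" errors with no hint which file is malformed.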
> +diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
> +index c310dc33dce..6974076984f 100644
> +--- a/src/import/pkg/credentialprovider/config_test.go
> ++++ b/src/import/pkg/credentialprovider/config_test.go
> +@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
> + }
> + }
> + }
> ++
> ++func TestReadDockerConfigFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "foo@example.com",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++ }
> ++ }
> ++ }
> ++}
> ++
> ++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "foo@example.com",
> ++ },
> ++ "http://bar.example.com": {
> ++ Username: "bar",
> ++ Password: "baz",
> ++ Email: "bar@example.com",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++ }
> ++ }
> ++ }
> ++}
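Review bot: the loop never fails explicitly when an error was expected but none came back: with `errorExpected: true` and `err == nil`, control falls into the `else` branch and compares cfg against a nil expectedCfg, which fails only indirectly and with a misleading "expected: map[] got ..." message. Add `if err == nil && tc.errorExpected { t.Fatalf("%s: expected an error", tc.id) }` before the other checks. Smaller points: `reflect.DeepEqual(err.Error(), tc.expectedErrorMsg)` on two strings is just `!=`; `tc.id` is never used, so wrap each case in `t.Run(tc.id, ...)`; and the regression the patch exists for is not asserted directly. For the invalid-input cases add `if strings.Contains(err.Error(), "bar") { t.Fatalf("error message echoes the input") }` so a future change that re-embeds the blob in the error fails the test.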
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 8c286e2..c73f988 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
> SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> + file://CVE-2020-8564.patch \
> "
>
> DEPENDS += "rsync-native \
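Review bot: nothing to fix in the recipe change itself; cve-check reads the `CVE: CVE-2020-8564` line from the patch header, so no further annotation in the recipe is needed. The patch's `---`/`+++` paths are prefixed `src/import/`, so it relies on do_patch applying at the directory that contains `src/import` with `-p1`; confirm this matches how the two existing patches in this SRC_URI are laid out.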
> --
> 2.25.1
>
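The commit message above describes the hazard: a malformed .dockercfg usually still holds credentials, so echoing the blob into an error or log line leaks them. The following is an added example, not code from the patch or from kubernetes: the pre-fix parse that quotes the input beside the hardened one that returns a fixed message, run over a constructed, truncated .dockercfg containing a password, with a check that the returned error carries no byte of the secret. The type names, the `parseLeaky`, `parseSafe` and `leaksSecret` helpers, the sentinel error and the sample registry are assumptions for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// dockerConfigEntry mirrors the shape of one .dockercfg entry (constructed for this example).
type dockerConfigEntry struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Email    string `json:"email"`
}

// dockerConfig maps a registry URL to its credentials.
type dockerConfig map[string]dockerConfigEntry

// errInvalidDockerConfig is the only error returned for a parse failure.
// It deliberately carries no byte of the input (assumed sentinel, not a k8s API).
var errInvalidDockerConfig = errors.New("error occurred while trying to unmarshal json")

// parseLeaky reproduces the pre-fix behaviour: on failure the whole blob,
// credentials included, is quoted into the error message.
func parseLeaky(contents []byte) (dockerConfig, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(contents, &cfg); err != nil {
		return nil, fmt.Errorf("while trying to parse blob %q: %v", contents, err)
	}
	return cfg, nil
}

// parseSafe is the hardened form: the json detail is dropped and a fixed
// sentinel is returned, so nothing from the file can reach a log line.
func parseSafe(contents []byte) (dockerConfig, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(contents, &cfg); err != nil {
		return nil, errInvalidDockerConfig
	}
	return cfg, nil
}

// leaksSecret reports whether the error produced for a failed parse of
// contents contains secret. It is the regression check a test should carry.
func leaksSecret(parse func([]byte) (dockerConfig, error), contents []byte, secret string) bool {
	_, err := parse(contents)
	if err == nil {
		return false
	}
	return strings.Contains(err.Error(), secret)
}

// truncated is a constructed .dockercfg cut off before its closing braces,
// the common "invalid but still full of secrets" case.
var truncated = []byte(`{"https://registry.example.com":{"username":"ci","password":"s3cr3t-token","email":"ci@example.com"`)

func main() {
	fmt.Println("leaky parser echoes password:", leaksSecret(parseLeaky, truncated, "s3cr3t-token"))
	fmt.Println("safe parser echoes password: ", leaksSecret(parseSafe, truncated, "s3cr3t-token"))
}
```

Returning one sentinel also lets callers branch with `errors.Is` instead of matching strings, and a `strings.Contains(err.Error(), password)` assertion in the test suite keeps anyone from reintroducing the `%q` dump later.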
Thread overview:
2023-08-18 6:37 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 vanusuri
2023-08-22 3:44 ` Bruce Ashfield