* [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
@ 2023-08-18  6:37 vanusuri
  2023-08-22  3:44 ` Bruce Ashfield
From: vanusuri @ 2023-08-18  6:37 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Vijay Anusuri

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 0000000..9388f18
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <nmoraiti@redhat.com>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+
+Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/credentialprovider/config.go      | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
++++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
+ 			continue
+ 		}
+ 		cfg, err := readDockerConfigFileFromBytes(contents)
+-		if err == nil {
+-			klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+-			return cfg, nil
++		if err != nil {
++			klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
++			continue
+ 		}
++
++		klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
++		return cfg, nil
++
+ 	}
+ 	return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
+ 
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ 	if err = json.Unmarshal(contents, &cfg); err != nil {
+-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-		return nil, err
++		return nil, errors.New("error occurred while trying to unmarshal json")
+ 	}
+ 	return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ 	var cfgJson DockerConfigJson
+ 	if err = json.Unmarshal(contents, &cfgJson); err != nil {
+-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-		return nil, err
++		return nil, errors.New("error occurred while trying to unmarshal json")
+ 	}
+ 	cfg = cfgJson.Auths
+ 	return
+diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
++++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestReadDockerConfigFileFromBytes(t *testing.T) {
++	testCases := []struct {
++		id               string
++		input            []byte
++		expectedCfg      DockerConfig
++		errorExpected    bool
++		expectedErrorMsg string
++	}{
++		{
++			id:    "valid input, no error expected",
++			input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++				"http://foo.example.com": {
++					Username: "foo",
++					Password: "bar",
++					Email:    "foo@example.com",
++				},
++			}),
++		},
++		{
++			id:               "invalid input, error expected",
++			input:            []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
++			errorExpected:    true,
++			expectedErrorMsg: "error occurred while trying to unmarshal json",
++		},
++	}
++
++	for _, tc := range testCases {
++		cfg, err := readDockerConfigFileFromBytes(tc.input)
++		if err != nil && !tc.errorExpected {
++			t.Fatalf("Error was not expected: %v", err)
++		}
++		if err != nil && tc.errorExpected {
++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++			}
++		} else {
++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++			}
++		}
++	}
++}
++
++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
++	testCases := []struct {
++		id               string
++		input            []byte
++		expectedCfg      DockerConfig
++		errorExpected    bool
++		expectedErrorMsg string
++	}{
++		{
++			id:    "valid input, no error expected",
++			input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++				"http://foo.example.com": {
++					Username: "foo",
++					Password: "bar",
++					Email:    "foo@example.com",
++				},
++				"http://bar.example.com": {
++					Username: "bar",
++					Password: "baz",
++					Email:    "bar@example.com",
++				},
++			}),
++		},
++		{
++			id:               "invalid input, error expected",
++			input:            []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
++			errorExpected:    true,
++			expectedErrorMsg: "error occurred while trying to unmarshal json",
++		},
++	}
++
++	for _, tc := range testCases {
++		cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
++		if err != nil && !tc.errorExpected {
++			t.Fatalf("Error was not expected: %v", err)
++		}
++		if err != nil && tc.errorExpected {
++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++			}
++		} else {
++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++			}
++		}
++	}
++}
+-- 
+2.25.1
+
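Review bot: The added test calls `readDockerConfigJSONFileFromBytes(tc.input)`, but the function this same patch modifies is spelled `readDockerConfigJsonFileFromBytes` in the context line of the third config.go hunk; Go identifiers are case-sensitive, so config_test.go will not compile on release-1.17 (the recipe's cross-don-t-build-tests patch is presumably why the package still builds). The call should read `cfg, err := readDockerConfigJsonFileFromBytes(tc.input)`, with the test name free to follow the same spelling. The config.go hunks also start using `errors.New` without touching the import block, so the backport relies on `errors` already being imported in the 1.17 copy of config.go, which is worth confirming against that file. As a minor point of style, comparing two strings with `reflect.DeepEqual` is just `err.Error() != tc.expectedErrorMsg`, and the `id` field is never surfaced; wrapping each case in `t.Run(tc.id, ...)` would name the failing case.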
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 8c286e2..c73f988 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
 SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
            file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
            file://0001-cross-don-t-build-tests-by-default.patch \
+           file://CVE-2020-8564.patch \
           "
 
 DEPENDS += "rsync-native \
-- 
2.25.1




* Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
  2023-08-18  6:37 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 vanusuri
@ 2023-08-22  3:44 ` Bruce Ashfield
From: Bruce Ashfield @ 2023-08-22  3:44 UTC (permalink / raw)
  To: Vijay Anusuri; +Cc: meta-virtualization

merged.

Bruce

In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564
on 18/08/2023 Vijay Anusuri wrote:

> From: Vijay Anusuri <vanusuri@mvista.com>
> 
> Upstream-commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
> 
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
>  .../kubernetes/kubernetes_git.bb              |   1 +
>  2 files changed, 167 insertions(+)
>  create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> 
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> new file mode 100644
> index 0000000..9388f18
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> @@ -0,0 +1,166 @@
> +From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
> +From: Nikolaos Moraitis <nmoraiti@redhat.com>
> +Date: Fri, 11 Sep 2020 11:36:27 +0200
> +Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
> +
> +There are a lot of scenarios where an invalid .dockercfg file
> +will still contain secrets. This commit removes logging of the
> +contents to avoid any potential leaking and manages the actual error
> +by printing to the user the actual location of the invalid file.
> +
> +Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
> +CVE: CVE-2020-8564
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/credentialprovider/config.go      | 16 +++--
> + pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
> + 2 files changed, 102 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
> +index 377383aa903..b256bd8e7f0 100644
> +--- a/src/import/pkg/credentialprovider/config.go
> ++++ b/src/import/pkg/credentialprovider/config.go
> +@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
> + 			continue
> + 		}
> + 		cfg, err := readDockerConfigFileFromBytes(contents)
> +-		if err == nil {
> +-			klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> +-			return cfg, nil
> ++		if err != nil {
> ++			klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
> ++			continue
> + 		}
> ++
> ++		klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
> ++		return cfg, nil
> ++
> + 	}
> + 	return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
> + }
> +@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
> + 
> + func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + 	if err = json.Unmarshal(contents, &cfg); err != nil {
> +-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +-		return nil, err
> ++		return nil, errors.New("error occurred while trying to unmarshal json")
> + 	}
> + 	return
> + }
> +@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
> + func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
> + 	var cfgJson DockerConfigJson
> + 	if err = json.Unmarshal(contents, &cfgJson); err != nil {
> +-		klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +-		return nil, err
> ++		return nil, errors.New("error occurred while trying to unmarshal json")
> + 	}
> + 	cfg = cfgJson.Auths
> + 	return
> +diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
> +index c310dc33dce..6974076984f 100644
> +--- a/src/import/pkg/credentialprovider/config_test.go
> ++++ b/src/import/pkg/credentialprovider/config_test.go
> +@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
> + 		}
> + 	}
> + }
> ++
> ++func TestReadDockerConfigFileFromBytes(t *testing.T) {
> ++	testCases := []struct {
> ++		id               string
> ++		input            []byte
> ++		expectedCfg      DockerConfig
> ++		errorExpected    bool
> ++		expectedErrorMsg string
> ++	}{
> ++		{
> ++			id:    "valid input, no error expected",
> ++			input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
> ++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++				"http://foo.example.com": {
> ++					Username: "foo",
> ++					Password: "bar",
> ++					Email:    "foo@example.com",
> ++				},
> ++			}),
> ++		},
> ++		{
> ++			id:               "invalid input, error expected",
> ++			input:            []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
> ++			errorExpected:    true,
> ++			expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++		},
> ++	}
> ++
> ++	for _, tc := range testCases {
> ++		cfg, err := readDockerConfigFileFromBytes(tc.input)
> ++		if err != nil && !tc.errorExpected {
> ++			t.Fatalf("Error was not expected: %v", err)
> ++		}
> ++		if err != nil && tc.errorExpected {
> ++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++			}
> ++		} else {
> ++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++			}
> ++		}
> ++	}
> ++}
> ++
> ++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
> ++	testCases := []struct {
> ++		id               string
> ++		input            []byte
> ++		expectedCfg      DockerConfig
> ++		errorExpected    bool
> ++		expectedErrorMsg string
> ++	}{
> ++		{
> ++			id:    "valid input, no error expected",
> ++			input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
> ++			expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++				"http://foo.example.com": {
> ++					Username: "foo",
> ++					Password: "bar",
> ++					Email:    "foo@example.com",
> ++				},
> ++				"http://bar.example.com": {
> ++					Username: "bar",
> ++					Password: "baz",
> ++					Email:    "bar@example.com",
> ++				},
> ++			}),
> ++		},
> ++		{
> ++			id:               "invalid input, error expected",
> ++			input:            []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
> ++			errorExpected:    true,
> ++			expectedErrorMsg: "error occurred while trying to unmarshal json",
> ++		},
> ++	}
> ++
> ++	for _, tc := range testCases {
> ++		cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
> ++		if err != nil && !tc.errorExpected {
> ++			t.Fatalf("Error was not expected: %v", err)
> ++		}
> ++		if err != nil && tc.errorExpected {
> ++			if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
> ++				t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
> ++			}
> ++		} else {
> ++			if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++				t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
> ++			}
> ++		}
> ++	}
> ++}
> +-- 
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 8c286e2..c73f988 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
>  SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
>             file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
>             file://0001-cross-don-t-build-tests-by-default.patch \
> +           file://CVE-2020-8564.patch \
>            "
>  
>  DEPENDS += "rsync-native \
> -- 
> 2.25.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8214): https://lists.yoctoproject.org/g/meta-virtualization/message/8214
> Mute This Topic: https://lists.yoctoproject.org/mt/100815936/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


