* [meta-virtualization][scarthgap][PATCH] kubernetes: Fix for CVE-2024-10220
@ 2025-11-19 8:52 Hitendra Prajapati
2025-11-19 23:26 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: Hitendra Prajapati @ 2025-11-19 8:52 UTC (permalink / raw)
To: meta-virtualization; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/4b7b754099e32ce4b67dacd51d60daa2686ddd94
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../kubernetes/CVE-2024-10220.patch | 60 +++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 1 +
2 files changed, 61 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
new file mode 100644
index 00000000..1de966e4
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,60 @@
+From 4b7b754099e32ce4b67dacd51d60daa2686ddd94 Mon Sep 17 00:00:00 2001
+From: Imre Rad <imrer@google.com>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+
+More details on Hackerone #2266560
+
+CVE: CVE-2024-10220
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/4b7b754099e32ce4b67dacd51d60daa2686ddd94]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ pkg/volume/git_repo/git_repo.go | 6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d9007..b3827b92ad0 100644
+--- a/pkg/volume/git_repo/git_repo.go
++++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+ if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+ return err
+ }
++ if (src.Revision != "") && (src.Directory != "") {
++ cleanedDir := filepath.Clean(src.Directory)
++ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
++ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
++ }
++ }
+ return nil
+ }
+
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892..650f765cc48 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
++++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+ },
+ isExpectedFailure: true,
+ },
++ {
++ name: "invalid-revision-directory-combo",
++ vol: &v1.Volume{
++ Name: "vol1",
++ VolumeSource: v1.VolumeSource{
++ GitRepo: &v1.GitRepoVolumeSource{
++ Repository: gitURL,
++ Revision: "main",
++ Directory: "foo/bar",
++ },
++ },
++ },
++ isExpectedFailure: true,
++ },
+ }
+
+ for _, scenario := range scenarios {
+--
+2.50.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index ee44db47..5339371c 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -35,6 +35,7 @@ SRC_URI:append = " \
file://k8s-init \
file://99-kubernetes.conf \
file://CVE-2025-5187.patch \
+ file://CVE-2024-10220.patch \
"
DEPENDS += "rsync-native \
--
2.50.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [meta-virtualization][scarthgap][PATCH] kubernetes: Fix for CVE-2024-10220
2025-11-19 8:52 [meta-virtualization][scarthgap][PATCH] kubernetes: Fix for CVE-2024-10220 Hitendra Prajapati
@ 2025-11-19 23:26 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-11-19 23:26 UTC (permalink / raw)
To: hprajapati; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][scarthgap][PATCH] kubernetes: Fix for CVE-2024-10220
on 19/11/2025 Hitendra Prajapati via lists.yoctoproject.org wrote:
> Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/4b7b754099e32ce4b67dacd51d60daa2686ddd94
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../kubernetes/CVE-2024-10220.patch | 60 +++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 61 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
> new file mode 100644
> index 00000000..1de966e4
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
> @@ -0,0 +1,60 @@
> +From 4b7b754099e32ce4b67dacd51d60daa2686ddd94 Mon Sep 17 00:00:00 2001
> +From: Imre Rad <imrer@google.com>
> +Date: Thu, 25 Apr 2024 14:21:51 +0000
> +Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
> +
> +More details on Hackerone #2266560
> +
> +CVE: CVE-2024-10220
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/4b7b754099e32ce4b67dacd51d60daa2686ddd94]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + pkg/volume/git_repo/git_repo.go | 6 ++++++
> + pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
> + 2 files changed, 20 insertions(+)
> +
> +diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
> +index 995018d9007..b3827b92ad0 100644
> +--- a/pkg/volume/git_repo/git_repo.go
> ++++ b/pkg/volume/git_repo/git_repo.go
> +@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
> + if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
> + return err
> + }
> ++ if (src.Revision != "") && (src.Directory != "") {
> ++ cleanedDir := filepath.Clean(src.Directory)
> ++ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
> ++ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
> ++ }
> ++ }
> + return nil
> + }
> +
> +diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
> +index 5b1461be892..650f765cc48 100644
> +--- a/pkg/volume/git_repo/git_repo_test.go
> ++++ b/pkg/volume/git_repo/git_repo_test.go
> +@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
> + },
> + isExpectedFailure: true,
> + },
> ++ {
> ++ name: "invalid-revision-directory-combo",
> ++ vol: &v1.Volume{
> ++ Name: "vol1",
> ++ VolumeSource: v1.VolumeSource{
> ++ GitRepo: &v1.GitRepoVolumeSource{
> ++ Repository: gitURL,
> ++ Revision: "main",
> ++ Directory: "foo/bar",
> ++ },
> ++ },
> ++ },
> ++ isExpectedFailure: true,
> ++ },
> + }
> +
> + for _, scenario := range scenarios {
> +--
> +2.50.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index ee44db47..5339371c 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -35,6 +35,7 @@ SRC_URI:append = " \
> file://k8s-init \
> file://99-kubernetes.conf \
> file://CVE-2025-5187.patch \
> + file://CVE-2024-10220.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.50.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9443): https://lists.yoctoproject.org/g/meta-virtualization/message/9443
> Mute This Topic: https://lists.yoctoproject.org/mt/116370883/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-19 23:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-19 8:52 [meta-virtualization][scarthgap][PATCH] kubernetes: Fix for CVE-2024-10220 Hitendra Prajapati
2025-11-19 23:26 ` Bruce Ashfield
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.