[meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220

All of lore.kernel.org
 help / color / mirror / Atom feed

* [meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220
@ 2025-11-17  5:00 vanusuri
  2025-11-19 23:28 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: vanusuri @ 2025-11-17  5:00 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Vijay Anusuri

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192

Reference: https://github.com/kubernetes/kubernetes/issues/128885

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../kubernetes/CVE-2024-10220.patch           | 57 +++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
new file mode 100644
index 00000000..c0e371af
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,57 @@
+From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
+From: Imre Rad <imrer@google.com>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+
+More details on Hackerone #2266560
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
+CVE: CVE-2024-10220
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/git_repo/git_repo.go      |  6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d900727..b3827b92ad0f0 100644
+--- a/pkg/volume/git_repo/git_repo.go
++++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+ 	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+ 		return err
+ 	}
++	if (src.Revision != "") && (src.Directory != "") {
++		cleanedDir := filepath.Clean(src.Directory)
++		if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
++			return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
++		}
++	}
+ 	return nil
+ }
+ 
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892a1..650f765cc4884 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
++++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+ 			},
+ 			isExpectedFailure: true,
+ 		},
++		{
++			name: "invalid-revision-directory-combo",
++			vol: &v1.Volume{
++				Name: "vol1",
++				VolumeSource: v1.VolumeSource{
++					GitRepo: &v1.GitRepoVolumeSource{
++						Repository: gitURL,
++						Revision:   "main",
++						Directory:  "foo/bar",
++					},
++				},
++			},
++			isExpectedFailure: true,
++		},
+ 	}
+ 
+ 	for _, scenario := range scenarios {
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 41f1ad73..dbfb3705 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -39,6 +39,7 @@ SRC_URI:append = " \
            file://CVE-2023-3955.patch;patchdir=src/import \
            file://CVE-2023-3676.patch;patchdir=src/import \
            file://CVE-2025-5187.patch;patchdir=src/import \
+           file://CVE-2024-10220.patch;patchdir=src/import \
           "
 
 DEPENDS += "rsync-native \
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220
  2025-11-17  5:00 [meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220 vanusuri
@ 2025-11-19 23:28 ` Bruce Ashfield
  0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-11-19 23:28 UTC (permalink / raw)
  To: vanusuri; +Cc: meta-virtualization

merged.

Bruce

In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220
on 17/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:

> From: Vijay Anusuri <vanusuri@mvista.com>
> 
> Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192
> 
> Reference: https://github.com/kubernetes/kubernetes/issues/128885
> 
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../kubernetes/CVE-2024-10220.patch           | 57 +++++++++++++++++++
>  .../kubernetes/kubernetes_git.bb              |  1 +
>  2 files changed, 58 insertions(+)
>  create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
> 
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
> new file mode 100644
> index 00000000..c0e371af
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
> @@ -0,0 +1,57 @@
> +From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
> +From: Imre Rad <imrer@google.com>
> +Date: Thu, 25 Apr 2024 14:21:51 +0000
> +Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
> +
> +More details on Hackerone #2266560
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
> +CVE: CVE-2024-10220
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/volume/git_repo/git_repo.go      |  6 ++++++
> + pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
> + 2 files changed, 20 insertions(+)
> +
> +diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
> +index 995018d900727..b3827b92ad0f0 100644
> +--- a/pkg/volume/git_repo/git_repo.go
> ++++ b/pkg/volume/git_repo/git_repo.go
> +@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
> + 	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
> + 		return err
> + 	}
> ++	if (src.Revision != "") && (src.Directory != "") {
> ++		cleanedDir := filepath.Clean(src.Directory)
> ++		if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
> ++			return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
> ++		}
> ++	}
> + 	return nil
> + }
> + 
> +diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
> +index 5b1461be892a1..650f765cc4884 100644
> +--- a/pkg/volume/git_repo/git_repo_test.go
> ++++ b/pkg/volume/git_repo/git_repo_test.go
> +@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
> + 			},
> + 			isExpectedFailure: true,
> + 		},
> ++		{
> ++			name: "invalid-revision-directory-combo",
> ++			vol: &v1.Volume{
> ++				Name: "vol1",
> ++				VolumeSource: v1.VolumeSource{
> ++					GitRepo: &v1.GitRepoVolumeSource{
> ++						Repository: gitURL,
> ++						Revision:   "main",
> ++						Directory:  "foo/bar",
> ++					},
> ++				},
> ++			},
> ++			isExpectedFailure: true,
> ++		},
> + 	}
> + 
> + 	for _, scenario := range scenarios {
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 41f1ad73..dbfb3705 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -39,6 +39,7 @@ SRC_URI:append = " \
>             file://CVE-2023-3955.patch;patchdir=src/import \
>             file://CVE-2023-3676.patch;patchdir=src/import \
>             file://CVE-2025-5187.patch;patchdir=src/import \
> +           file://CVE-2024-10220.patch;patchdir=src/import \
>            "
>  
>  DEPENDS += "rsync-native \
> -- 
> 2.25.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9441): https://lists.yoctoproject.org/g/meta-virtualization/message/9441
> Mute This Topic: https://lists.yoctoproject.org/mt/116333305/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-11-19 23:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-17  5:00 [meta-virtualization][kirkstone][PATCH] kubernetes: Fix for CVE-2024-10220 vanusuri
2025-11-19 23:28 ` Bruce Ashfield

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.