Thanks Bruce! Can this be cherry-picked into Dunfell and other branches as well?
-----Original Message----- From: [email protected] <[email protected]> On Behalf Of Bruce Ashfield Sent: Thursday, July 29, 2021 7:58 AM To: [email protected] Cc: [email protected] Subject: Re: [meta-virtualization][hardknott][PATCH] kubernetes: fix CVE-2021-20206 merged. Bruce In message: [meta-virtualization][hardknott][PATCH] kubernetes: fix CVE-2021-20206 on 28/07/2021 [email protected] wrote: > Signed-off-by: Sakib Sajal <[email protected]> > --- > .../kubernetes/CVE-2021-20206.patch | 92 +++++++++++++++++++ > .../kubernetes/kubernetes_git.bb | 1 + > 2 files changed, 93 insertions(+) > create mode 100644 > recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch > > diff --git > a/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch > b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch > new file mode 100644 > index 0000000..dc4e902 > --- /dev/null > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch 
> @@ -0,0 +1,92 @@ > +From 5e8f9a8a72351e2fb5bcea3e3c58c935314557b6 Mon Sep 17 00:00:00 > +2001 > +From: Navid Shaikh <[email protected]> > +Date: Thu, 6 May 2021 15:41:08 +0530 > +Subject: [PATCH] Bump containernetworking/cni to v0.8.1 > + > + Fix CVE-2021-20206 > +CVE: CVE-2021-20206 > +Upstream-Status: Backport [185f65fbddb5239666c0c67fb335589b7570f60c] > +Signed-off-by: Sakib Sajal <[email protected]> > +--- > + go.mod | 4 ++-- > + go.sum | 4 ++-- > + vendor/github.com/containernetworking/cni/pkg/invoke/find.go | 5 +++++ > + vendor/modules.txt | 2 +- > + 4 files changed, 10 insertions(+), 5 deletions(-) > + > +diff --git a/src/import/go.mod b/src/import/go.mod index > +e0ba549ab40..d4cc9ce01a9 100644 > +--- a/src/import/go.mod > ++++ b/src/import/go.mod > +@@ -28,7 +28,7 @@ require ( > + github.com/clusterhq/flocker-go v0.0.0-20160920122132-2b8b7259d313 > + github.com/codegangsta/negroni v1.0.0 // indirect > + github.com/container-storage-interface/spec v1.2.0 > +- github.com/containernetworking/cni v0.8.0 > ++ github.com/containernetworking/cni v0.8.1 > + github.com/coredns/corefile-migration v1.0.10 > + github.com/coreos/go-oidc v2.1.0+incompatible > + github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e > +@@ -214,7 +214,7 @@ replace ( > + github.com/containerd/go-runc => github.com/containerd/go-runc > v0.0.0-20180907222934-5a6d9f37cfa3 > + github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2 > + github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1 > +- github.com/containernetworking/cni => > github.com/containernetworking/cni v0.8.0 > ++ github.com/containernetworking/cni => > ++github.com/containernetworking/cni v0.8.1 > + github.com/coredns/corefile-migration => > github.com/coredns/corefile-migration v1.0.10 > + github.com/coreos/bbolt => github.com/coreos/bbolt v1.3.2 > + github.com/coreos/etcd => github.com/coreos/etcd > +v3.3.13+incompatible 
diff --git a/src/import/go.sum > +b/src/import/go.sum index 288f4554b1f..9168f49c859 100644 > +--- a/src/import/go.sum > ++++ b/src/import/go.sum > +@@ -113,8 +113,8 @@ github.com/containerd/ttrpc v1.0.2 > +h1:2/O3oTZN36q2xRolk0a2WWGgh7/Vf/liElg5hFYLX9 > + github.com/containerd/ttrpc v1.0.2/go.mod > +h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= > + github.com/containerd/typeurl v1.0.1 > +h1:PvuK4E3D5S5q6IqsPDCy928FhP0LUIGcmZ/Yhgp5Djw= > + github.com/containerd/typeurl v1.0.1/go.mod > +h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= > +-github.com/containernetworking/cni v0.8.0 > +h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjMCbgybcKI= > +-github.com/containernetworking/cni v0.8.0/go.mod > +h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= > ++github.com/containernetworking/cni v0.8.1 > ++h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI= > ++github.com/containernetworking/cni v0.8.1/go.mod > ++h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= > + github.com/coredns/corefile-migration v1.0.10 > +h1:7HI4r5S5Fne749a+JDxUZppqBpYoZK8Q53ZVK9cn3aM= > + github.com/coredns/corefile-migration v1.0.10/go.mod > +h1:RMy/mXdeDlYwzt0vdMEJvT2hGJ2I86/eO0UdXmH9XNI= > + github.com/coreos/bbolt v1.3.2 > +h1:wZwiHHUieZCquLkDL0B8UhzreNWsPHooDAG3q34zk0s= > +diff --git > +a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/fin > +d.go > +b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/fin > +d.go index e815404c859..e62029eb788 100644 > +--- > +a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/fin > +d.go > ++++ b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke > ++++ /find.go > +@@ -18,6 +18,7 @@ import ( > + "fmt" > + "os" > + "path/filepath" > ++ "strings" > + ) > + > + // FindInPath returns the full path of the plugin by searching in > +the provided path 
@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths > []string) (string, error) { > + return "", fmt.Errorf("no plugin name provided") > + } > + > ++ if strings.ContainsRune(plugin, os.PathSeparator) { > ++ return "", fmt.Errorf("invalid plugin name: %s", plugin) > ++ } > ++ > + if len(paths) == 0 { > + return "", fmt.Errorf("no paths provided") > + } > +diff --git a/src/import/vendor/modules.txt > +b/src/import/vendor/modules.txt index 6a263b51686..c3b68a5f547 100644 > +--- a/src/import/vendor/modules.txt > ++++ b/src/import/vendor/modules.txt > +@@ -257,7 +257,7 @@ github.com/containerd/containerd/pkg/dialer > + github.com/containerd/ttrpc > + # github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2 > +# github.com/containerd/typeurl => github.com/containerd/typeurl > +v1.0.1 -# github.com/containernetworking/cni v0.8.0 => > +github.com/containernetworking/cni v0.8.0 > ++# github.com/containernetworking/cni v0.8.1 => > ++github.com/containernetworking/cni v0.8.1 > + ## explicit > + # github.com/containernetworking/cni => > +github.com/containernetworking/cni v0.8.0 > +github.com/containernetworking/cni/libcni > +-- > +2.25.1 > + > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb > b/recipes-containers/kubernetes/kubernetes_git.bb > index bc694a2..7b9aab8 100644 > --- a/recipes-containers/kubernetes/kubernetes_git.bb > +++ b/recipes-containers/kubernetes/kubernetes_git.bb > @@ -16,6 +16,7 @@ SRC_URI = > "git://github.com/kubernetes/kubernetes.git;branch=release-1.20;name=k > file://0001-generate-bindata-unset-GOBIN.patch \ > > file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \ > > file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch > \ > + file://CVE-2021-20206.patch \ > " > > DEPENDS += "rsync-native \ > -- > 2.32.0 > > > >
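Review bot: in the FindInPath hunk of find.go, the rejected name is echoed back with %s in `fmt.Errorf("invalid plugin name: %s", plugin)`. This is the branch that handles names already judged invalid, so %q would keep embedded newlines or control characters from reaching logs unescaped. Since this is a backport, that is better raised upstream than changed locally. The diffstat also shows no test alongside the new guard. A small case asserting that a name containing os.PathSeparator returns an error would catch the check being lost in a later re-vendoring.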
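Review bot: in the vendor/modules.txt hunk, the trailing context line `# github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0` is left unchanged, while the go.mod hunk moves the matching replace directive to v0.8.1. After this patch the two files disagree about the replacement version. Please check the hunk against upstream commit 185f65fbddb5239666c0c67fb335589b7570f60c and update that line as well if upstream did, so that go.mod and vendor/modules.txt stay consistent for vendor-mode builds.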
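Review bot: the kubernetes_git.bb hunk adds the patch to a SRC_URI that fetches branch=release-1.20, and the embedded go.mod, go.sum and modules.txt hunks all expect cni v0.8.0 as their starting point. A cherry-pick to another layer branch will only apply cleanly if that branch's Kubernetes tree vendors the same version. If it does not, the patch should be regenerated against that tree rather than force-applied. The recipe commit also has no body beyond the Signed-off-by line. One sentence saying that the fix is the plugin-name check in FindInPath would help anyone auditing CVE coverage later.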
