From: Vijay Anusuri <[email protected]>

Upstream-commit: 
https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634

Signed-off-by: Vijay Anusuri <[email protected]>
---
 .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch 
b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 0000000..9388f18
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <[email protected]>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+
+Signed-off-by: Nikolaos Moraitis <[email protected]>
+
+Upstream-Status: Backport 
[https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ pkg/credentialprovider/config.go      | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/credentialprovider/config.go 
b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
++++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg 
DockerConfig, err error) {
+                       continue
+               }
+               cfg, err := readDockerConfigFileFromBytes(contents)
+-              if err == nil {
+-                      klog.V(4).Infof("found .dockercfg at %s", 
absDockerConfigFileLocation)
+-                      return cfg, nil
++              if err != nil {
++                      klog.V(4).Infof("couldn't get the config from %q 
contents: %v", absDockerConfigFileLocation, err)
++                      continue
+               }
++
++              klog.V(4).Infof("found .dockercfg at %s", 
absDockerConfigFileLocation)
++              return cfg, nil
++
+       }
+       return nil, fmt.Errorf("couldn't find valid .dockercfg after checking 
in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client 
*http.Client, header *http.H
+ 
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err 
error) {
+       if err = json.Unmarshal(contents, &cfg); err != nil {
+-              klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-              return nil, err
++              return nil, errors.New("error occurred while trying to 
unmarshal json")
+       }
+       return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg 
DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, 
err error) {
+       var cfgJson DockerConfigJson
+       if err = json.Unmarshal(contents, &cfgJson); err != nil {
+-              klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-              return nil, err
++              return nil, errors.New("error occurred while trying to 
unmarshal json")
+       }
+       cfg = cfgJson.Auths
+       return
+diff --git a/pkg/credentialprovider/config_test.go 
b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
++++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t 
*testing.T) {
+               }
+       }
+ }
++
++func TestReadDockerConfigFileFromBytes(t *testing.T) {
++      testCases := []struct {
++              id               string
++              input            []byte
++              expectedCfg      DockerConfig
++              errorExpected    bool
++              expectedErrorMsg string
++      }{
++              {
++                      id:    "valid input, no error expected",
++                      input: []byte(`{"http://foo.example.com":{"username": 
"foo", "password": "bar", "email": "[email protected]"}}`),
++                      expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++                              "http://foo.example.com": {
++                                      Username: "foo",
++                                      Password: "bar",
++                                      Email:    "[email protected]",
++                              },
++                      }),
++              },
++              {
++                      id:               "invalid input, error expected",
++                      input:            
[]byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", 
"email": "[email protected]"`),
++                      errorExpected:    true,
++                      expectedErrorMsg: "error occurred while trying to 
unmarshal json",
++              },
++      }
++
++      for _, tc := range testCases {
++              cfg, err := readDockerConfigFileFromBytes(tc.input)
++              if err != nil && !tc.errorExpected {
++                      t.Fatalf("Error was not expected: %v", err)
++              }
++              if err != nil && tc.errorExpected {
++                      if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) 
{
++                              t.Fatalf("Expected error message: `%s` got 
`%s`", tc.expectedErrorMsg, err.Error())
++                      }
++              } else {
++                      if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++                              t.Fatalf("expected: %v got %v", tc.expectedCfg, 
cfg)
++                      }
++              }
++      }
++}
++
++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
++      testCases := []struct {
++              id               string
++              input            []byte
++              expectedCfg      DockerConfig
++              errorExpected    bool
++              expectedErrorMsg string
++      }{
++              {
++                      id:    "valid input, no error expected",
++                      input: []byte(`{"auths": 
{"http://foo.example.com":{"username": "foo", "password": "bar", "email": 
"[email protected]"}, "http://bar.example.com":{"username": "bar", "password": 
"baz", "email": "[email protected]"}}}`),
++                      expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++                              "http://foo.example.com": {
++                                      Username: "foo",
++                                      Password: "bar",
++                                      Email:    "[email protected]",
++                              },
++                              "http://bar.example.com": {
++                                      Username: "bar",
++                                      Password: "baz",
++                                      Email:    "[email protected]",
++                              },
++                      }),
++              },
++              {
++                      id:               "invalid input, error expected",
++                      input:            []byte(`{"auths": 
{"http://foo.example.com":{"username": "foo", "password": "bar", "email": 
"[email protected]"}, "http://bar.example.com":{"username": "bar", "password": 
"baz", "email": "[email protected]"`),
++                      errorExpected:    true,
++                      expectedErrorMsg: "error occurred while trying to 
unmarshal json",
++              },
++      }
++
++      for _, tc := range testCases {
++              cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
++              if err != nil && !tc.errorExpected {
++                      t.Fatalf("Error was not expected: %v", err)
++              }
++              if err != nil && tc.errorExpected {
++                      if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) 
{
++                              t.Fatalf("Expected error message: `%s` got 
`%s`", tc.expectedErrorMsg, err.Error())
++                      }
++              } else {
++                      if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++                              t.Fatalf("expected: %v got %v", tc.expectedCfg, 
cfg)
++                      }
++              }
++      }
++}
+-- 
+2.25.1
+
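Review bot: The embedded patch's `diff --git` headers name `a/pkg/credentialprovider/config.go` and `a/pkg/credentialprovider/config_test.go`, while the `---`/`+++` lines directly under them name `a/src/import/pkg/credentialprovider/config.go` and `a/src/import/pkg/credentialprovider/config_test.go`; the two header forms should agree. GNU patch, which quilt (poky's default PATCHTOOL) drives, only consults the `---`/`+++` paths with `-p1`, so the recipe will most likely apply it, but `git apply` treats a `diff --git` line that disagrees with `---`/`+++` as a malformed patch (an "inconsistent old/new filename" error, as far as I recall), which bites anyone re-applying the file outside bitbake or with `PATCHTOOL = "git"`. I would regenerate the headers as `diff --git a/src/import/pkg/credentialprovider/config.go b/src/import/pkg/credentialprovider/config.go` and `diff --git a/src/import/pkg/credentialprovider/config_test.go b/src/import/pkg/credentialprovider/config_test.go` so all three lines per file carry the same prefix. Separately, the new branches in readDockerConfigFileFromBytes and readDockerConfigJsonFileFromBytes call `errors.New` while no hunk touches config.go's import block, so it is worth confirming that the release-1.17 config.go already imports `errors`; if it does not, the failure surfaces at compile time rather than when the patch is applied.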
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb 
b/recipes-containers/kubernetes/kubernetes_git.bb
index 8c286e2..c73f988 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
 SRC_URI = 
"git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https
 \
            file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
            file://0001-cross-don-t-build-tests-by-default.patch \
+           file://CVE-2020-8564.patch \
           "
 
 DEPENDS += "rsync-native \
-- 
2.25.1
