merged. Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8564 on 18/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <[email protected]>
>
> Upstream-commit:
> https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
>
> Signed-off-by: Vijay Anusuri <[email protected]>
> ---
> .../kubernetes/kubernetes/CVE-2020-8564.patch | 166 ++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 167 insertions(+)
> create mode 100644
> recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> new file mode 100644
> index 0000000..9388f18
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
> @@ -0,0 +1,166 @@
> +From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
> +From: Nikolaos Moraitis <[email protected]>
> +Date: Fri, 11 Sep 2020 11:36:27 +0200
> +Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
> +
> +There are a lot of scenarios where an invalid .dockercfg file
> +will still contain secrets. This commit removes logging of the
> +contents to avoid any potential leaking and manages the actual error
> +by printing to the user the actual location of the invalid file.
> +
> +Signed-off-by: Nikolaos Moraitis <[email protected]>
> +
> +Upstream-Status: Backport
> [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
> +CVE: CVE-2020-8564
> +Signed-off-by: Vijay Anusuri <[email protected]>
> +---
> + pkg/credentialprovider/config.go | 16 +++--
> + pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
> + 2 files changed, 102 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/credentialprovider/config.go
> b/pkg/credentialprovider/config.go
> +index 377383aa903..b256bd8e7f0 100644
> +--- a/src/import/pkg/credentialprovider/config.go
> ++++ b/src/import/pkg/credentialprovider/config.go
> +@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg
> DockerConfig, err error) {
> + continue
> + }
> + cfg, err := readDockerConfigFileFromBytes(contents)
> +- if err == nil {
> +- klog.V(4).Infof("found .dockercfg at %s",
> absDockerConfigFileLocation)
> +- return cfg, nil
> ++ if err != nil {
> ++ klog.V(4).Infof("couldn't get the config from %q
> contents: %v", absDockerConfigFileLocation, err)
> ++ continue
> + }
> ++
> ++ klog.V(4).Infof("found .dockercfg at %s",
> absDockerConfigFileLocation)
> ++ return cfg, nil
> ++
> + }
> + return nil, fmt.Errorf("couldn't find valid .dockercfg after checking
> in %v", searchPaths)
> + }
> +@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client
> *http.Client, header *http.H
> +
> + func 
readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err
> error) {
> + if err = json.Unmarshal(contents, &cfg); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to
> unmarshal json")
> + }
> + return
> + }
> +@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg
> DockerConfig, err error
> + func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig,
> err error) {
> + var cfgJson DockerConfigJson
> + if err = json.Unmarshal(contents, &cfgJson); err != nil {
> +- klog.Errorf("while trying to parse blob %q: %v", contents, err)
> +- return nil, err
> ++ return nil, errors.New("error occurred while trying to
> unmarshal json")
> + }
> + cfg = cfgJson.Auths
> + return
> +diff --git a/pkg/credentialprovider/config_test.go
> b/pkg/credentialprovider/config_test.go
> +index c310dc33dce..6974076984f 100644
> +--- a/src/import/pkg/credentialprovider/config_test.go
> ++++ b/src/import/pkg/credentialprovider/config_test.go
> +@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t
> *testing.T) {
> + }
> + }
> + }
> ++
> ++func TestReadDockerConfigFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"http://foo.example.com":{"username":
> "foo", "password": "bar", "email": "[email protected]"}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "[email protected]",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input:
> []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar",
> "email": "[email protected]"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: 
"error occurred while trying to
> unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg)
> {
> ++ t.Fatalf("Expected error message: `%s` got
> `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg,
> cfg)
> ++ }
> ++ }
> ++ }
> ++}
> ++
> ++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
> ++ testCases := []struct {
> ++ id string
> ++ input []byte
> ++ expectedCfg DockerConfig
> ++ errorExpected bool
> ++ expectedErrorMsg string
> ++ }{
> ++ {
> ++ id: "valid input, no error expected",
> ++ input: []byte(`{"auths":
> {"http://foo.example.com":{"username": "foo", "password": "bar", "email":
> "[email protected]"}, "http://bar.example.com":{"username": "bar", "password":
> "baz", "email": "[email protected]"}}}`),
> ++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
> ++ "http://foo.example.com": {
> ++ Username: "foo",
> ++ Password: "bar",
> ++ Email: "[email protected]",
> ++ },
> ++ "http://bar.example.com": {
> ++ Username: "bar",
> ++ Password: "baz",
> ++ Email: "[email protected]",
> ++ },
> ++ }),
> ++ },
> ++ {
> ++ id: "invalid input, error expected",
> ++ input: []byte(`{"auths":
> {"http://foo.example.com":{"username": "foo", "password": "bar", "email":
> "[email protected]"}, "http://bar.example.com":{"username": "bar", "password":
> "baz", "email": "[email protected]"`),
> ++ errorExpected: true,
> ++ expectedErrorMsg: "error occurred while trying to
> unmarshal json",
> ++ },
> ++ }
> ++
> ++ for _, tc := range testCases {
> ++ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
> ++ if err != nil && !tc.errorExpected {
> ++ t.Fatalf("Error was not 
expected: %v", err)
> ++ }
> ++ if err != nil && tc.errorExpected {
> ++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg)
> {
> ++ t.Fatalf("Expected error message: `%s` got
> `%s`", tc.expectedErrorMsg, err.Error())
> ++ }
> ++ } else {
> ++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
> ++ t.Fatalf("expected: %v got %v", tc.expectedCfg,
> cfg)
> ++ }
> ++ }
> ++ }
> ++}
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb
> b/recipes-containers/kubernetes/kubernetes_git.bb
> index 8c286e2..c73f988 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -11,6 +11,7 @@ SRCREV_kubernetes =
> "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
> SRC_URI =
> "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https
> \
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> + file://CVE-2020-8564.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.25.1
>
>
>
>
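Review bot: TestReadDockerConfigJSONFileFromBytes calls `readDockerConfigJSONFileFromBytes(tc.input)`, but the config.go context lines in the same patch show the release-1.17 function is spelled `readDockerConfigJsonFileFromBytes` (next to `var cfgJson DockerConfigJson`), so config_test.go would fail to compile as a Go test unless that tree also defines the upper-case name; the recipe's 0001-cross-don-t-build-tests-by-default.patch presumably hides this, and the call should read `cfg, err := readDockerConfigJsonFileFromBytes(tc.input)`. Both new tests also let an "error expected" case pass silently when no error comes back, because the `if err != nil && tc.errorExpected` / `else` shape falls through to the DeepEqual branch; a guard `if err == nil && tc.errorExpected { t.Fatalf("%s: expected an error", tc.id) }` placed before it closes that gap in both functions. In config.go nothing records why readDockerConfigFileFromBytes and readDockerConfigJsonFileFromBytes now return a fixed message instead of the json error, so a later cleanup could reintroduce the content logging this patch removes; a comment above each such as `// Never put contents or the json error into logs or errors: an invalid .dockercfg may still hold credentials (CVE-2020-8564).` would pin that invariant. The inner `diff --git` headers still name pkg/credentialprovider/... while their ---/+++ lines were rewritten to src/import/pkg/..., which patch/quilt tolerate but git apply treats as inconsistent filenames, so aligning them would keep the backport safe if PATCHTOOL ever changes. ReadDockercfgFile's body starts before the first inner hunk and ReadDockerConfigFileFromUrl's ends before the second.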
