The .patch file doesn't apply on the v1.23.17 version currently in kirkstone.
recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2024-3177.patch can't find file to patch at input line 20 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001 |From: Rita Zhang <rita.z.zh...@gmail.com> |Date: Mon, 25 Mar 2024 10:33:41 -0700 |Subject: [PATCH] Add envFrom to serviceaccount admission plugin | |Signed-off-by: Rita Zhang <rita.z.zh...@gmail.com> | |Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8] |CVE: CVE-2024-3177 |Signed-off-by: Ashish Sharma <asha...@mvista.com> | | .../pkg/admission/serviceaccount/admission.go | 21 +++ | .../serviceaccount/admission_test.go | 122 ++++++++++++++++-- | 2 files changed, 132 insertions(+), 11 deletions(-) | |diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go |index c844a051c24b..3f4338128e53 100644 |--- a/plugin/pkg/admission/serviceaccount/admission.go |+++ b/plugin/pkg/admission/serviceaccount/admission.go -------------------------- No file to patch. Skipping patch. 3 out of 3 hunks ignored can't find file to patch at input line 66 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go |index bf15f870d75a..4dba6cd8b13e 100644 |--- a/plugin/pkg/admission/serviceaccount/admission_test.go |+++ b/plugin/pkg/admission/serviceaccount/admission_test.go -------------------------- No file to patch. Skipping patch. 6 out of 6 hunks ignored Patch CVE-2024-3177.patch does not apply (enforce with -f) stderr: ") It would need to be applied in src/import subdirectory as other .patch files here are. Will send a fix, but the original submitter should do a better test before sending. On Tue, May 14, 2024 at 4:28 AM Bruce Ashfield via lists.yoctoproject.org <bruce.ashfield=gmail....@lists.yoctoproject.org> wrote: > > merged to kirkstone > > Bruce > > In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix > for CVE-2024-3177 > on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote: > > > Upstream-Status: Backport > > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8] > > > > Signed-off-by: Ashish Sharma <asha...@mvista.com> > > --- > > .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++ > > .../kubernetes/kubernetes_git.bb | 1 + > > 2 files changed, 238 insertions(+) > > create mode 100644 > > recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch > > > > diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch > > b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch > > new file mode 100644 > > index 00000000..20b2ea8a > > --- /dev/null > > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch > > @@ -0,0 +1,237 @@ > > +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001 > > +From: Rita Zhang <rita.z.zh...@gmail.com> > > +Date: Mon, 25 Mar 2024 10:33:41 -0700 > > +Subject: [PATCH] Add envFrom to serviceaccount admission plugin > > + > > +Signed-off-by: Rita Zhang <rita.z.zh...@gmail.com> > > + > > +Upstream-Status: Backport > > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8] > > +CVE: CVE-2024-3177 > > +Signed-off-by: Ashish Sharma <asha...@mvista.com> > > + > > + .../pkg/admission/serviceaccount/admission.go | 21 +++ > > + .../serviceaccount/admission_test.go | 122 ++++++++++++++++-- > > + 2 files changed, 132 insertions(+), 11 deletions(-) > > + > > +diff --git a/plugin/pkg/admission/serviceaccount/admission.go > > b/plugin/pkg/admission/serviceaccount/admission.go > > +index c844a051c24b..3f4338128e53 100644 > > +--- a/plugin/pkg/admission/serviceaccount/admission.go > > ++++ b/plugin/pkg/admission/serviceaccount/admission.go > > +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > > *corev1.ServiceAccount, po > > + } > > + } > > + } > > ++ for _, envFrom := range container.EnvFrom { > > ++ if envFrom.SecretRef != nil { > > ++ if > > !mountableSecrets.Has(envFrom.SecretRef.Name) { > > ++ return fmt.Errorf("init container %s > > with envFrom referencing secret.secretName=\"%s\" is not allowed because > > service account %s does not reference that secret", container.Name, > > envFrom.SecretRef.Name, serviceAccount.Name) > > ++ } > > ++ } > > ++ } > > + } > > + > > + for _, container := range pod.Spec.Containers { > > +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > > *corev1.ServiceAccount, po > > + } > > + } > > + } > > ++ for _, envFrom := range container.EnvFrom { > > ++ if envFrom.SecretRef != nil { > > ++ if > > !mountableSecrets.Has(envFrom.SecretRef.Name) { > > ++ return fmt.Errorf("container %s with > > envFrom referencing secret.secretName=\"%s\" is not allowed because service > > account %s does not reference that secret", container.Name, > > envFrom.SecretRef.Name, serviceAccount.Name) > > ++ } > > ++ } > > ++ } > > + } > > + > > + // limit pull secret references as well > > +@@ -388,6 +402,13 @@ func (s *Plugin) > > limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi > > + } > > + } > > + } > > ++ for _, envFrom := range container.EnvFrom { > > ++ if envFrom.SecretRef != nil { > > ++ if > > !mountableSecrets.Has(envFrom.SecretRef.Name) { > > ++ return fmt.Errorf("ephemeral > > container %s with envFrom referencing secret.secretName=\"%s\" is not > > allowed because service account %s does not reference that secret", > > container.Name, envFrom.SecretRef.Name, serviceAccount.Name) > > ++ } > > ++ } > > ++ } > > + } > > + return nil > > + } > > +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go > > b/plugin/pkg/admission/serviceaccount/admission_test.go > > +index bf15f870d75a..4dba6cd8b13e 100644 > > +--- a/plugin/pkg/admission/serviceaccount/admission_test.go > > ++++ b/plugin/pkg/admission/serviceaccount/admission_test.go > > +@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) { > > + t.Errorf("Unexpected error: %v", err) > > + } > > + > > ++ pod2 = &api.Pod{ > > ++ Spec: api.PodSpec{ > > ++ Containers: []api.Container{ > > ++ { > > ++ Name: "container-1", > > ++ EnvFrom: []api.EnvFromSource{ > > ++ { > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > ++ }, > > ++ }, > > ++ }, > > ++ } > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "", admission.Create, > > &metav1.CreateOptions{}, false, nil) > > ++ if err := admissiontesting.WithReinvocationTesting(t, > > admit).Admit(context.TODO(), attrs, nil); err != nil { > > ++ t.Errorf("Unexpected error: %v", err) > > ++ } > > ++ > > + pod2 = &api.Pod{ > > + Spec: api.PodSpec{ > > + InitContainers: []api.Container{ > > +@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) { > > + t.Errorf("Unexpected error: %v", err) > > + } > > + > > ++ pod2 = &api.Pod{ > > ++ Spec: api.PodSpec{ > > ++ InitContainers: []api.Container{ > > ++ { > > ++ Name: "container-1", > > ++ EnvFrom: []api.EnvFromSource{ > > ++ { > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > ++ }, > > ++ }, > > ++ }, > > ++ } > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "", admission.Create, > > &metav1.CreateOptions{}, false, nil) > > ++ if err := admissiontesting.WithReinvocationTesting(t, > > admit).Admit(context.TODO(), attrs, nil); err != nil { > > ++ t.Errorf("Unexpected error: %v", err) > > ++ } > > ++ > > + pod2 = &api.Pod{ > > + Spec: api.PodSpec{ > > + ServiceAccountName: DefaultServiceAccountName, > > +@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) { > > + if err := admit.Validate(context.TODO(), attrs, nil); err != nil { > > + t.Errorf("Unexpected error: %v", err) > > + } > > ++ > > ++ pod2 = &api.Pod{ > > ++ Spec: api.PodSpec{ > > ++ ServiceAccountName: DefaultServiceAccountName, > > ++ EphemeralContainers: []api.EphemeralContainer{ > > ++ { > > ++ EphemeralContainerCommon: > > api.EphemeralContainerCommon{ > > ++ Name: "container-2", > > ++ EnvFrom: []api.EnvFromSource{{ > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > ++ }, > > ++ }, > > ++ }, > > ++ }, > > ++ } > > ++ // validate enforces restrictions on secret mounts when > > operation==update and subresource==ephemeralcontainers" > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "ephemeralcontainers", > > admission.Update, &metav1.UpdateOptions{}, false, nil) > > ++ if err := admit.Validate(context.TODO(), attrs, nil); err != nil { > > ++ t.Errorf("Unexpected error: %v", err) > > ++ } > > + } > > + > > + func TestRejectsUnreferencedSecretVolumes(t *testing.T) { > > +@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t > > *testing.T) { > > + > > + pod2 = &api.Pod{ > > + Spec: api.PodSpec{ > > +- InitContainers: []api.Container{ > > ++ Containers: []api.Container{ > > + { > > + Name: "container-1", > > +- Env: []api.EnvVar{ > > ++ EnvFrom: []api.EnvFromSource{ > > + { > > +- Name: "env-1", > > +- ValueFrom: > > &api.EnvVarSource{ > > +- SecretKeyRef: > > &api.SecretKeySelector{ > > +- > > LocalObjectReference: api.LocalObjectReference{Name: "foo"}, > > +- }, > > +- }, > > +- }, > > +- }, > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > + }, > > + }, > > + }, > > + } > > + attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "", admission.Create, > > &metav1.CreateOptions{}, false, nil) > > +- if err := admissiontesting.WithReinvocationTesting(t, > > admit).Admit(context.TODO(), attrs, nil); err == nil || > > !strings.Contains(err.Error(), "with envVar") { > > ++ if err := admissiontesting.WithReinvocationTesting(t, > > admit).Admit(context.TODO(), attrs, nil); err == nil || > > !strings.Contains(err.Error(), "with envFrom") { > > + t.Errorf("Unexpected error: %v", err) > > + } > > + > > +@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t > > *testing.T) { > > + t.Errorf("validate only enforces restrictions on secret > > mounts when operation==create and subresource==''. Unexpected error: %v", > > err) > > + } > > + > > ++ pod2 = &api.Pod{ > > ++ Spec: api.PodSpec{ > > ++ ServiceAccountName: DefaultServiceAccountName, > > ++ InitContainers: []api.Container{ > > ++ { > > ++ Name: "container-1", > > ++ EnvFrom: []api.EnvFromSource{ > > ++ { > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > ++ }, > > ++ }, > > ++ }, > > ++ } > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "", admission.Update, > > &metav1.UpdateOptions{}, false, nil) > > ++ if err := admissiontesting.WithReinvocationTesting(t, > > admit).Admit(context.TODO(), attrs, nil); err != nil { > > ++ t.Errorf("admit only enforces restrictions on secret mounts > > when operation==create. Unexpected error: %v", err) > > ++ } > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "", admission.Create, > > &metav1.CreateOptions{}, false, nil) > > ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || > > !strings.Contains(err.Error(), "with envFrom") { > > ++ t.Errorf("validate only enforces restrictions on secret > > mounts when operation==create and subresource==''. Unexpected error: %v", > > err) > > ++ } > > ++ > > + pod2 = &api.Pod{ > > + Spec: api.PodSpec{ > > + ServiceAccountName: DefaultServiceAccountName, > > +@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t > > *testing.T) { > > + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || > > !strings.Contains(err.Error(), "with envVar") { > > + t.Errorf("validate enforces restrictions on secret mounts > > when operation==update and subresource==ephemeralcontainers. Unexpected > > error: %v", err) > > + } > > ++ > > ++ pod2 = &api.Pod{ > > ++ Spec: api.PodSpec{ > > ++ ServiceAccountName: DefaultServiceAccountName, > > ++ EphemeralContainers: []api.EphemeralContainer{ > > ++ { > > ++ EphemeralContainerCommon: > > api.EphemeralContainerCommon{ > > ++ Name: "container-2", > > ++ EnvFrom: []api.EnvFromSource{{ > > ++ SecretRef: > > &api.SecretEnvSource{ > > ++ > > LocalObjectReference: api.LocalObjectReference{ > > ++ Name: > > "foo"}}}}, > > ++ }, > > ++ }, > > ++ }, > > ++ }, > > ++ } > > ++ attrs = admission.NewAttributesRecord(pod2, nil, > > api.Kind("Pod").WithVersion("version"), ns, "myname", > > api.Resource("pods").WithVersion("version"), "ephemeralcontainers", > > admission.Update, &metav1.UpdateOptions{}, false, nil) > > ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || > > !strings.Contains(err.Error(), "with envFrom") { > > ++ t.Errorf("validate enforces restrictions on secret mounts > > when operation==update and subresource==ephemeralcontainers. Unexpected > > error: %v", err) > > ++ } > > + } > > + > > + func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) { > > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb > > b/recipes-containers/kubernetes/kubernetes_git.bb > > index b0c87c47..78d1cd2a 100644 > > --- a/recipes-containers/kubernetes/kubernetes_git.bb > > +++ b/recipes-containers/kubernetes/kubernetes_git.bb > > @@ -35,6 +35,7 @@ SRC_URI:append = " \ > > file://cni-containerd-net.conflist \ > > file://k8s-init \ > > file://99-kubernetes.conf \ > > + file://CVE-2024-3177.patch \ > > " > > > > DEPENDS += "rsync-native \ > > -- > > 2.35.7 > > > > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#8729): https://lists.yoctoproject.org/g/meta-virtualization/message/8729 Mute This Topic: https://lists.yoctoproject.org/mt/105882014/21656 Group Owner: meta-virtualization+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-