Signed-off-by: Muminul Islam <[email protected]> --- .../kubernetes/CVE-2018-1002105.patch | 87 +++++++++++++++++++ .../kubernetes/kubernetes_git.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch new file mode 100644 index 0000000..9901bb2 --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch @@ -0,0 +1,87 @@ +From b2c05ca842b97090df424e0401968ba8d7ee3ecb Mon Sep 17 00:00:00 2001 +From: Jordan Liggitt <[email protected]> +Date: Mon, 5 Nov 2018 23:50:35 -0500 +Subject: [PATCH] Verify backend upgraded connection +Reply-To: [email protected] + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2018-1002105 + +Upstream-Status: Backport +--- + .../pkg/util/proxy/upgradeaware.go | 37 +++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go +index 4d5cd34d48..b14819079c 100644 +--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go ++++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go +@@ -17,6 +17,7 @@ limitations under the License. + package proxy + + import ( ++ "bufio" + "bytes" + "context" + "fmt" +@@ -269,6 +270,18 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques + } + defer backendConn.Close() + ++ // determine the http response code from the backend by reading from rawResponse+backendConn ++ rawResponseCode, headerBytes, err := getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn)) ++ if err != nil { ++ klog.V(6).Infof("Proxy connection error: %v", err) ++ h.Responder.Error(w, req, err) ++ return true ++ } ++ if len(headerBytes) > len(rawResponse) { ++ // we read beyond the bytes stored in rawResponse, update rawResponse to the full set of bytes read from the backend ++ rawResponse = headerBytes ++ } ++ + // Once the connection is hijacked, the ErrorResponder will no longer work, so + // hijacking should be the last step in the upgrade. + requestHijacker, ok := w.(http.Hijacker) +@@ -293,6 +306,17 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques + } + } + ++ if rawResponseCode != http.StatusSwitchingProtocols { ++ // If the backend did not upgrade the request, finish echoing the response from the backend to the client and return, closing the connection. ++ klog.V(6).Infof("Proxy upgrade error, status code %d", rawResponseCode) ++ _, err := io.Copy(requestHijackedConn, backendConn) ++ if err != nil && !strings.Contains(err.Error(), "use of closed network connection") { ++ klog.Errorf("Error proxying data from backend to client: %v", err) ++ } ++ // Indicate we handled the request ++ return true ++ } ++ + // Proxy the connection. This is bidirectional, so we need a goroutine + // to copy in each direction. Once one side of the connection exits, we + // exit the function which performs cleanup and in the process closes +@@ -354,6 +378,19 @@ func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error + return dial(updatedReq, h.UpgradeTransport) + } + ++// getResponseCode reads a http response from the given reader, returns the status code, ++// the bytes read from the reader, and any error encountered ++func getResponseCode(r io.Reader) (int, []byte, error) { ++ rawResponse := bytes.NewBuffer(make([]byte, 0, 256)) ++ // Save the bytes read while reading the response headers into the rawResponse buffer ++ resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil) ++ if err != nil { ++ return 0, nil, err ++ } ++ // return the http status code and the raw bytes consumed from the reader in the process ++ return resp.StatusCode, rawResponse.Bytes(), nil ++} ++ + // dial dials the backend at req.URL and writes req to it. + func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) { + conn, err := DialURL(req.Context(), req.URL, transport) +-- +2.23.0 + diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index a0e0e47..b587e16 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=master;name=kuberne file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \ file://0001-cross-don-t-build-tests-by-default.patch \ file://0001-fix-compiling-failure-execvp-bin-bash-Argument-list-.patch \ + file://CVE-2018-1002105.patch \ " DEPENDS += "rsync-native \ -- 2.23.0 -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
