* [meta-virtualization][hardnott][PATCH 1/2] kubernetes: fix CVE-2021-25737
@ 2021-06-10 14:26 sakib.sajal
2021-06-10 14:26 ` [meta-virtualization][hardnott][PATCH 2/2] kubernetes: fix CVE-2021-20206 sakib.sajal
0 siblings, 1 reply; 2+ messages in thread
From: sakib.sajal @ 2021-06-10 14:26 UTC (permalink / raw)
To: meta-virtualization
Updating EndpointSlice validation to match Endpoints validation
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
.../kubernetes/CVE-2021-25737.patch | 213 ++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 1 +
2 files changed, 214 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
new file mode 100644
index 0000000..43358d5
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
@@ -0,0 +1,213 @@
+From dd95bba6cd1dfec0985d3e1068c12713597cbe4a Mon Sep 17 00:00:00 2001
+From: Rob Scott <robertjscott@google.com>
+Date: Fri, 9 Apr 2021 15:24:17 -0700
+Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
+ validation
+
+Upstream-Status: Backport [dd95bba6cd1dfec0985d3e1068c12713597cbe4a]
+CVE: CVE-2021-25737
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+
+---
+ pkg/apis/core/validation/validation.go | 18 ++++---
+ pkg/apis/core/validation/validation_test.go | 40 +++++++++++++++
+ pkg/apis/discovery/validation/validation.go | 2 +
+ .../discovery/validation/validation_test.go | 51 +++++++++++++++++--
+ 4 files changed, 101 insertions(+), 10 deletions(-)
+
+diff --git a/src/import/pkg/apis/core/validation/validation.go b/src/import/pkg/apis/core/validation/validation.go
+index fd3477176a4..197be6388c7 100644
+--- a/src/import/pkg/apis/core/validation/validation.go
++++ b/src/import/pkg/apis/core/validation/validation.go
+@@ -4239,7 +4239,7 @@ func ValidateService(service *core.Service) field.ErrorList {
+ allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
+ }
+ } else {
+- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
++ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
+ }
+ }
+
+@@ -5703,15 +5703,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
+ }
+ }
+- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
++ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+ return allErrs
+ }
+
+-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+- // We disallow some IPs as endpoints or external-ips. Specifically,
+- // unspecified and loopback addresses are nonsensical and link-local
+- // addresses tend to be used for node-centric purposes (e.g. metadata
+- // service).
++// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
++// external IPs. Specifically, this disallows unspecified and loopback addresses
++// are nonsensical and link-local addresses tend to be used for node-centric
++// purposes (e.g. metadata service).
++//
++// IPv6 references
++// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
++// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
++func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+ allErrs := field.ErrorList{}
+ ip := net.ParseIP(ipAddress)
+ if ip == nil {
+diff --git a/src/import/pkg/apis/core/validation/validation_test.go b/src/import/pkg/apis/core/validation/validation_test.go
+index bfdb5237241..f379cd47368 100644
+--- a/src/import/pkg/apis/core/validation/validation_test.go
++++ b/src/import/pkg/apis/core/validation/validation_test.go
+@@ -16915,3 +16915,43 @@ func TestValidatePodTemplateSpecSeccomp(t *testing.T) {
+ asserttestify.Equal(t, test.expectedErr, err, "TestCase[%d]: %s", i, test.description)
+ }
+ }
++
++func TestValidateNonSpecialIP(t *testing.T) {
++ fp := field.NewPath("ip")
++
++ // Valid values.
++ for _, tc := range []struct {
++ desc string
++ ip string
++ }{
++ {"ipv4", "10.1.2.3"},
++ {"ipv6", "2000::1"},
++ } {
++ t.Run(tc.desc, func(t *testing.T) {
++ errs := ValidateNonSpecialIP(tc.ip, fp)
++ if len(errs) != 0 {
++ t.Errorf("ValidateNonSpecialIP(%q, ...) = %v; want nil", tc.ip, errs)
++ }
++ })
++ }
++ // Invalid cases
++ for _, tc := range []struct {
++ desc string
++ ip string
++ }{
++ {"ipv4 unspecified", "0.0.0.0"},
++ {"ipv6 unspecified", "::0"},
++ {"ipv4 localhost", "127.0.0.0"},
++ {"ipv4 localhost", "127.255.255.255"},
++ {"ipv6 localhost", "::1"},
++ {"ipv6 link local", "fe80::"},
++ {"ipv6 local multicast", "ff02::"},
++ } {
++ t.Run(tc.desc, func(t *testing.T) {
++ errs := ValidateNonSpecialIP(tc.ip, fp)
++ if len(errs) == 0 {
++ t.Errorf("ValidateNonSpecialIP(%q, ...) = nil; want non-nil (errors)", tc.ip)
++ }
++ })
++ }
++}
+diff --git a/src/import/pkg/apis/discovery/validation/validation.go b/src/import/pkg/apis/discovery/validation/validation.go
+index 8499e7a696a..d1fa4c8ce0f 100644
+--- a/src/import/pkg/apis/discovery/validation/validation.go
++++ b/src/import/pkg/apis/discovery/validation/validation.go
+@@ -96,8 +96,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
+ switch addrType {
+ case discovery.AddressTypeIPv4:
+ allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
++ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+ case discovery.AddressTypeIPv6:
+ allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
++ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+ case discovery.AddressTypeFQDN:
+ allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
+ }
+diff --git a/src/import/pkg/apis/discovery/validation/validation_test.go b/src/import/pkg/apis/discovery/validation/validation_test.go
+index 5c7d478eb7e..0d944b59d12 100644
+--- a/src/import/pkg/apis/discovery/validation/validation_test.go
++++ b/src/import/pkg/apis/discovery/validation/validation_test.go
+@@ -52,6 +52,21 @@ func TestValidateEndpointSlice(t *testing.T) {
+ }},
+ },
+ },
++ "good-ipv6": {
++ expectedErrors: 0,
++ endpointSlice: &discovery.EndpointSlice{
++ ObjectMeta: standardMeta,
++ AddressType: discovery.AddressTypeIPv6,
++ Ports: []discovery.EndpointPort{{
++ Name: utilpointer.StringPtr("http"),
++ Protocol: protocolPtr(api.ProtocolTCP),
++ }},
++ Endpoints: []discovery.Endpoint{{
++ Addresses: []string{"a00:100::4"},
++ Hostname: utilpointer.StringPtr("valid-123"),
++ }},
++ },
++ },
+ "good-fqdns": {
+ expectedErrors: 0,
+ endpointSlice: &discovery.EndpointSlice{
+@@ -375,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+ },
+ },
+ "bad-ip": {
+- expectedErrors: 1,
++ expectedErrors: 2,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv4,
+@@ -390,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+ },
+ },
+ "bad-ipv4": {
+- expectedErrors: 2,
++ expectedErrors: 3,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv4,
+@@ -405,7 +420,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+ },
+ },
+ "bad-ipv6": {
+- expectedErrors: 2,
++ expectedErrors: 4,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv6,
+@@ -454,6 +469,36 @@ func TestValidateEndpointSlice(t *testing.T) {
+ expectedErrors: 3,
+ endpointSlice: &discovery.EndpointSlice{},
+ },
++ "special-ipv4": {
++ expectedErrors: 1,
++ endpointSlice: &discovery.EndpointSlice{
++ ObjectMeta: standardMeta,
++ AddressType: discovery.AddressTypeIPv4,
++ Ports: []discovery.EndpointPort{{
++ Name: utilpointer.StringPtr("http"),
++ Protocol: protocolPtr(api.ProtocolTCP),
++ }},
++ Endpoints: []discovery.Endpoint{{
++ Addresses: []string{"127.0.0.1"},
++ Hostname: utilpointer.StringPtr("valid-123"),
++ }},
++ },
++ },
++ "special-ipv6": {
++ expectedErrors: 1,
++ endpointSlice: &discovery.EndpointSlice{
++ ObjectMeta: standardMeta,
++ AddressType: discovery.AddressTypeIPv6,
++ Ports: []discovery.EndpointPort{{
++ Name: utilpointer.StringPtr("http"),
++ Protocol: protocolPtr(api.ProtocolTCP),
++ }},
++ Endpoints: []discovery.Endpoint{{
++ Addresses: []string{"fe80::9656:d028:8652:66b6"},
++ Hostname: utilpointer.StringPtr("valid-123"),
++ }},
++ },
++ },
+ }
+
+ for name, testCase := range testCases {
+--
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index bc694a2..57cadfe 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.20;name=k
file://0001-generate-bindata-unset-GOBIN.patch \
file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \
file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch \
+ file://CVE-2021-25737.patch \
"
DEPENDS += "rsync-native \
--
2.29.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [meta-virtualization][hardnott][PATCH 2/2] kubernetes: fix CVE-2021-20206
2021-06-10 14:26 [meta-virtualization][hardnott][PATCH 1/2] kubernetes: fix CVE-2021-25737 sakib.sajal
@ 2021-06-10 14:26 ` sakib.sajal
0 siblings, 0 replies; 2+ messages in thread
From: sakib.sajal @ 2021-06-10 14:26 UTC (permalink / raw)
To: meta-virtualization
Bump containernetworking/cni to v0.8.1
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
.../kubernetes/CVE-2021-20206.patch | 97 +++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
new file mode 100644
index 0000000..7bdd735
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
@@ -0,0 +1,97 @@
+From 1ff7fc0a0b8e5ee0bff0c7ba979efcd1ecdb9a39 Mon Sep 17 00:00:00 2001
+From: Navid Shaikh <navids@vmware.com>
+Date: Thu, 6 May 2021 15:41:08 +0530
+Subject: [PATCH] Bump containernetworking/cni to v0.8.1
+
+ Fix CVE-2021-20206
+
+Upstream-Status: Backport [185f65fbddb5239666c0c67fb335589b7570f60c]
+CVE: CVE-2021-20206
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ go.mod | 4 ++--
+ go.sum | 4 ++--
+ vendor/github.com/containernetworking/cni/pkg/invoke/find.go | 5 +++++
+ vendor/modules.txt | 4 ++--
+ 4 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/import/go.mod b/src/import/go.mod
+index e0ba549ab40..d4cc9ce01a9 100644
+--- a/src/import/go.mod
++++ b/src/import/go.mod
+@@ -28,7 +28,7 @@ require (
+ github.com/clusterhq/flocker-go v0.0.0-20160920122132-2b8b7259d313
+ github.com/codegangsta/negroni v1.0.0 // indirect
+ github.com/container-storage-interface/spec v1.2.0
+- github.com/containernetworking/cni v0.8.0
++ github.com/containernetworking/cni v0.8.1
+ github.com/coredns/corefile-migration v1.0.10
+ github.com/coreos/go-oidc v2.1.0+incompatible
+ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
+@@ -214,7 +214,7 @@ replace (
+ github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
+ github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
+ github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
+- github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
++ github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
+ github.com/coredns/corefile-migration => github.com/coredns/corefile-migration v1.0.10
+ github.com/coreos/bbolt => github.com/coreos/bbolt v1.3.2
+ github.com/coreos/etcd => github.com/coreos/etcd v3.3.13+incompatible
+diff --git a/src/import/go.sum b/src/import/go.sum
+index 288f4554b1f..9168f49c859 100644
+--- a/src/import/go.sum
++++ b/src/import/go.sum
+@@ -113,8 +113,8 @@ github.com/containerd/ttrpc v1.0.2 h1:2/O3oTZN36q2xRolk0a2WWGgh7/Vf/liElg5hFYLX9
+ github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+ github.com/containerd/typeurl v1.0.1 h1:PvuK4E3D5S5q6IqsPDCy928FhP0LUIGcmZ/Yhgp5Djw=
+ github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
+-github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjMCbgybcKI=
+-github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
++github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
++github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+ github.com/coredns/corefile-migration v1.0.10 h1:7HI4r5S5Fne749a+JDxUZppqBpYoZK8Q53ZVK9cn3aM=
+ github.com/coredns/corefile-migration v1.0.10/go.mod h1:RMy/mXdeDlYwzt0vdMEJvT2hGJ2I86/eO0UdXmH9XNI=
+ github.com/coreos/bbolt v1.3.2 h1:wZwiHHUieZCquLkDL0B8UhzreNWsPHooDAG3q34zk0s=
+diff --git a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
+index e815404c859..e62029eb788 100644
+--- a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
++++ b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
+@@ -18,6 +18,7 @@ import (
+ "fmt"
+ "os"
+ "path/filepath"
++ "strings"
+ )
+
+ // FindInPath returns the full path of the plugin by searching in the provided path
+@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {
+ return "", fmt.Errorf("no plugin name provided")
+ }
+
++ if strings.ContainsRune(plugin, os.PathSeparator) {
++ return "", fmt.Errorf("invalid plugin name: %s", plugin)
++ }
++
+ if len(paths) == 0 {
+ return "", fmt.Errorf("no paths provided")
+ }
+diff --git a/src/import/vendor/modules.txt b/src/import/vendor/modules.txt
+index 6a263b51686..f549467e77d 100644
+--- a/src/import/vendor/modules.txt
++++ b/src/import/vendor/modules.txt
+@@ -257,9 +257,9 @@ github.com/containerd/containerd/pkg/dialer
+ github.com/containerd/ttrpc
+ # github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
+ # github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
+-# github.com/containernetworking/cni v0.8.0 => github.com/containernetworking/cni v0.8.0
++# github.com/containernetworking/cni v0.8.1 => github.com/containernetworking/cni v0.8.1
+ ## explicit
+-# github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
++# github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
+ github.com/containernetworking/cni/libcni
+ github.com/containernetworking/cni/pkg/invoke
+ github.com/containernetworking/cni/pkg/types
+--
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 57cadfe..6120116 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.20;name=k
file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \
file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch \
file://CVE-2021-25737.patch \
+ file://CVE-2021-20206.patch \
"
DEPENDS += "rsync-native \
--
2.29.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-10 14:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-10 14:26 [meta-virtualization][hardnott][PATCH 1/2] kubernetes: fix CVE-2021-25737 sakib.sajal
2021-06-10 14:26 ` [meta-virtualization][hardnott][PATCH 2/2] kubernetes: fix CVE-2021-20206 sakib.sajal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.