packages/kubernetes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-10220

Browse Source 
Signed-off-by: liuxu <liuxu156@huawei.com>
(cherry picked from commit 02485f7220d5756b18d1837705923206654482f2)
This commit is contained in:
liuxu 2024-12-05 11:06:32 +08:00 committed by openeuler-sync-bot
parent dfe9c8459e
commit d8045b9569
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch Normal file
View File

@ -0,0 +1,56 @@
From c7846fd24c16266a3bfd86315171f5b4d5f0c9c9 Mon Sep 17 00:00:00 2001
From: Imre Rad <imrer@google.com>
Date: Thu, 25 Apr 2024 14:21:51 +0000
Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
More details on Hackerone #2266560
---
pkg/volume/git_repo/git_repo.go | 6 ++++++
pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
index 995018d9007..b3827b92ad0 100644
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
return err
}
+ if (src.Revision != "") && (src.Directory != "") {
+ cleanedDir := filepath.Clean(src.Directory)
+ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
+ }
+ }
return nil
}
diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
index 5b1461be892..650f765cc48 100644
--- a/pkg/volume/git_repo/git_repo_test.go
+++ b/pkg/volume/git_repo/git_repo_test.go
@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
},
isExpectedFailure: true,
},
+ {
+ name: "invalid-revision-directory-combo",
+ vol: &v1.Volume{
+ Name: "vol1",
+ VolumeSource: v1.VolumeSource{
+ GitRepo: &v1.GitRepoVolumeSource{
+ Repository: gitURL,
+ Revision: "main",
+ Directory: "foo/bar",
+ },
+ },
+ },
+ isExpectedFailure: true,
+ },
}
for _, scenario := range scenarios {
--
2.34.1

9
kubernetes.spec
View File

@ -3,7 +3,7 @@
Name: kubernetes Name: kubernetes
Version: 1.29.1 Version: 1.29.1
Release: 8 Release: 9
Summary: Container cluster management Summary: Container cluster management
License: ASL 2.0 License: ASL 2.0
URL: https://k8s.io/kubernetes URL: https://k8s.io/kubernetes
@ -30,6 +30,7 @@ Patch0003: 0003-Add-envFrom-to-serviceaccount-admission-plugin.patch
Patch0004: 0004-Add-processStartTime-in-metrics-slis.patch Patch0004: 0004-Add-processStartTime-in-metrics-slis.patch
Patch0005: 0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-system-kubelet-config-ConfigMap-does-not-respect-user.patch Patch0005: 0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-system-kubelet-config-ConfigMap-does-not-respect-user.patch
Patch0006: 0006-adapt-go-version.patch Patch0006: 0006-adapt-go-version.patch
Patch0007: 0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch
%ifarch riscv64 %ifarch riscv64
Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch
%endif %endif
@ -274,6 +275,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
%systemd_postun kubelet kube-proxy %systemd_postun kubelet kube-proxy
%changelog %changelog
* Thu Dec 05 2024 liuxu <liuxu156@huawei.com> - 1.29.1-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix CVE-2024-10220
* Thu Nov 28 2024 liuxu <liuxu156@huawei.com> - 1.29.1-8 * Thu Nov 28 2024 liuxu <liuxu156@huawei.com> - 1.29.1-8
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA