kubernetes: Backport fix for CVE-2021-25735 and CVE-2021-25737

Upstream-commit: https://github.com/kubernetes/kubernetes/commit/e612ebfdff22e4bd27ad8345f7c82f074bfedf26 & https://github.com/kubernetes/kubernetes/commit/d57f0641d60b73934ebc2cdf4b6a63182217d10c & https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-09-27 16:18:40 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2023-10-02 16:16:25 +0000
commit: 35c723774ee06b3c1831f00a2cbf25cbeae132e1 (patch)
tree: 6ba591bfaf2ad614ea6f3d5661ec2f69402cdf08 /recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
parent: 0dbb8593fa38ac2a04fcac04ff3e35611e849824 (diff)
download: meta-virtualization-35c723774ee06b3c1831f00a2cbf25cbeae132e1.tar.gz
1 files changed, 128 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
new file mode 100644
index 00000000..d1a97971
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
@@ -0,0 +1,128 @@
+From 901e8e07e1f031456ecd7fefce965aaa05916825 Mon Sep 17 00:00:00 2001
+From: Rob Scott <robertjscott@google.com>
+Date: Fri, 9 Apr 2021 15:24:17 -0700
+Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
+ validation
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825]
+CVE: CVE-2021-25737
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/apis/core/validation/validation.go        | 18 ++++++----
+ pkg/apis/discovery/validation/validation.go   |  2 ++
+ .../discovery/validation/validation_test.go   | 34 +++++++++++++++++--
+ 3 files changed, 45 insertions(+), 9 deletions(-)
+diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
+index 3daeb139d590d..c65cdd40f9061 100644
+--- a/src/import/pkg/apis/core/validation/validation.go
+++ b/src/import/pkg/apis/core/validation/validation.go
+@@ -4014,7 +4014,7 @@ func ValidateService(service *core.Service, allowAppProtocol bool) field.ErrorLi
+                                allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
+                        }
+                } else {
+-                       allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
+                       allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
+                }
+        }
+ 
+@@ -5572,15 +5572,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
+                        allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
+                }
+        }
+-       allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+       allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+        return allErrs
+ }
+ 
+-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+-       // We disallow some IPs as endpoints or external-ips.  Specifically,
+-       // unspecified and loopback addresses are nonsensical and link-local
+-       // addresses tend to be used for node-centric purposes (e.g. metadata
+-       // service).
+// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
+// external IPs. Specifically, this disallows unspecified and loopback addresses
+// are nonsensical and link-local addresses tend to be used for node-centric
+// purposes (e.g. metadata service).
+//
+// IPv6 references
+// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
+func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+        allErrs := field.ErrorList{}
+        ip := net.ParseIP(ipAddress)
+        if ip == nil {
+diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go
+index 810f2ca124d57..3aa5128359d7f 100644
+--- a/src/import/pkg/apis/discovery/validation/validation.go
+++ b/src/import/pkg/apis/discovery/validation/validation.go
+@@ -103,8 +103,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
+                                }
+                        case discovery.AddressTypeIPv4:
+                                allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
+                               allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+                        case discovery.AddressTypeIPv6:
+                                allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
+                               allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+                        case discovery.AddressTypeFQDN:
+                                allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
+                        }
+diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go
+index 060545f93ab31..3c8a5465128a9 100644
+--- a/src/import/pkg/apis/discovery/validation/validation_test.go
+++ b/src/import/pkg/apis/discovery/validation/validation_test.go
+@@ -390,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+                        },
+                },
+                "bad-ipv4": {
+-                       expectedErrors: 2,
+                       expectedErrors: 3,
+                        endpointSlice: &discovery.EndpointSlice{
+                                ObjectMeta:  standardMeta,
+                                AddressType: discovery.AddressTypeIPv4,
+@@ -405,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+                        },
+                },
+                "bad-ipv6": {
+-                       expectedErrors: 2,
+                       expectedErrors: 4,
+                        endpointSlice: &discovery.EndpointSlice{
+                                ObjectMeta:  standardMeta,
+                                AddressType: discovery.AddressTypeIPv6,
+@@ -454,6 +454,36 @@ func TestValidateEndpointSlice(t *testing.T) {
+                        expectedErrors: 3,
+                        endpointSlice:  &discovery.EndpointSlice{},
+                },
+               "special-ipv4": {
+                       expectedErrors: 1,
+                       endpointSlice: &discovery.EndpointSlice{
+                               ObjectMeta:  standardMeta,
+                               AddressType: discovery.AddressTypeIPv4,
+                               Ports: []discovery.EndpointPort{{
+                                       Name:     utilpointer.StringPtr("http"),
+                                       Protocol: protocolPtr(api.ProtocolTCP),
+                               }},
+                               Endpoints: []discovery.Endpoint{{
+                                       Addresses: []string{"127.0.0.1"},
+                                       Hostname:  utilpointer.StringPtr("valid-123"),
+                               }},
+                       },
+               },
+               "special-ipv6": {
+                       expectedErrors: 1,
+                       endpointSlice: &discovery.EndpointSlice{
+                               ObjectMeta:  standardMeta,
+                               AddressType: discovery.AddressTypeIPv6,
+                               Ports: []discovery.EndpointPort{{
+                                       Name:     utilpointer.StringPtr("http"),
+                                       Protocol: protocolPtr(api.ProtocolTCP),
+                               }},
+                               Endpoints: []discovery.Endpoint{{
+                                       Addresses: []string{"fe80::9656:d028:8652:66b6"},
+                                       Hostname:  utilpointer.StringPtr("valid-123"),
+                               }},
+                       },
+               },
+        }
+ 
+        for name, testCase := range testCases {
author	Vijay Anusuri <vanusuri@mvista.com>	2023-09-27 16:18:40 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2023-10-02 16:16:25 +0000
commit	35c723774ee06b3c1831f00a2cbf25cbeae132e1 (patch)
tree	6ba591bfaf2ad614ea6f3d5661ec2f69402cdf08 /recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
parent	0dbb8593fa38ac2a04fcac04ff3e35611e849824 (diff)
download	meta-virtualization-35c723774ee06b3c1831f00a2cbf25cbeae132e1.tar.gz

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch new file mode 100644 index 00000000..d1a97971 --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
@@ -0,0 +1,128 @@
	1	From 901e8e07e1f031456ecd7fefce965aaa05916825 Mon Sep 17 00:00:00 2001
	2	From: Rob Scott <robertjscott@google.com>
	3	Date: Fri, 9 Apr 2021 15:24:17 -0700
	4	Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
	5	validation
	6
	7	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825]
	8	CVE: CVE-2021-25737
	9	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	10	---
	11	pkg/apis/core/validation/validation.go \| 18 ++++++----
	12	pkg/apis/discovery/validation/validation.go \| 2 ++
	13	.../discovery/validation/validation_test.go \| 34 +++++++++++++++++--
	14	3 files changed, 45 insertions(+), 9 deletions(-)
	15
	16	diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
	17	index 3daeb139d590d..c65cdd40f9061 100644
	18	--- a/src/import/pkg/apis/core/validation/validation.go
	19	+++ b/src/import/pkg/apis/core/validation/validation.go
	20	@@ -4014,7 +4014,7 @@ func ValidateService(service *core.Service, allowAppProtocol bool) field.ErrorLi
	21	allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
	22	}
	23	} else {
	24	- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
	25	+ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
	26	}
	27	}
	28
	29	@@ -5572,15 +5572,19 @@ func validateEndpointAddress(address core.EndpointAddress, fldPath field.Path)
	30	allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
	31	}
	32	}
	33	- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
	34	+ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
	35	return allErrs
	36	}
	37
	38	-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
	39	- // We disallow some IPs as endpoints or external-ips. Specifically,
	40	- // unspecified and loopback addresses are nonsensical and link-local
	41	- // addresses tend to be used for node-centric purposes (e.g. metadata
	42	- // service).
	43	+// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
	44	+// external IPs. Specifically, this disallows unspecified and loopback addresses
	45	+// are nonsensical and link-local addresses tend to be used for node-centric
	46	+// purposes (e.g. metadata service).
	47	+//
	48	+// IPv6 references
	49	+// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
	50	+// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
	51	+func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
	52	allErrs := field.ErrorList{}
	53	ip := net.ParseIP(ipAddress)
	54	if ip == nil {
	55	diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go
	56	index 810f2ca124d57..3aa5128359d7f 100644
	57	--- a/src/import/pkg/apis/discovery/validation/validation.go
	58	+++ b/src/import/pkg/apis/discovery/validation/validation.go
	59	@@ -103,8 +103,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
	60	}
	61	case discovery.AddressTypeIPv4:
	62	allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
	63	+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
	64	case discovery.AddressTypeIPv6:
	65	allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
	66	+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
	67	case discovery.AddressTypeFQDN:
	68	allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
	69	}
	70	diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go
	71	index 060545f93ab31..3c8a5465128a9 100644
	72	--- a/src/import/pkg/apis/discovery/validation/validation_test.go
	73	+++ b/src/import/pkg/apis/discovery/validation/validation_test.go
	74	@@ -390,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
	75	},
	76	},
	77	"bad-ipv4": {
	78	- expectedErrors: 2,
	79	+ expectedErrors: 3,
	80	endpointSlice: &discovery.EndpointSlice{
	81	ObjectMeta: standardMeta,
	82	AddressType: discovery.AddressTypeIPv4,
	83	@@ -405,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
	84	},
	85	},
	86	"bad-ipv6": {
	87	- expectedErrors: 2,
	88	+ expectedErrors: 4,
	89	endpointSlice: &discovery.EndpointSlice{
	90	ObjectMeta: standardMeta,
	91	AddressType: discovery.AddressTypeIPv6,
	92	@@ -454,6 +454,36 @@ func TestValidateEndpointSlice(t *testing.T) {
	93	expectedErrors: 3,
	94	endpointSlice: &discovery.EndpointSlice{},
	95	},
	96	+ "special-ipv4": {
	97	+ expectedErrors: 1,
	98	+ endpointSlice: &discovery.EndpointSlice{
	99	+ ObjectMeta: standardMeta,
	100	+ AddressType: discovery.AddressTypeIPv4,
	101	+ Ports: []discovery.EndpointPort{{
	102	+ Name: utilpointer.StringPtr("http"),
	103	+ Protocol: protocolPtr(api.ProtocolTCP),
	104	+ }},
	105	+ Endpoints: []discovery.Endpoint{{
	106	+ Addresses: []string{"127.0.0.1"},
	107	+ Hostname: utilpointer.StringPtr("valid-123"),
	108	+ }},
	109	+ },
	110	+ },
	111	+ "special-ipv6": {
	112	+ expectedErrors: 1,
	113	+ endpointSlice: &discovery.EndpointSlice{
	114	+ ObjectMeta: standardMeta,
	115	+ AddressType: discovery.AddressTypeIPv6,
	116	+ Ports: []discovery.EndpointPort{{
	117	+ Name: utilpointer.StringPtr("http"),
	118	+ Protocol: protocolPtr(api.ProtocolTCP),
	119	+ }},
	120	+ Endpoints: []discovery.Endpoint{{
	121	+ Addresses: []string{"fe80::9656:d028:8652:66b6"},
	122	+ Hostname: utilpointer.StringPtr("valid-123"),
	123	+ }},
	124	+ },
	125	+ },
	126	}
	127
	128	for name, testCase := range testCases {