author | Vijay Anusuri <vanusuri@mvista.com> | 2023-09-27 16:18:40 +0530 |
committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2023-10-02 16:16:25 +0000 |
commit | 35c723774ee06b3c1831f00a2cbf25cbeae132e1 (patch) | |
tree | 6ba591bfaf2ad614ea6f3d5661ec2f69402cdf08 /recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch | |
parent | 0dbb8593fa38ac2a04fcac04ff3e35611e849824 (diff) | |
download | meta-virtualization-35c723774ee06b3c1831f00a2cbf25cbeae132e1.tar.gz |
kubernetes: Backport fix for CVE-2021-25735 and CVE-2021-25737
Upstream-commits:
https://github.com/kubernetes/kubernetes/commit/e612ebfdff22e4bd27ad8345f7c82f074bfedf26
https://github.com/kubernetes/kubernetes/commit/d57f0641d60b73934ebc2cdf4b6a63182217d10c
https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat (limited to 'recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch')
-rw-r--r-- | recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch | 128 |
1 files changed, 128 insertions, 0 deletions
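--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-25737.patch
@@ -0,0 +1,128 @@
+From 901e8e07e1f031456ecd7fefce965aaa05916825 Mon Sep 17 00:00:00 2001
+From: Rob Scott <robertjscott@google.com>
+Date: Fri, 9 Apr 2021 15:24:17 -0700
+Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
+validation
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825]
+CVE: CVE-2021-25737
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+pkg/apis/core/validation/validation.go | 18 ++++++----
+pkg/apis/discovery/validation/validation.go | 2 ++
+.../discovery/validation/validation_test.go | 34 +++++++++++++++++--
+3 files changed, 45 insertions(+), 9 deletions(-)
+
+diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
+index 3daeb139d590d..c65cdd40f9061 100644
+--- a/src/import/pkg/apis/core/validation/validation.go
++++ b/src/import/pkg/apis/core/validation/validation.go
+@@ -4014,7 +4014,7 @@ func ValidateService(service *core.Service, allowAppProtocol bool) field.ErrorLi
+allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
+}
+} else {
+- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
++ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
+}
+}
+
+@@ -5572,15 +5572,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
+allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
+}
+}
+- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
++ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+return allErrs
+}
+
+-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+- // We disallow some IPs as endpoints or external-ips. Specifically,
+- // unspecified and loopback addresses are nonsensical and link-local
+- // addresses tend to be used for node-centric purposes (e.g. metadata
+- // service).
++// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
++// external IPs. Specifically, this disallows unspecified and loopback addresses
++// are nonsensical and link-local addresses tend to be used for node-centric
++// purposes (e.g. metadata service).
++//
++// IPv6 references
++// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
++// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
++func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
+allErrs := field.ErrorList{}
+ip := net.ParseIP(ipAddress)
+if ip == nil {
+diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go
+index 810f2ca124d57..3aa5128359d7f 100644
+--- a/src/import/pkg/apis/discovery/validation/validation.go
++++ b/src/import/pkg/apis/discovery/validation/validation.go
+@@ -103,8 +103,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
+}
+case discovery.AddressTypeIPv4:
+allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
++ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+case discovery.AddressTypeIPv6:
+allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
++ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
+case discovery.AddressTypeFQDN:
+allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
+}
+diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go
+index 060545f93ab31..3c8a5465128a9 100644
+--- a/src/import/pkg/apis/discovery/validation/validation_test.go
++++ b/src/import/pkg/apis/discovery/validation/validation_test.go
+@@ -390,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+},
+},
+"bad-ipv4": {
+- expectedErrors: 2,
++ expectedErrors: 3,
+endpointSlice: &discovery.EndpointSlice{
+ObjectMeta: standardMeta,
+AddressType: discovery.AddressTypeIPv4,
+@@ -405,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
+},
+},
+"bad-ipv6": {
+- expectedErrors: 2,
++ expectedErrors: 4,
+endpointSlice: &discovery.EndpointSlice{
+ObjectMeta: standardMeta,
+AddressType: discovery.AddressTypeIPv6,
+@@ -454,6 +454,36 @@ func TestValidateEndpointSlice(t *testing.T) {
+expectedErrors: 3,
+endpointSlice: &discovery.EndpointSlice{},
+},
++ "special-ipv4": {
++ expectedErrors: 1,
++ endpointSlice: &discovery.EndpointSlice{
++ ObjectMeta: standardMeta,
++ AddressType: discovery.AddressTypeIPv4,
++ Ports: []discovery.EndpointPort{{
++ Name: utilpointer.StringPtr("http"),
++ Protocol: protocolPtr(api.ProtocolTCP),
++ }},
++ Endpoints: []discovery.Endpoint{{
++ Addresses: []string{"127.0.0.1"},
++ Hostname: utilpointer.StringPtr("valid-123"),
++ }},
++ },
++ },
++ "special-ipv6": {
++ expectedErrors: 1,
++ endpointSlice: &discovery.EndpointSlice{
++ ObjectMeta: standardMeta,
++ AddressType: discovery.AddressTypeIPv6,
++ Ports: []discovery.EndpointPort{{
++ Name: utilpointer.StringPtr("http"),
++ Protocol: protocolPtr(api.ProtocolTCP),
++ }},
++ Endpoints: []discovery.Endpoint{{
++ Addresses: []string{"fe80::9656:d028:8652:66b6"},
++ Hostname: utilpointer.StringPtr("valid-123"),
++ }},
++ },
++ },
+}
+
+for name, testCase := range testCases {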
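Review bot: The `---`/`+++` lines at patch lines 18-19, 57-58 and 72-73 were rewritten to the recipe's `src/import/` source layout, but the `diff --git` and `index` lines directly above them (17, 55-56, 70-71) still carry the upstream `pkg/apis/...` paths and upstream blob hashes. quilt and GNU patch, which `do_patch` uses by default, read only the `---`/`+++` names so the patch should apply, but `git apply` rejects a git-style header whose `diff --git` and `---` names disagree, and the stale `index` hashes make the file harder to audit against the Upstream-Status link. Rewriting each header to match, e.g. `diff --git a/src/import/pkg/apis/core/validation/validation.go b/src/import/pkg/apis/core/validation/validation.go`, or dropping the `diff --git`/`index` lines altogether, keeps every file header self-consistent. The recipe's `SRC_URI` entry for this patch is outside this view; confirm it is listed there, otherwise the added EndpointSlice check on validation.go lines 63 and 66 is never built in.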