kubernetes: Fix for CVE-2024-10220kirkstone

Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192 Reference: https://github.com/kubernetes/kubernetes/issues/128885 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-11-17 10:30:23 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-11-19 18:28:22 -0500
commit: c474ae21b11a816be607eb7b44d2cf77d1125bce (patch)
tree: 44da9b1363bb4c2a0b326777a36d08d5979b6d99
parent: 2cb05ca093c2c09bfab836e782c527f88a935a05 (diff)
download: meta-virtualization-c474ae21b11a816be607eb7b44d2cf77d1125bce.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
new file mode 100644
index 00000000..c0e371af
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,57 @@
+From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
+From: Imre Rad <imrer@google.com>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+More details on Hackerone #2266560
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
+CVE: CVE-2024-10220
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/git_repo/git_repo.go      |  6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d900727..b3827b92ad0f0 100644
+--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+        if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+                return err
+        }
+       if (src.Revision != "") && (src.Directory != "") {
+               cleanedDir := filepath.Clean(src.Directory)
+               if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
+                       return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
+               }
+       }
+        return nil
+ }
+ 
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892a1..650f765cc4884 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
+++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+                        },
+                        isExpectedFailure: true,
+                },
+               {
+                       name: "invalid-revision-directory-combo",
+                       vol: &v1.Volume{
+                               Name: "vol1",
+                               VolumeSource: v1.VolumeSource{
+                                       GitRepo: &v1.GitRepoVolumeSource{
+                                               Repository: gitURL,
+                                               Revision:   "main",
+                                               Directory:  "foo/bar",
+                                       },
+                               },
+                       },
+                       isExpectedFailure: true,
+               },
+        }
+ 
+        for _, scenario := range scenarios {
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 41f1ad73..dbfb3705 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -39,6 +39,7 @@ SRC_URI:append = " \
           file://CVE-2023-3955.patch;patchdir=src/import \
           file://CVE-2023-3676.patch;patchdir=src/import \
           file://CVE-2025-5187.patch;patchdir=src/import \
+           file://CVE-2024-10220.patch;patchdir=src/import \
          "
 DEPENDS += "rsync-native \
author	Vijay Anusuri <vanusuri@mvista.com>	2025-11-17 10:30:23 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-11-19 18:28:22 -0500
commit	c474ae21b11a816be607eb7b44d2cf77d1125bce (patch)
tree	44da9b1363bb4c2a0b326777a36d08d5979b6d99
parent	2cb05ca093c2c09bfab836e782c527f88a935a05 (diff)
download	meta-virtualization-c474ae21b11a816be607eb7b44d2cf77d1125bce.tar.gz

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch new file mode 100644 index 00000000..c0e371af --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,57 @@
		1	From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
		2	From: Imre Rad <imrer@google.com>
		3	Date: Thu, 25 Apr 2024 14:21:51 +0000
		4	Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
		5
		6	More details on Hackerone #2266560
		7
		8	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
		9	CVE: CVE-2024-10220
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	pkg/volume/git_repo/git_repo.go \| 6 ++++++
		13	pkg/volume/git_repo/git_repo_test.go \| 14 ++++++++++++++
		14	2 files changed, 20 insertions(+)
		15
		16	diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
		17	index 995018d900727..b3827b92ad0f0 100644
		18	--- a/pkg/volume/git_repo/git_repo.go
		19	+++ b/pkg/volume/git_repo/git_repo.go
		20	@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
		21	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
		22	return err
		23	}
		24	+ if (src.Revision != "") && (src.Directory != "") {
		25	+ cleanedDir := filepath.Clean(src.Directory)
		26	+ if strings.Contains(cleanedDir, "/") \|\| (strings.Contains(cleanedDir, "\\")) {
		27	+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
		28	+ }
		29	+ }
		30	return nil
		31	}
		32
		33	diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
		34	index 5b1461be892a1..650f765cc4884 100644
		35	--- a/pkg/volume/git_repo/git_repo_test.go
		36	+++ b/pkg/volume/git_repo/git_repo_test.go
		37	@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
		38	},
		39	isExpectedFailure: true,
		40	},
		41	+ {
		42	+ name: "invalid-revision-directory-combo",
		43	+ vol: &v1.Volume{
		44	+ Name: "vol1",
		45	+ VolumeSource: v1.VolumeSource{
		46	+ GitRepo: &v1.GitRepoVolumeSource{
		47	+ Repository: gitURL,
		48	+ Revision: "main",
		49	+ Directory: "foo/bar",
		50	+ },
		51	+ },
		52	+ },
		53	+ isExpectedFailure: true,
		54	+ },
		55	}
		56
		57	for _, scenario := range scenarios {


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index 41f1ad73..dbfb3705 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -39,6 +39,7 @@ SRC_URI:append = " \
39	file://CVE-2023-3955.patch;patchdir=src/import \	39	file://CVE-2023-3955.patch;patchdir=src/import \
40	file://CVE-2023-3676.patch;patchdir=src/import \	40	file://CVE-2023-3676.patch;patchdir=src/import \
41	file://CVE-2025-5187.patch;patchdir=src/import \	41	file://CVE-2025-5187.patch;patchdir=src/import \
		42	file://CVE-2024-10220.patch;patchdir=src/import \
42	"	43	"
43		44
44	DEPENDS += "rsync-native \	45	DEPENDS += "rsync-native \