kubernetes: Fix for CVE-2025-5187

Upstream-commit: https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5 Reference: https://github.com/kubernetes/kubernetes/pull/133467 https://github.com/aks-lts/kubernetes/pull/62/commits/152330ef541b23a027c779597496b62c287fb363 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-10-23 18:43:04 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-11-05 23:18:46 -0500
commit: e8de051a53f979040eaa641d7b69d8fd00275b9a (patch)
tree: bced8dd64d1952b3f2c848032fff31c02f564497
parent: 16155ae737d96f0f53721ad7270c3fe19729d496 (diff)
download: meta-virtualization-e8de051a53f979040eaa641d7b69d8fd00275b9a.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch
new file mode 100644
index 00000000..a3042224
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch
@@ -0,0 +1,94 @@
+From 922f15f1b75eada00309e02b7dd61f73e1736f3f Mon Sep 17 00:00:00 2001
+From: Sergey Kanzhelev <S.Kanzhelev@live.com>
+Date: Thu, 22 May 2025 17:54:10 +0000
+Subject: [PATCH] do not allow the node to update it's owner reference
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5]
+CVE: CVE-2025-5187
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../admission/noderestriction/admission.go    |  5 +++
+ .../noderestriction/admission_test.go         | 36 +++++++++++++++----
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
+index 0a0d48d131f..8dc3ee7e66e 100644
+--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
+@@ -441,6 +441,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
+                        return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
+                }
+ 
+               // Don't allow a node to update its own ownerReferences.
+               if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
+                   return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
+               }
+
+                // Don't allow a node to update labels outside the allowed set.
+                // This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
+                modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
+diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
+index 6a4ccf2d948..1b51c75c4c1 100644
+--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
+@@ -235,10 +235,14 @@ func (a *admitTestCase) run(t *testing.T) {
+ 
+ func Test_nodePlugin_Admit(t *testing.T) {
+        var (
+-               mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+-               bob    = &user.DefaultInfo{Name: "bob"}
+               trueRef = true
+               mynode  = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+               bob     = &user.DefaultInfo{Name: "bob"}
+
+               mynodeObjMeta          = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+               mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
+               mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
+ 
+-               mynodeObjMeta    = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+                mynodeObj        = &api.Node{ObjectMeta: mynodeObjMeta}
+                mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
+                        ConfigMap: &api.ConfigMapNodeConfigSource{
+@@ -255,9 +259,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
+                                KubeletConfigKey: "kubelet",
+                        }}}}
+ 
+-               mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+-               mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+-               othernodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+               mynodeObjTaintA    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+               mynodeObjTaintB    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+               mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
+               mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
+               othernodeObj       = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+ 
+                coremymirrorpod, v1mymirrorpod           = makeTestPod("ns", "mymirrorpod", "mynode", true)
+                coreothermirrorpod, v1othermirrorpod     = makeTestPod("ns", "othermirrorpod", "othernode", true)
+@@ -1029,6 +1035,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
+                        attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+                        err:        `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
+                },
+               {
+                       name:       "forbid update of my node: add owner reference",
+                       podsGetter: existingPods,
+                       attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+                       err:        "node \"mynode\" is not allowed to modify ownerReferences",
+               },
+               {
+                       name:       "forbid update of my node: remove owner reference",
+                       podsGetter: existingPods,
+                       attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+                       err:        "node \"mynode\" is not allowed to modify ownerReferences",
+               },
+               {
+                       name:       "forbid update of my node: change owner reference",
+                       podsGetter: existingPods,
+                       attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+                       err:        "node \"mynode\" is not allowed to modify ownerReferences",
+               },
+ 
+                // Other node object
+                {
+-- 
+2.25.1
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 9d6179e0..41f1ad73 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -38,6 +38,7 @@ SRC_URI:append = " \
           file://CVE-2024-3177.patch;patchdir=src/import \
           file://CVE-2023-3955.patch;patchdir=src/import \
           file://CVE-2023-3676.patch;patchdir=src/import \
+           file://CVE-2025-5187.patch;patchdir=src/import \
          "
 DEPENDS += "rsync-native \
author	Vijay Anusuri <vanusuri@mvista.com>	2025-10-23 18:43:04 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-11-05 23:18:46 -0500
commit	e8de051a53f979040eaa641d7b69d8fd00275b9a (patch)
tree	bced8dd64d1952b3f2c848032fff31c02f564497
parent	16155ae737d96f0f53721ad7270c3fe19729d496 (diff)
download	meta-virtualization-e8de051a53f979040eaa641d7b69d8fd00275b9a.tar.gz

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch new file mode 100644 index 00000000..a3042224 --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch
@@ -0,0 +1,94 @@
		1	From 922f15f1b75eada00309e02b7dd61f73e1736f3f Mon Sep 17 00:00:00 2001
		2	From: Sergey Kanzhelev <S.Kanzhelev@live.com>
		3	Date: Thu, 22 May 2025 17:54:10 +0000
		4	Subject: [PATCH] do not allow the node to update it's owner reference
		5
		6	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5]
		7	CVE: CVE-2025-5187
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	.../admission/noderestriction/admission.go \| 5 +++
		11	.../noderestriction/admission_test.go \| 36 +++++++++++++++----
		12	2 files changed, 35 insertions(+), 6 deletions(-)
		13
		14	diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
		15	index 0a0d48d131f..8dc3ee7e66e 100644
		16	--- a/plugin/pkg/admission/noderestriction/admission.go
		17	+++ b/plugin/pkg/admission/noderestriction/admission.go
		18	@@ -441,6 +441,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
		19	return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
		20	}
		21
		22	+ // Don't allow a node to update its own ownerReferences.
		23	+ if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
		24	+ return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
		25	+ }
		26	+
		27	// Don't allow a node to update labels outside the allowed set.
		28	// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
		29	modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
		30	diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
		31	index 6a4ccf2d948..1b51c75c4c1 100644
		32	--- a/plugin/pkg/admission/noderestriction/admission_test.go
		33	+++ b/plugin/pkg/admission/noderestriction/admission_test.go
		34	@@ -235,10 +235,14 @@ func (a admitTestCase) run(t testing.T) {
		35
		36	func Test_nodePlugin_Admit(t *testing.T) {
		37	var (
		38	- mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
		39	- bob = &user.DefaultInfo{Name: "bob"}
		40	+ trueRef = true
		41	+ mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
		42	+ bob = &user.DefaultInfo{Name: "bob"}
		43	+
		44	+ mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
		45	+ mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
		46	+ mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
		47
		48	- mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
		49	mynodeObj = &api.Node{ObjectMeta: mynodeObjMeta}
		50	mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
		51	ConfigMap: &api.ConfigMapNodeConfigSource{
		52	@@ -255,9 +259,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
		53	KubeletConfigKey: "kubelet",
		54	}}}}
		55
		56	- mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
		57	- mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
		58	- othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
		59	+ mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
		60	+ mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
		61	+ mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
		62	+ mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
		63	+ othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
		64
		65	coremymirrorpod, v1mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true)
		66	coreothermirrorpod, v1othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true)
		67	@@ -1029,6 +1035,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
		68	attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
		69	err: `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
		70	},
		71	+ {
		72	+ name: "forbid update of my node: add owner reference",
		73	+ podsGetter: existingPods,
		74	+ attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
		75	+ err: "node \"mynode\" is not allowed to modify ownerReferences",
		76	+ },
		77	+ {
		78	+ name: "forbid update of my node: remove owner reference",
		79	+ podsGetter: existingPods,
		80	+ attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
		81	+ err: "node \"mynode\" is not allowed to modify ownerReferences",
		82	+ },
		83	+ {
		84	+ name: "forbid update of my node: change owner reference",
		85	+ podsGetter: existingPods,
		86	+ attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
		87	+ err: "node \"mynode\" is not allowed to modify ownerReferences",
		88	+ },
		89
		90	// Other node object
		91	{
		92	--
		93	2.25.1
		94


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index 9d6179e0..41f1ad73 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -38,6 +38,7 @@ SRC_URI:append = " \
38	file://CVE-2024-3177.patch;patchdir=src/import \	38	file://CVE-2024-3177.patch;patchdir=src/import \
39	file://CVE-2023-3955.patch;patchdir=src/import \	39	file://CVE-2023-3955.patch;patchdir=src/import \
40	file://CVE-2023-3676.patch;patchdir=src/import \	40	file://CVE-2023-3676.patch;patchdir=src/import \
		41	file://CVE-2025-5187.patch;patchdir=src/import \
41	"	42	"
42		43
43	DEPENDS += "rsync-native \	44	DEPENDS += "rsync-native \