2 files changed, 93 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
new file mode 100644
index 00000000..dc4e9029
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
@@ -0,0 +1,92 @@
+From 5e8f9a8a72351e2fb5bcea3e3c58c935314557b6 Mon Sep 17 00:00:00 2001
+From: Navid Shaikh <navids@vmware.com>
+Date: Thu, 6 May 2021 15:41:08 +0530
+Subject: [PATCH] Bump containernetworking/cni to v0.8.1
+ Fix CVE-2021-20206
+CVE: CVE-2021-20206
+Upstream-Status: Backport [185f65fbddb5239666c0c67fb335589b7570f60c]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ go.mod                                                       | 4 ++--
+ go.sum                                                       | 4 ++--
+ vendor/github.com/containernetworking/cni/pkg/invoke/find.go | 5 +++++
+ vendor/modules.txt                                           | 2 +-
+ 4 files changed, 10 insertions(+), 5 deletions(-)
+diff --git a/src/import/go.mod b/src/import/go.mod
+index e0ba549ab40..d4cc9ce01a9 100644
+--- a/src/import/go.mod
+++ b/src/import/go.mod
+@@ -28,7 +28,7 @@ require (
+        github.com/clusterhq/flocker-go v0.0.0-20160920122132-2b8b7259d313
+        github.com/codegangsta/negroni v1.0.0 // indirect
+        github.com/container-storage-interface/spec v1.2.0
+-       github.com/containernetworking/cni v0.8.0
+       github.com/containernetworking/cni v0.8.1
+        github.com/coredns/corefile-migration v1.0.10
+        github.com/coreos/go-oidc v2.1.0+incompatible
+        github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
+@@ -214,7 +214,7 @@ replace (
+        github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
+        github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
+        github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
+-       github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
+       github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
+        github.com/coredns/corefile-migration => github.com/coredns/corefile-migration v1.0.10
+        github.com/coreos/bbolt => github.com/coreos/bbolt v1.3.2
+        github.com/coreos/etcd => github.com/coreos/etcd v3.3.13+incompatible
+diff --git a/src/import/go.sum b/src/import/go.sum
+index 288f4554b1f..9168f49c859 100644
+--- a/src/import/go.sum
+++ b/src/import/go.sum
+@@ -113,8 +113,8 @@ github.com/containerd/ttrpc v1.0.2 h1:2/O3oTZN36q2xRolk0a2WWGgh7/Vf/liElg5hFYLX9
+ github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+ github.com/containerd/typeurl v1.0.1 h1:PvuK4E3D5S5q6IqsPDCy928FhP0LUIGcmZ/Yhgp5Djw=
+ github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
+-github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjMCbgybcKI=
+-github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
+github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+ github.com/coredns/corefile-migration v1.0.10 h1:7HI4r5S5Fne749a+JDxUZppqBpYoZK8Q53ZVK9cn3aM=
+ github.com/coredns/corefile-migration v1.0.10/go.mod h1:RMy/mXdeDlYwzt0vdMEJvT2hGJ2I86/eO0UdXmH9XNI=
+ github.com/coreos/bbolt v1.3.2 h1:wZwiHHUieZCquLkDL0B8UhzreNWsPHooDAG3q34zk0s=
+diff --git a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
+index e815404c859..e62029eb788 100644
+--- a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
+++ b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
+@@ -18,6 +18,7 @@ import (
+        "fmt"
+        "os"
+        "path/filepath"
+       "strings"
+ )
+ 
+ // FindInPath returns the full path of the plugin by searching in the provided path
+@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {
+                return "", fmt.Errorf("no plugin name provided")
+        }
+ 
+       if strings.ContainsRune(plugin, os.PathSeparator) {
+               return "", fmt.Errorf("invalid plugin name: %s", plugin)
+       }
+
+        if len(paths) == 0 {
+                return "", fmt.Errorf("no paths provided")
+        }
+diff --git a/src/import/vendor/modules.txt b/src/import/vendor/modules.txt
+index 6a263b51686..c3b68a5f547 100644
+--- a/src/import/vendor/modules.txt
+++ b/src/import/vendor/modules.txt
+@@ -257,7 +257,7 @@ github.com/containerd/containerd/pkg/dialer
+ github.com/containerd/ttrpc
+ # github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
+ # github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
+-# github.com/containernetworking/cni v0.8.0 => github.com/containernetworking/cni v0.8.0
+# github.com/containernetworking/cni v0.8.1 => github.com/containernetworking/cni v0.8.1
+ ## explicit
+ # github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
+ github.com/containernetworking/cni/libcni
+-- 
+2.25.1
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index bc694a27..7b9aab84 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.20;name=k
           file://0001-generate-bindata-unset-GOBIN.patch \
           file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \
           file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch \
+           file://CVE-2021-20206.patch \
          "
 DEPENDS += "rsync-native \

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch new file mode 100644 index 00000000..dc4e9029 --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2021-20206.patch
@@ -0,0 +1,92 @@
		1	From 5e8f9a8a72351e2fb5bcea3e3c58c935314557b6 Mon Sep 17 00:00:00 2001
		2	From: Navid Shaikh <navids@vmware.com>
		3	Date: Thu, 6 May 2021 15:41:08 +0530
		4	Subject: [PATCH] Bump containernetworking/cni to v0.8.1
		5
		6	Fix CVE-2021-20206
		7	CVE: CVE-2021-20206
		8	Upstream-Status: Backport [185f65fbddb5239666c0c67fb335589b7570f60c]
		9	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		10	---
		11	go.mod \| 4 ++--
		12	go.sum \| 4 ++--
		13	vendor/github.com/containernetworking/cni/pkg/invoke/find.go \| 5 +++++
		14	vendor/modules.txt \| 2 +-
		15	4 files changed, 10 insertions(+), 5 deletions(-)
		16
		17	diff --git a/src/import/go.mod b/src/import/go.mod
		18	index e0ba549ab40..d4cc9ce01a9 100644
		19	--- a/src/import/go.mod
		20	+++ b/src/import/go.mod
		21	@@ -28,7 +28,7 @@ require (
		22	github.com/clusterhq/flocker-go v0.0.0-20160920122132-2b8b7259d313
		23	github.com/codegangsta/negroni v1.0.0 // indirect
		24	github.com/container-storage-interface/spec v1.2.0
		25	- github.com/containernetworking/cni v0.8.0
		26	+ github.com/containernetworking/cni v0.8.1
		27	github.com/coredns/corefile-migration v1.0.10
		28	github.com/coreos/go-oidc v2.1.0+incompatible
		29	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
		30	@@ -214,7 +214,7 @@ replace (
		31	github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
		32	github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
		33	github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
		34	- github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
		35	+ github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
		36	github.com/coredns/corefile-migration => github.com/coredns/corefile-migration v1.0.10
		37	github.com/coreos/bbolt => github.com/coreos/bbolt v1.3.2
		38	github.com/coreos/etcd => github.com/coreos/etcd v3.3.13+incompatible
		39	diff --git a/src/import/go.sum b/src/import/go.sum
		40	index 288f4554b1f..9168f49c859 100644
		41	--- a/src/import/go.sum
		42	+++ b/src/import/go.sum
		43	@@ -113,8 +113,8 @@ github.com/containerd/ttrpc v1.0.2 h1:2/O3oTZN36q2xRolk0a2WWGgh7/Vf/liElg5hFYLX9
		44	github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
		45	github.com/containerd/typeurl v1.0.1 h1:PvuK4E3D5S5q6IqsPDCy928FhP0LUIGcmZ/Yhgp5Djw=
		46	github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
		47	-github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjMCbgybcKI=
		48	-github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
		49	+github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
		50	+github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
		51	github.com/coredns/corefile-migration v1.0.10 h1:7HI4r5S5Fne749a+JDxUZppqBpYoZK8Q53ZVK9cn3aM=
		52	github.com/coredns/corefile-migration v1.0.10/go.mod h1:RMy/mXdeDlYwzt0vdMEJvT2hGJ2I86/eO0UdXmH9XNI=
		53	github.com/coreos/bbolt v1.3.2 h1:wZwiHHUieZCquLkDL0B8UhzreNWsPHooDAG3q34zk0s=
		54	diff --git a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
		55	index e815404c859..e62029eb788 100644
		56	--- a/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
		57	+++ b/src/import/vendor/github.com/containernetworking/cni/pkg/invoke/find.go
		58	@@ -18,6 +18,7 @@ import (
		59	"fmt"
		60	"os"
		61	"path/filepath"
		62	+ "strings"
		63	)
		64
		65	// FindInPath returns the full path of the plugin by searching in the provided path
		66	@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {
		67	return "", fmt.Errorf("no plugin name provided")
		68	}
		69
		70	+ if strings.ContainsRune(plugin, os.PathSeparator) {
		71	+ return "", fmt.Errorf("invalid plugin name: %s", plugin)
		72	+ }
		73	+
		74	if len(paths) == 0 {
		75	return "", fmt.Errorf("no paths provided")
		76	}
		77	diff --git a/src/import/vendor/modules.txt b/src/import/vendor/modules.txt
		78	index 6a263b51686..c3b68a5f547 100644
		79	--- a/src/import/vendor/modules.txt
		80	+++ b/src/import/vendor/modules.txt
		81	@@ -257,7 +257,7 @@ github.com/containerd/containerd/pkg/dialer
		82	github.com/containerd/ttrpc
		83	# github.com/containerd/ttrpc => github.com/containerd/ttrpc v1.0.2
		84	# github.com/containerd/typeurl => github.com/containerd/typeurl v1.0.1
		85	-# github.com/containernetworking/cni v0.8.0 => github.com/containernetworking/cni v0.8.0
		86	+# github.com/containernetworking/cni v0.8.1 => github.com/containernetworking/cni v0.8.1
		87	## explicit
		88	# github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0
		89	github.com/containernetworking/cni/libcni
		90	--
		91	2.25.1
		92


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index bc694a27..7b9aab84 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.20;name=k
16	file://0001-generate-bindata-unset-GOBIN.patch \	16	file://0001-generate-bindata-unset-GOBIN.patch \
17	file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \	17	file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch \
18	file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch \	18	file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch \
		19	file://CVE-2021-20206.patch \
19	"	20	"
20		21
21	DEPENDS += "rsync-native \	22	DEPENDS += "rsync-native \