5 files changed, 69 insertions, 11 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
new file mode 100644
index 00000000..c0e371af
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,57 @@
+From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
+From: Imre Rad <imrer@google.com>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+More details on Hackerone #2266560
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
+CVE: CVE-2024-10220
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/git_repo/git_repo.go      |  6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d900727..b3827b92ad0f0 100644
+--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+        if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+                return err
+        }
+       if (src.Revision != "") && (src.Directory != "") {
+               cleanedDir := filepath.Clean(src.Directory)
+               if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
+                       return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
+               }
+       }
+        return nil
+ }
+ 
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892a1..650f765cc4884 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
+++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+                        },
+                        isExpectedFailure: true,
+                },
+               {
+                       name: "invalid-revision-directory-combo",
+                       vol: &v1.Volume{
+                               Name: "vol1",
+                               VolumeSource: v1.VolumeSource{
+                                       GitRepo: &v1.GitRepoVolumeSource{
+                                               Repository: gitURL,
+                                               Revision:   "main",
+                                               Directory:  "foo/bar",
+                                       },
+                               },
+                       },
+                       isExpectedFailure: true,
+               },
+        }
+ 
+        for _, scenario := range scenarios {
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 41f1ad73..dbfb3705 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -39,6 +39,7 @@ SRC_URI:append = " \
           file://CVE-2023-3955.patch;patchdir=src/import \
           file://CVE-2023-3676.patch;patchdir=src/import \
           file://CVE-2025-5187.patch;patchdir=src/import \
+           file://CVE-2024-10220.patch;patchdir=src/import \
          "
 DEPENDS += "rsync-native \
diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
index 4d35e58e..df9e1d8e 100644
--- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
+++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -15,12 +15,12 @@ Index: git/src/import/Makefile
 ===================================================================
 --- git.orig/src/import/Makefile
 +++ git/src/import/Makefile
-@@ -20,7 +20,7 @@
+@@ -24,7 +24,7 @@
-                endif
+                GO_BUILDMODE := "-buildmode=pie"
        endif
 endif
-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
-+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) \
-        -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+        $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
- GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
+        -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
-        -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+ 
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 97373a72..16bc6639 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
 # Note: this rev is before the required protocol field, update when all components
 #       have been updated to match.
-SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
+SRCREV_runc-docker = "068337925cd4286782c1c576132590992cc8c728"
 SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
           file://0001-runc-Add-console-socket-dev-null.patch \
           file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
           file://0001-runc-docker-SIGUSR1-daemonize.patch \
          "
-RUNC_VERSION = "1.1.4"
+RUNC_VERSION = "1.1.15"
 CVE_PRODUCT = "runc"
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 59ddca9b..00077985 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,10 +1,10 @@
 include runc.inc
-SRCREV = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
+SRCREV = "068337925cd4286782c1c576132590992cc8c728"
 SRC_URI = " \
    git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \
    file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
    "
-RUNC_VERSION = "1.1.4"
+RUNC_VERSION = "1.1.15"
 CVE_PRODUCT = "runc"

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch new file mode 100644 index 00000000..c0e371af --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,57 @@
		1	From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
		2	From: Imre Rad <imrer@google.com>
		3	Date: Thu, 25 Apr 2024 14:21:51 +0000
		4	Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
		5
		6	More details on Hackerone #2266560
		7
		8	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192]
		9	CVE: CVE-2024-10220
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	pkg/volume/git_repo/git_repo.go \| 6 ++++++
		13	pkg/volume/git_repo/git_repo_test.go \| 14 ++++++++++++++
		14	2 files changed, 20 insertions(+)
		15
		16	diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
		17	index 995018d900727..b3827b92ad0f0 100644
		18	--- a/pkg/volume/git_repo/git_repo.go
		19	+++ b/pkg/volume/git_repo/git_repo.go
		20	@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
		21	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
		22	return err
		23	}
		24	+ if (src.Revision != "") && (src.Directory != "") {
		25	+ cleanedDir := filepath.Clean(src.Directory)
		26	+ if strings.Contains(cleanedDir, "/") \|\| (strings.Contains(cleanedDir, "\\")) {
		27	+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
		28	+ }
		29	+ }
		30	return nil
		31	}
		32
		33	diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
		34	index 5b1461be892a1..650f765cc4884 100644
		35	--- a/pkg/volume/git_repo/git_repo_test.go
		36	+++ b/pkg/volume/git_repo/git_repo_test.go
		37	@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
		38	},
		39	isExpectedFailure: true,
		40	},
		41	+ {
		42	+ name: "invalid-revision-directory-combo",
		43	+ vol: &v1.Volume{
		44	+ Name: "vol1",
		45	+ VolumeSource: v1.VolumeSource{
		46	+ GitRepo: &v1.GitRepoVolumeSource{
		47	+ Repository: gitURL,
		48	+ Revision: "main",
		49	+ Directory: "foo/bar",
		50	+ },
		51	+ },
		52	+ },
		53	+ isExpectedFailure: true,
		54	+ },
		55	}
		56
		57	for _, scenario := range scenarios {


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index 41f1ad73..dbfb3705 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -39,6 +39,7 @@ SRC_URI:append = " \
39	file://CVE-2023-3955.patch;patchdir=src/import \	39	file://CVE-2023-3955.patch;patchdir=src/import \
40	file://CVE-2023-3676.patch;patchdir=src/import \	40	file://CVE-2023-3676.patch;patchdir=src/import \
41	file://CVE-2025-5187.patch;patchdir=src/import \	41	file://CVE-2025-5187.patch;patchdir=src/import \
		42	file://CVE-2024-10220.patch;patchdir=src/import \
42	"	43	"
43		44
44	DEPENDS += "rsync-native \	45	DEPENDS += "rsync-native \


diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch index 4d35e58e..df9e1d8e 100644 --- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch +++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -15,12 +15,12 @@ Index: git/src/import/Makefile
15	===================================================================	15	===================================================================
16	--- git.orig/src/import/Makefile	16	--- git.orig/src/import/Makefile
17	+++ git/src/import/Makefile	17	+++ git/src/import/Makefile
18	@@ -20,7 +20,7 @@	18	@@ -24,7 +24,7 @@
19	endif	19	GO_BUILDMODE := "-buildmode=pie"
20	endif	20	endif
21	endif	21	endif
22	-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \	22	-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
23	+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \	23	+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) \
24	-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"	24	$(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
25	GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \	25	-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
26	-ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"	26


diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb index 97373a72..16bc6639 100644 --- a/recipes-containers/runc/runc-docker_git.bb +++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
2		2
3	# Note: this rev is before the required protocol field, update when all components	3	# Note: this rev is before the required protocol field, update when all components
4	# have been updated to match.	4	# have been updated to match.
5	SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"	5	SRCREV_runc-docker = "068337925cd4286782c1c576132590992cc8c728"
6	SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \	6	SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
7	file://0001-runc-Add-console-socket-dev-null.patch \	7	file://0001-runc-Add-console-socket-dev-null.patch \
8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \	8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
9	file://0001-runc-docker-SIGUSR1-daemonize.patch \	9	file://0001-runc-docker-SIGUSR1-daemonize.patch \
10	"	10	"
11		11
12	RUNC_VERSION = "1.1.4"	12	RUNC_VERSION = "1.1.15"
13		13
14	CVE_PRODUCT = "runc"	14	CVE_PRODUCT = "runc"


diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb index 59ddca9b..00077985 100644 --- a/recipes-containers/runc/runc-opencontainers_git.bb +++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,10 +1,10 @@
1	include runc.inc	1	include runc.inc
2		2
3	SRCREV = "974efd2dfca0abec041a3708a2b66bfac6bd2484"	3	SRCREV = "068337925cd4286782c1c576132590992cc8c728"
4	SRC_URI = " \	4	SRC_URI = " \
5	git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \	5	git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \
6	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \	6	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
7	"	7	"
8	RUNC_VERSION = "1.1.4"	8	RUNC_VERSION = "1.1.15"
9		9
10	CVE_PRODUCT = "runc"	10	CVE_PRODUCT = "runc"