From e8de051a53f979040eaa641d7b69d8fd00275b9a Mon Sep 17 00:00:00 2001
From: Vijay Anusuri <vanusuri@mvista.com>
Date: Thu, 23 Oct 2025 18:43:04 +0530
Subject: kubernetes: Fix for CVE-2025-5187

Upstream-commit: https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5

Reference: https://github.com/kubernetes/kubernetes/pull/133467
           https://github.com/aks-lts/kubernetes/pull/62/commits/152330ef541b23a027c779597496b62c287fb363

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 .../kubernetes/kubernetes/CVE-2025-5187.patch      | 94 ++++++++++++++++++++++
 recipes-containers/kubernetes/kubernetes_git.bb    |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch
new file mode 100644
index 00000000..a3042224
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2025-5187.patch
@@ -0,0 +1,94 @@
+From 922f15f1b75eada00309e02b7dd61f73e1736f3f Mon Sep 17 00:00:00 2001
+From: Sergey Kanzhelev <S.Kanzhelev@live.com>
+Date: Thu, 22 May 2025 17:54:10 +0000
+Subject: [PATCH] do not allow the node to update it's owner reference
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5]
+CVE: CVE-2025-5187
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../admission/noderestriction/admission.go    |  5 +++
+ .../noderestriction/admission_test.go         | 36 +++++++++++++++----
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
+index 0a0d48d131f..8dc3ee7e66e 100644
+--- a/plugin/pkg/admission/noderestriction/admission.go
++++ b/plugin/pkg/admission/noderestriction/admission.go
+@@ -441,6 +441,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
+ 			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
+ 		}
+ 
++		// Don't allow a node to update its own ownerReferences.
++		if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
++		    return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
++		}
++
+ 		// Don't allow a node to update labels outside the allowed set.
+ 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
+ 		modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
+diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
+index 6a4ccf2d948..1b51c75c4c1 100644
+--- a/plugin/pkg/admission/noderestriction/admission_test.go
++++ b/plugin/pkg/admission/noderestriction/admission_test.go
+@@ -235,10 +235,14 @@ func (a *admitTestCase) run(t *testing.T) {
+ 
+ func Test_nodePlugin_Admit(t *testing.T) {
+ 	var (
+-		mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+-		bob    = &user.DefaultInfo{Name: "bob"}
++		trueRef = true
++		mynode  = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
++		bob     = &user.DefaultInfo{Name: "bob"}
++
++		mynodeObjMeta          = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
++		mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
++		mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
+ 
+-		mynodeObjMeta    = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+ 		mynodeObj        = &api.Node{ObjectMeta: mynodeObjMeta}
+ 		mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
+ 			ConfigMap: &api.ConfigMapNodeConfigSource{
+@@ -255,9 +259,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 				KubeletConfigKey: "kubelet",
+ 			}}}}
+ 
+-		mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+-		mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+-		othernodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
++		mynodeObjTaintA    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
++		mynodeObjTaintB    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
++		mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
++		mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
++		othernodeObj       = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+ 
+ 		coremymirrorpod, v1mymirrorpod           = makeTestPod("ns", "mymirrorpod", "mynode", true)
+ 		coreothermirrorpod, v1othermirrorpod     = makeTestPod("ns", "othermirrorpod", "othernode", true)
+@@ -1029,6 +1035,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 			attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+ 			err:        `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
+ 		},
++		{
++			name:       "forbid update of my node: add owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: remove owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: change owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
+ 
+ 		// Other node object
+ 		{
+-- 
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 9d6179e0..41f1ad73 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -38,6 +38,7 @@ SRC_URI:append = " \
            file://CVE-2024-3177.patch;patchdir=src/import \
            file://CVE-2023-3955.patch;patchdir=src/import \
            file://CVE-2023-3676.patch;patchdir=src/import \
+           file://CVE-2025-5187.patch;patchdir=src/import \
           "
 
 DEPENDS += "rsync-native \
-- 
cgit v1.2.3-54-g00ecf