Fix CVE-2024-10220 for kubernetes #11804

Status: Open. Wants to merge 1 commit into base: fasttrack/2.0
53 changes: 53 additions & 0 deletions SPECS/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,53 @@
From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
From: Imre Rad <[email protected]>
Date: Thu, 25 Apr 2024 14:21:51 +0000
Subject: [PATCH] gitRepo volume: directory must be max 1 level deep

More details on Hackerone #2266560
---
pkg/volume/git_repo/git_repo.go | 6 ++++++
pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
2 files changed, 20 insertions(+)

diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
index 995018d900727..b3827b92ad0f0 100644
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
return err
}
+ if (src.Revision != "") && (src.Directory != "") {
+ cleanedDir := filepath.Clean(src.Directory)
+ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
+ }
+ }
return nil
}
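Review bot: the new separator check in this hunk is gated on `src.Revision != ""`, so a Directory such as `foo/bar` still passes validateVolume whenever Revision is left empty. If the problem only exists when a revision is given (the case where a second checkout runs inside Directory), say so in a comment above the `if`; otherwise drop the Revision condition and reject separators unconditionally. Note also that `filepath.Clean("..")` returns `..`, which contains no separator and therefore passes this check; whether that matters depends on handling elsewhere in validateVolume that is not in this diff, so it is worth a comment either way.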

diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
index 5b1461be892a1..650f765cc4884 100644
--- a/pkg/volume/git_repo/git_repo_test.go
+++ b/pkg/volume/git_repo/git_repo_test.go
@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
},
isExpectedFailure: true,
},
+ {
+ name: "invalid-revision-directory-combo",
+ vol: &v1.Volume{
+ Name: "vol1",
+ VolumeSource: v1.VolumeSource{
+ GitRepo: &v1.GitRepoVolumeSource{
+ Repository: gitURL,
+ Revision: "main",
+ Directory: "foo/bar",
+ },
+ },
+ },
+ isExpectedFailure: true,
+ },
}

for _, scenario := range scenarios {
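Review bot: the single scenario added here (Revision "main", Directory "foo/bar") only exercises the branch where both fields are set. Add a scenario with Directory "foo/bar" and an empty Revision, with isExpectedFailure set to the intended result, so the Revision condition in validateVolume is pinned by a test rather than left implicit, and a scenario using a backslash (Directory "foo\\bar") so the second half of the separator check is covered as well.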
6 changes: 5 additions & 1 deletion SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
Summary: Microsoft Kubernetes
Name: kubernetes
Version: 1.28.4
Release: 12%{?dist}
Release: 13%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -24,6 +24,7 @@ Patch2: CVE-2023-5408.patch
Patch3: CVE-2023-45288.patch
Patch4: CVE-2024-28180.patch
Patch5: CVE-2024-24786.patch
Patch6: CVE-2024-10220.patch
BuildRequires: flex-devel
BuildRequires: glibc-static >= 2.35-7%{?dist}
BuildRequires: golang
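Review bot: this hunk only declares Patch6; the %prep section is not part of the diff, so confirm that the spec applies declared patches automatically (for example with %autosetup -p1) rather than through explicit per-patch %patchN lines. If it is the latter, CVE-2024-10220.patch would be listed but never applied, and the changelog entry below would be inaccurate.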
@@ -270,6 +271,9 @@ fi
%{_exec_prefix}/local/bin/pause

%changelog
* Tue Jan 07 2025 Sudipta Pandit <[email protected]> - 1.28.4-13
- Add patch for CVE-2024-10220

* Mon Oct 14 2024 Henry Li <[email protected]> - 1.28.4-12
- Add patch to resolve CVE-2024-24786
