
Commit e3f4f69

[AUTO-CHERRYPICK] Fix CVE-2024-10220 for kubernetes - branch main (#11905)
Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>
1 parent c41788f commit e3f4f69

2 files changed

Lines changed: 58 additions & 1 deletion


Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
2+
From: Imre Rad <imrer@google.com>
3+
Date: Thu, 25 Apr 2024 14:21:51 +0000
4+
Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
5+
6+
More details on Hackerone #2266560
7+
---
8+
pkg/volume/git_repo/git_repo.go | 6 ++++++
9+
pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
10+
2 files changed, 20 insertions(+)
11+
12+
diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
13+
index 995018d900727..b3827b92ad0f0 100644
14+
--- a/pkg/volume/git_repo/git_repo.go
15+
+++ b/pkg/volume/git_repo/git_repo.go
16+
@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
17+
if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
18+
return err
19+
}
20+
+ if (src.Revision != "") && (src.Directory != "") {
21+
+ cleanedDir := filepath.Clean(src.Directory)
22+
+ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
23+
+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
24+
+ }
25+
+ }
26+
return nil
27+
}
28+
29+
diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
30+
index 5b1461be892a1..650f765cc4884 100644
31+
--- a/pkg/volume/git_repo/git_repo_test.go
32+
+++ b/pkg/volume/git_repo/git_repo_test.go
33+
@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
34+
},
35+
isExpectedFailure: true,
36+
},
37+
+ {
38+
+ name: "invalid-revision-directory-combo",
39+
+ vol: &v1.Volume{
40+
+ Name: "vol1",
41+
+ VolumeSource: v1.VolumeSource{
42+
+ GitRepo: &v1.GitRepoVolumeSource{
43+
+ Repository: gitURL,
44+
+ Revision: "main",
45+
+ Directory: "foo/bar",
46+
+ },
47+
+ },
48+
+ },
49+
+ isExpectedFailure: true,
50+
+ },
51+
}
52+
53+
for _, scenario := range scenarios {

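--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary: Microsoft Kubernetes
 Name: kubernetes
 Version: 1.28.4
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -25,6 +25,7 @@ Patch3: CVE-2023-45288.patch
 Patch4: CVE-2024-28180.patch
 Patch5: CVE-2024-24786.patch
 Patch6: CVE-2024-45338.patch
+Patch7: CVE-2024-10220.patch
 BuildRequires: flex-devel
 BuildRequires: glibc-static >= 2.35-7%{?dist}
 BuildRequires: golang
@@ -271,6 +272,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Tue Jan 07 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.28.4-14
+- Add patch for CVE-2024-10220
+
 * Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.28.4-13
 - Add patch for CVE-2024-45338
 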
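Review bot: The second hunk declares `Patch7: CVE-2024-10220.patch`, but the %prep section that applies patches is outside this view, so it is not visible here whether the new patch is actually applied to the source tree. If %prep applies patches with explicit per-patch lines rather than `%autosetup`, a matching apply line for Patch7 is needed, otherwise the package builds and ships with the CVE listed in its changelog but without the fix. The Release bump to `14%{?dist}` and the changelog entry are consistent with each other.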
