2 files changed, 167 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 00000000..9388f18d
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <nmoraiti@redhat.com>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/credentialprovider/config.go      | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
+++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
+                        continue
+                }
+                cfg, err := readDockerConfigFileFromBytes(contents)
+-               if err == nil {
+-                       klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+-                       return cfg, nil
+               if err != nil {
+                       klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
+                       continue
+                }
+
+               klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+               return cfg, nil
+
+        }
+        return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
+ 
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+        if err = json.Unmarshal(contents, &cfg); err != nil {
+-               klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-               return nil, err
+               return nil, errors.New("error occurred while trying to unmarshal json")
+        }
+        return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+        var cfgJson DockerConfigJson
+        if err = json.Unmarshal(contents, &cfgJson); err != nil {
+-               klog.Errorf("while trying to parse blob %q: %v", contents, err)
+-               return nil, err
+               return nil, errors.New("error occurred while trying to unmarshal json")
+        }
+        cfg = cfgJson.Auths
+        return
+diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
+++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
+                }
+        }
+ }
+
+func TestReadDockerConfigFileFromBytes(t *testing.T) {
+       testCases := []struct {
+               id               string
+               input            []byte
+               expectedCfg      DockerConfig
+               errorExpected    bool
+               expectedErrorMsg string
+       }{
+               {
+                       id:    "valid input, no error expected",
+                       input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
+                       expectedCfg: DockerConfig(map[string]DockerConfigEntry{
+                               "http://foo.example.com": {
+                                       Username: "foo",
+                                       Password: "bar",
+                                       Email:    "foo@example.com",
+                               },
+                       }),
+               },
+               {
+                       id:               "invalid input, error expected",
+                       input:            []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
+                       errorExpected:    true,
+                       expectedErrorMsg: "error occurred while trying to unmarshal json",
+               },
+       }
+
+       for _, tc := range testCases {
+               cfg, err := readDockerConfigFileFromBytes(tc.input)
+               if err != nil && !tc.errorExpected {
+                       t.Fatalf("Error was not expected: %v", err)
+               }
+               if err != nil && tc.errorExpected {
+                       if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
+                               t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
+                       }
+               } else {
+                       if !reflect.DeepEqual(cfg, tc.expectedCfg) {
+                               t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
+                       }
+               }
+       }
+}
+
+func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
+       testCases := []struct {
+               id               string
+               input            []byte
+               expectedCfg      DockerConfig
+               errorExpected    bool
+               expectedErrorMsg string
+       }{
+               {
+                       id:    "valid input, no error expected",
+                       input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
+                       expectedCfg: DockerConfig(map[string]DockerConfigEntry{
+                               "http://foo.example.com": {
+                                       Username: "foo",
+                                       Password: "bar",
+                                       Email:    "foo@example.com",
+                               },
+                               "http://bar.example.com": {
+                                       Username: "bar",
+                                       Password: "baz",
+                                       Email:    "bar@example.com",
+                               },
+                       }),
+               },
+               {
+                       id:               "invalid input, error expected",
+                       input:            []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
+                       errorExpected:    true,
+                       expectedErrorMsg: "error occurred while trying to unmarshal json",
+               },
+       }
+
+       for _, tc := range testCases {
+               cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
+               if err != nil && !tc.errorExpected {
+                       t.Fatalf("Error was not expected: %v", err)
+               }
+               if err != nil && tc.errorExpected {
+                       if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
+                               t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
+                       }
+               } else {
+                       if !reflect.DeepEqual(cfg, tc.expectedCfg) {
+                               t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
+                       }
+               }
+       }
+}
+-- 
+2.25.1
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 8c286e23..c73f9882 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
 SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
           file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
           file://0001-cross-don-t-build-tests-by-default.patch \
+           file://CVE-2020-8564.patch \
          "
 DEPENDS += "rsync-native \

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch new file mode 100644 index 00000000..9388f18d --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
		1	From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
		2	From: Nikolaos Moraitis <nmoraiti@redhat.com>
		3	Date: Fri, 11 Sep 2020 11:36:27 +0200
		4	Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
		5
		6	There are a lot of scenarios where an invalid .dockercfg file
		7	will still contain secrets. This commit removes logging of the
		8	contents to avoid any potential leaking and manages the actual error
		9	by printing to the user the actual location of the invalid file.
		10
		11	Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
		12
		13	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
		14	CVE: CVE-2020-8564
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	pkg/credentialprovider/config.go \| 16 +++--
		18	pkg/credentialprovider/config_test.go \| 93 +++++++++++++++++++++++++++
		19	2 files changed, 102 insertions(+), 7 deletions(-)
		20
		21	diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
		22	index 377383aa903..b256bd8e7f0 100644
		23	--- a/src/import/pkg/credentialprovider/config.go
		24	+++ b/src/import/pkg/credentialprovider/config.go
		25	@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
		26	continue
		27	}
		28	cfg, err := readDockerConfigFileFromBytes(contents)
		29	- if err == nil {
		30	- klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
		31	- return cfg, nil
		32	+ if err != nil {
		33	+ klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
		34	+ continue
		35	}
		36	+
		37	+ klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
		38	+ return cfg, nil
		39	+
		40	}
		41	return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
		42	}
		43	@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client http.Client, header http.H
		44
		45	func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
		46	if err = json.Unmarshal(contents, &cfg); err != nil {
		47	- klog.Errorf("while trying to parse blob %q: %v", contents, err)
		48	- return nil, err
		49	+ return nil, errors.New("error occurred while trying to unmarshal json")
		50	}
		51	return
		52	}
		53	@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
		54	func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
		55	var cfgJson DockerConfigJson
		56	if err = json.Unmarshal(contents, &cfgJson); err != nil {
		57	- klog.Errorf("while trying to parse blob %q: %v", contents, err)
		58	- return nil, err
		59	+ return nil, errors.New("error occurred while trying to unmarshal json")
		60	}
		61	cfg = cfgJson.Auths
		62	return
		63	diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
		64	index c310dc33dce..6974076984f 100644
		65	--- a/src/import/pkg/credentialprovider/config_test.go
		66	+++ b/src/import/pkg/credentialprovider/config_test.go
		67	@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
		68	}
		69	}
		70	}
		71	+
		72	+func TestReadDockerConfigFileFromBytes(t *testing.T) {
		73	+ testCases := []struct {
		74	+ id string
		75	+ input []byte
		76	+ expectedCfg DockerConfig
		77	+ errorExpected bool
		78	+ expectedErrorMsg string
		79	+ }{
		80	+ {
		81	+ id: "valid input, no error expected",
		82	+ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
		83	+ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
		84	+ "http://foo.example.com": {
		85	+ Username: "foo",
		86	+ Password: "bar",
		87	+ Email: "foo@example.com",
		88	+ },
		89	+ }),
		90	+ },
		91	+ {
		92	+ id: "invalid input, error expected",
		93	+ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
		94	+ errorExpected: true,
		95	+ expectedErrorMsg: "error occurred while trying to unmarshal json",
		96	+ },
		97	+ }
		98	+
		99	+ for _, tc := range testCases {
		100	+ cfg, err := readDockerConfigFileFromBytes(tc.input)
		101	+ if err != nil && !tc.errorExpected {
		102	+ t.Fatalf("Error was not expected: %v", err)
		103	+ }
		104	+ if err != nil && tc.errorExpected {
		105	+ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
		106	+ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
		107	+ }
		108	+ } else {
		109	+ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
		110	+ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
		111	+ }
		112	+ }
		113	+ }
		114	+}
		115	+
		116	+func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
		117	+ testCases := []struct {
		118	+ id string
		119	+ input []byte
		120	+ expectedCfg DockerConfig
		121	+ errorExpected bool
		122	+ expectedErrorMsg string
		123	+ }{
		124	+ {
		125	+ id: "valid input, no error expected",
		126	+ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
		127	+ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
		128	+ "http://foo.example.com": {
		129	+ Username: "foo",
		130	+ Password: "bar",
		131	+ Email: "foo@example.com",
		132	+ },
		133	+ "http://bar.example.com": {
		134	+ Username: "bar",
		135	+ Password: "baz",
		136	+ Email: "bar@example.com",
		137	+ },
		138	+ }),
		139	+ },
		140	+ {
		141	+ id: "invalid input, error expected",
		142	+ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
		143	+ errorExpected: true,
		144	+ expectedErrorMsg: "error occurred while trying to unmarshal json",
		145	+ },
		146	+ }
		147	+
		148	+ for _, tc := range testCases {
		149	+ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
		150	+ if err != nil && !tc.errorExpected {
		151	+ t.Fatalf("Error was not expected: %v", err)
		152	+ }
		153	+ if err != nil && tc.errorExpected {
		154	+ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
		155	+ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
		156	+ }
		157	+ } else {
		158	+ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
		159	+ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
		160	+ }
		161	+ }
		162	+ }
		163	+}
		164	--
		165	2.25.1
		166


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index 8c286e23..c73f9882 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -11,6 +11,7 @@ SRCREV_kubernetes = "f45fc1861acab22eb6a4697e3fb831e85ef5ff9c"
11	SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \	11	SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=kubernetes;protocol=https \
12	file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \	12	file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
13	file://0001-cross-don-t-build-tests-by-default.patch \	13	file://0001-cross-don-t-build-tests-by-default.patch \
		14	file://CVE-2020-8564.patch \
14	"	15	"
15		16
16	DEPENDS += "rsync-native \	17	DEPENDS += "rsync-native \