3 files changed, 127 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch
new file mode 100644
index 00000000..835a43b4
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch
@@ -0,0 +1,46 @@
+From c80d622eed1c499139c51bd47c8dc756682fbe66 Mon Sep 17 00:00:00 2001
+From: James Sturtevant <jstur@microsoft.com>
+Date: Thu, 20 Jul 2023 17:00:29 +0000
+Subject: [PATCH] Use env varaibles for passing path
+The subpath could be passed a powershell subexpression which would be executed by kubelet with privilege.  Switching to pass the arguments via environment variables means the subexpression won't be evaluated.
+Signed-off-by: James Sturtevant <jstur@microsoft.com>
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/a53faf5e17ed0b0771a605c6401ba4cbf297b59a]
+CVE: CVE-2023-3676
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/util/subpath/subpath_windows.go | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+diff --git a/pkg/volume/util/subpath/subpath_windows.go b/pkg/volume/util/subpath/subpath_windows.go
+index e7f77d07f7557..c9b67aa8c78ff 100644
+--- a/pkg/volume/util/subpath/subpath_windows.go
+++ b/pkg/volume/util/subpath/subpath_windows.go
+@@ -76,8 +76,10 @@ func getUpperPath(path string) string {
+ // Check whether a directory/file is a link type or not
+ // LinkType could be SymbolicLink, Junction, or HardLink
+ func isLinkPath(path string) (bool, error) {
+-       cmd := fmt.Sprintf("(Get-Item -LiteralPath %q).LinkType", path)
+-       output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
+       cmd := exec.Command("powershell", "/c", "$ErrorActionPreference = 'Stop'; (Get-Item -Force -LiteralPath $env:linkpath).LinkType")
+       cmd.Env = append(os.Environ(), fmt.Sprintf("linkpath=%s", path))
+       klog.V(8).Infof("Executing command: %q", cmd.String())
+       output, err := cmd.CombinedOutput()
+        if err != nil {
+                return false, err
+        }
+@@ -114,8 +116,10 @@ func evalSymlink(path string) (string, error) {
+                }
+        }
+        // This command will give the target path of a given symlink
+-       cmd := fmt.Sprintf("(Get-Item -LiteralPath %q).Target", upperpath)
+-       output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
+       cmd := exec.Command("powershell", "/c", "$ErrorActionPreference = 'Stop'; (Get-Item -Force -LiteralPath $env:linkpath).Target")
+       cmd.Env = append(os.Environ(), fmt.Sprintf("linkpath=%s", upperpath))
+       klog.V(8).Infof("Executing command: %q", cmd.String())
+       output, err := cmd.CombinedOutput()
+        if err != nil {
+                return "", err
+        }
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch
new file mode 100644
index 00000000..6f2518cf
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch
@@ -0,0 +1,79 @@
+From 5f89e4c983f0a55e6cc21ca05436496a208d8eb7 Mon Sep 17 00:00:00 2001
+From: James Sturtevant <jstur@microsoft.com>
+Date: Mon, 17 Jul 2023 14:24:02 -0700
+Subject: [PATCH] Use environment varaibles for parameters in Powershell
+As a defense in depth, pass parameters to powershell via environment variables.
+Signed-off-by: James Sturtevant <jstur@microsoft.com>
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9]
+CVE: CVE-2023-3955
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/util/util.go                       | 12 +++++++----
+ .../src/k8s.io/mount-utils/mount_windows.go   | 20 +++++++++++++------
+ 2 files changed, 22 insertions(+), 10 deletions(-)
+diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
+index dffdfd6d899c1..cd70a52d277db 100644
+--- a/pkg/volume/util/util.go
+++ b/pkg/volume/util/util.go
+@@ -656,11 +656,15 @@ func HasMountRefs(mountPath string, mountRefs []string) bool {
+ func WriteVolumeCache(deviceMountPath string, exec utilexec.Interface) error {
+        // If runtime os is windows, execute Write-VolumeCache powershell command on the disk
+        if runtime.GOOS == "windows" {
+-               cmd := fmt.Sprintf("Get-Volume -FilePath %s | Write-Volumecache", deviceMountPath)
+-               output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
+-               klog.Infof("command (%q) execeuted: %v, output: %q", cmd, err, string(output))
+               cmdString := "Get-Volume -FilePath $env:mountpath | Write-Volumecache"
+               cmd := exec.Command("powershell", "/c", cmdString)
+               env := append(os.Environ(), fmt.Sprintf("mountpath=%s", deviceMountPath))
+               cmd.SetEnv(env)
+               klog.Infof("Executing command: %q", cmdString)
+               output, err := cmd.CombinedOutput()
+               klog.Infof("command (%q) execeuted: %v, output: %q", cmdString, err, string(output))
+                if err != nil {
+-                       return fmt.Errorf("command (%q) failed: %v, output: %q", cmd, err, string(output))
+                       return fmt.Errorf("command (%q) failed: %v, output: %q", cmdString, err, string(output))
+                }
+        }
+        // For linux runtime, it skips because unmount will automatically flush disk data
+diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go
+index c7fcde5fc98f4..d96bf2237899f 100644
+--- a/staging/src/k8s.io/mount-utils/mount_windows.go
+++ b/staging/src/k8s.io/mount-utils/mount_windows.go
+@@ -278,10 +278,16 @@ func (mounter *SafeFormatAndMount) formatAndMountSensitive(source string, target
+                fstype = "NTFS"
+        }
+ 
+-       // format disk if it is unformatted(raw)
+-       cmd := fmt.Sprintf("Get-Disk -Number %s | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle GPT -PassThru"+
+-               " | New-Partition -UseMaximumSize | Format-Volume -FileSystem %s -Confirm:$false", source, fstype)
+-       if output, err := mounter.Exec.Command("powershell", "/c", cmd).CombinedOutput(); err != nil {
+       cmdString := "Get-Disk -Number $env:source | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle GPT -PassThru" +
+               " | New-Partition -UseMaximumSize | Format-Volume -FileSystem $env:fstype -Confirm:$false"
+       cmd := mounter.Exec.Command("powershell", "/c", cmdString)
+       env := append(os.Environ(),
+               fmt.Sprintf("source=%s", source),
+               fmt.Sprintf("fstype=%s", fstype),
+       )
+       cmd.SetEnv(env)
+       klog.V(8).Infof("Executing command: %q", cmdString)
+       if output, err := cmd.CombinedOutput(); err != nil {
+                return fmt.Errorf("diskMount: format disk failed, error: %v, output: %q", err, string(output))
+        }
+        klog.V(4).Infof("diskMount: Disk successfully formatted, disk: %q, fstype: %q", source, fstype)
+@@ -303,8 +309,10 @@ func (mounter *SafeFormatAndMount) formatAndMountSensitive(source string, target
+ 
+ // ListVolumesOnDisk - returns back list of volumes(volumeIDs) in the disk (requested in diskID).
+ func listVolumesOnDisk(diskID string) (volumeIDs []string, err error) {
+-       cmd := fmt.Sprintf("(Get-Disk -DeviceId %s | Get-Partition | Get-Volume).UniqueId", diskID)
+-       output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
+       cmd := exec.Command("powershell", "/c", "(Get-Disk -DeviceId $env:diskID | Get-Partition | Get-Volume).UniqueId")
+       cmd.Env = append(os.Environ(), fmt.Sprintf("diskID=%s", diskID))
+       klog.V(8).Infof("Executing command: %q", cmd.String())
+       output, err := cmd.CombinedOutput()
+        klog.V(4).Infof("listVolumesOnDisk id from %s: %s", diskID, string(output))
+        if err != nil {
+                return []string{}, fmt.Errorf("error list volumes on disk. cmd: %s, output: %s, error: %v", cmd, string(output), err)
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index f374892a..9d6179e0 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -36,6 +36,8 @@ SRC_URI:append = " \
           file://k8s-init \
           file://99-kubernetes.conf \
           file://CVE-2024-3177.patch;patchdir=src/import \
+           file://CVE-2023-3955.patch;patchdir=src/import \
+           file://CVE-2023-3676.patch;patchdir=src/import \
          "
 DEPENDS += "rsync-native \

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch new file mode 100644 index 00000000..835a43b4 --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-3676.patch
@@ -0,0 +1,46 @@
		1	From c80d622eed1c499139c51bd47c8dc756682fbe66 Mon Sep 17 00:00:00 2001
		2	From: James Sturtevant <jstur@microsoft.com>
		3	Date: Thu, 20 Jul 2023 17:00:29 +0000
		4	Subject: [PATCH] Use env varaibles for passing path
		5
		6	The subpath could be passed a powershell subexpression which would be executed by kubelet with privilege. Switching to pass the arguments via environment variables means the subexpression won't be evaluated.
		7
		8	Signed-off-by: James Sturtevant <jstur@microsoft.com>
		9
		10	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/a53faf5e17ed0b0771a605c6401ba4cbf297b59a]
		11	CVE: CVE-2023-3676
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	pkg/volume/util/subpath/subpath_windows.go \| 12 ++++++++----
		15	1 file changed, 8 insertions(+), 4 deletions(-)
		16
		17	diff --git a/pkg/volume/util/subpath/subpath_windows.go b/pkg/volume/util/subpath/subpath_windows.go
		18	index e7f77d07f7557..c9b67aa8c78ff 100644
		19	--- a/pkg/volume/util/subpath/subpath_windows.go
		20	+++ b/pkg/volume/util/subpath/subpath_windows.go
		21	@@ -76,8 +76,10 @@ func getUpperPath(path string) string {
		22	// Check whether a directory/file is a link type or not
		23	// LinkType could be SymbolicLink, Junction, or HardLink
		24	func isLinkPath(path string) (bool, error) {
		25	- cmd := fmt.Sprintf("(Get-Item -LiteralPath %q).LinkType", path)
		26	- output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
		27	+ cmd := exec.Command("powershell", "/c", "$ErrorActionPreference = 'Stop'; (Get-Item -Force -LiteralPath $env:linkpath).LinkType")
		28	+ cmd.Env = append(os.Environ(), fmt.Sprintf("linkpath=%s", path))
		29	+ klog.V(8).Infof("Executing command: %q", cmd.String())
		30	+ output, err := cmd.CombinedOutput()
		31	if err != nil {
		32	return false, err
		33	}
		34	@@ -114,8 +116,10 @@ func evalSymlink(path string) (string, error) {
		35	}
		36	}
		37	// This command will give the target path of a given symlink
		38	- cmd := fmt.Sprintf("(Get-Item -LiteralPath %q).Target", upperpath)
		39	- output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
		40	+ cmd := exec.Command("powershell", "/c", "$ErrorActionPreference = 'Stop'; (Get-Item -Force -LiteralPath $env:linkpath).Target")
		41	+ cmd.Env = append(os.Environ(), fmt.Sprintf("linkpath=%s", upperpath))
		42	+ klog.V(8).Infof("Executing command: %q", cmd.String())
		43	+ output, err := cmd.CombinedOutput()
		44	if err != nil {
		45	return "", err
		46	}


diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch new file mode 100644 index 00000000..6f2518cf --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-3955.patch
@@ -0,0 +1,79 @@
		1	From 5f89e4c983f0a55e6cc21ca05436496a208d8eb7 Mon Sep 17 00:00:00 2001
		2	From: James Sturtevant <jstur@microsoft.com>
		3	Date: Mon, 17 Jul 2023 14:24:02 -0700
		4	Subject: [PATCH] Use environment varaibles for parameters in Powershell
		5
		6	As a defense in depth, pass parameters to powershell via environment variables.
		7
		8	Signed-off-by: James Sturtevant <jstur@microsoft.com>
		9
		10	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9]
		11	CVE: CVE-2023-3955
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	pkg/volume/util/util.go \| 12 +++++++----
		15	.../src/k8s.io/mount-utils/mount_windows.go \| 20 +++++++++++++------
		16	2 files changed, 22 insertions(+), 10 deletions(-)
		17
		18	diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
		19	index dffdfd6d899c1..cd70a52d277db 100644
		20	--- a/pkg/volume/util/util.go
		21	+++ b/pkg/volume/util/util.go
		22	@@ -656,11 +656,15 @@ func HasMountRefs(mountPath string, mountRefs []string) bool {
		23	func WriteVolumeCache(deviceMountPath string, exec utilexec.Interface) error {
		24	// If runtime os is windows, execute Write-VolumeCache powershell command on the disk
		25	if runtime.GOOS == "windows" {
		26	- cmd := fmt.Sprintf("Get-Volume -FilePath %s \| Write-Volumecache", deviceMountPath)
		27	- output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
		28	- klog.Infof("command (%q) execeuted: %v, output: %q", cmd, err, string(output))
		29	+ cmdString := "Get-Volume -FilePath $env:mountpath \| Write-Volumecache"
		30	+ cmd := exec.Command("powershell", "/c", cmdString)
		31	+ env := append(os.Environ(), fmt.Sprintf("mountpath=%s", deviceMountPath))
		32	+ cmd.SetEnv(env)
		33	+ klog.Infof("Executing command: %q", cmdString)
		34	+ output, err := cmd.CombinedOutput()
		35	+ klog.Infof("command (%q) execeuted: %v, output: %q", cmdString, err, string(output))
		36	if err != nil {
		37	- return fmt.Errorf("command (%q) failed: %v, output: %q", cmd, err, string(output))
		38	+ return fmt.Errorf("command (%q) failed: %v, output: %q", cmdString, err, string(output))
		39	}
		40	}
		41	// For linux runtime, it skips because unmount will automatically flush disk data
		42	diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go
		43	index c7fcde5fc98f4..d96bf2237899f 100644
		44	--- a/staging/src/k8s.io/mount-utils/mount_windows.go
		45	+++ b/staging/src/k8s.io/mount-utils/mount_windows.go
		46	@@ -278,10 +278,16 @@ func (mounter *SafeFormatAndMount) formatAndMountSensitive(source string, target
		47	fstype = "NTFS"
		48	}
		49
		50	- // format disk if it is unformatted(raw)
		51	- cmd := fmt.Sprintf("Get-Disk -Number %s \| Where partitionstyle -eq 'raw' \| Initialize-Disk -PartitionStyle GPT -PassThru"+
		52	- " \| New-Partition -UseMaximumSize \| Format-Volume -FileSystem %s -Confirm:$false", source, fstype)
		53	- if output, err := mounter.Exec.Command("powershell", "/c", cmd).CombinedOutput(); err != nil {
		54	+ cmdString := "Get-Disk -Number $env:source \| Where partitionstyle -eq 'raw' \| Initialize-Disk -PartitionStyle GPT -PassThru" +
		55	+ " \| New-Partition -UseMaximumSize \| Format-Volume -FileSystem $env:fstype -Confirm:$false"
		56	+ cmd := mounter.Exec.Command("powershell", "/c", cmdString)
		57	+ env := append(os.Environ(),
		58	+ fmt.Sprintf("source=%s", source),
		59	+ fmt.Sprintf("fstype=%s", fstype),
		60	+ )
		61	+ cmd.SetEnv(env)
		62	+ klog.V(8).Infof("Executing command: %q", cmdString)
		63	+ if output, err := cmd.CombinedOutput(); err != nil {
		64	return fmt.Errorf("diskMount: format disk failed, error: %v, output: %q", err, string(output))
		65	}
		66	klog.V(4).Infof("diskMount: Disk successfully formatted, disk: %q, fstype: %q", source, fstype)
		67	@@ -303,8 +309,10 @@ func (mounter *SafeFormatAndMount) formatAndMountSensitive(source string, target
		68
		69	// ListVolumesOnDisk - returns back list of volumes(volumeIDs) in the disk (requested in diskID).
		70	func listVolumesOnDisk(diskID string) (volumeIDs []string, err error) {
		71	- cmd := fmt.Sprintf("(Get-Disk -DeviceId %s \| Get-Partition \| Get-Volume).UniqueId", diskID)
		72	- output, err := exec.Command("powershell", "/c", cmd).CombinedOutput()
		73	+ cmd := exec.Command("powershell", "/c", "(Get-Disk -DeviceId $env:diskID \| Get-Partition \| Get-Volume).UniqueId")
		74	+ cmd.Env = append(os.Environ(), fmt.Sprintf("diskID=%s", diskID))
		75	+ klog.V(8).Infof("Executing command: %q", cmd.String())
		76	+ output, err := cmd.CombinedOutput()
		77	klog.V(4).Infof("listVolumesOnDisk id from %s: %s", diskID, string(output))
		78	if err != nil {
		79	return []string{}, fmt.Errorf("error list volumes on disk. cmd: %s, output: %s, error: %v", cmd, string(output), err)


diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb index f374892a..9d6179e0 100644 --- a/recipes-containers/kubernetes/kubernetes_git.bb +++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -36,6 +36,8 @@ SRC_URI:append = " \
36	file://k8s-init \	36	file://k8s-init \
37	file://99-kubernetes.conf \	37	file://99-kubernetes.conf \
38	file://CVE-2024-3177.patch;patchdir=src/import \	38	file://CVE-2024-3177.patch;patchdir=src/import \
		39	file://CVE-2023-3955.patch;patchdir=src/import \
		40	file://CVE-2023-3676.patch;patchdir=src/import \
39	"	41	"
40		42
41	DEPENDS += "rsync-native \	43	DEPENDS += "rsync-native \