-
Notifications
You must be signed in to change notification settings - Fork 564
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix CVE-2024-10220 for kubernetes (#11804)
Co-authored-by: Riken Maharjan <[email protected]>
- Loading branch information
Showing
2 changed files
with
58 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001 | ||
| From: Imre Rad <[email protected]> | ||
| Date: Thu, 25 Apr 2024 14:21:51 +0000 | ||
| Subject: [PATCH] gitRepo volume: directory must be max 1 level deep | ||
|
|
||
| More details on Hackerone #2266560 | ||
| --- | ||
| pkg/volume/git_repo/git_repo.go | 6 ++++++ | ||
| pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++ | ||
| 2 files changed, 20 insertions(+) | ||
|
|
||
| diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go | ||
| index 995018d900727..b3827b92ad0f0 100644 | ||
| --- a/pkg/volume/git_repo/git_repo.go | ||
| +++ b/pkg/volume/git_repo/git_repo.go | ||
| @@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error { | ||
| if err := validateNonFlagArgument(src.Directory, "directory"); err != nil { | ||
| return err | ||
| } | ||
| + if (src.Revision != "") && (src.Directory != "") { | ||
| + cleanedDir := filepath.Clean(src.Directory) | ||
| + if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) { | ||
| + return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory) | ||
| + } | ||
| + } | ||
| return nil | ||
| } | ||
|
|
||
| diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go | ||
| index 5b1461be892a1..650f765cc4884 100644 | ||
| --- a/pkg/volume/git_repo/git_repo_test.go | ||
| +++ b/pkg/volume/git_repo/git_repo_test.go | ||
| @@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) { | ||
| }, | ||
| isExpectedFailure: true, | ||
| }, | ||
| + { | ||
| + name: "invalid-revision-directory-combo", | ||
| + vol: &v1.Volume{ | ||
| + Name: "vol1", | ||
| + VolumeSource: v1.VolumeSource{ | ||
| + GitRepo: &v1.GitRepoVolumeSource{ | ||
| + Repository: gitURL, | ||
| + Revision: "main", | ||
| + Directory: "foo/bar", | ||
| + }, | ||
| + }, | ||
| + }, | ||
| + isExpectedFailure: true, | ||
| + }, | ||
| } | ||
|
|
||
| for _, scenario := range scenarios { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,7 @@ | |
| Summary: Microsoft Kubernetes | ||
| Name: kubernetes | ||
| Version: 1.28.4 | ||
| Release: 13%{?dist} | ||
| Release: 14%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -25,6 +25,7 @@ Patch3: CVE-2023-45288.patch | |
| Patch4: CVE-2024-28180.patch | ||
| Patch5: CVE-2024-24786.patch | ||
| Patch6: CVE-2024-45338.patch | ||
| Patch7: CVE-2024-10220.patch | ||
| BuildRequires: flex-devel | ||
| BuildRequires: glibc-static >= 2.35-7%{?dist} | ||
| BuildRequires: golang | ||
|
|
@@ -271,6 +272,9 @@ fi | |
| %{_exec_prefix}/local/bin/pause | ||
|
|
||
| %changelog | ||
| * Tue Jan 07 2025 Sudipta Pandit <[email protected]> - 1.28.4-14 | ||
| - Add patch for CVE-2024-10220 | ||
|
|
||
| * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 1.28.4-13 | ||
| - Add patch for CVE-2024-45338 | ||
|
|
||
|
|
||