Fix CVE-2024-10220 for kubernetes (#11804)

Co-authored-by: Riken Maharjan <[email protected]> (cherry picked from commit 4603110)
microsoft · Jan 14, 2025 · 8bc0235 · 8bc0235
1 parent c41788f
commit 8bc0235
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 1 deletion.
diff --git a/SPECS/kubernetes/CVE-2024-10220.patch b/SPECS/kubernetes/CVE-2024-10220.patch
@@ -0,0 +1,53 @@
+From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
+From: Imre Rad <[email protected]>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+
+More details on Hackerone #2266560
+---
+ pkg/volume/git_repo/git_repo.go      |  6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d900727..b3827b92ad0f0 100644
+--- a/pkg/volume/git_repo/git_repo.go
++++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+ 	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+ 		return err
+ 	}
++	if (src.Revision != "") && (src.Directory != "") {
++		cleanedDir := filepath.Clean(src.Directory)
++		if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
++			return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
++		}
++	}
+ 	return nil
+ }
+
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892a1..650f765cc4884 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
++++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+ 			},
+ 			isExpectedFailure: true,
+ 		},
++		{
++			name: "invalid-revision-directory-combo",
++			vol: &v1.Volume{
++				Name: "vol1",
++				VolumeSource: v1.VolumeSource{
++					GitRepo: &v1.GitRepoVolumeSource{
++						Repository: gitURL,
++						Revision:   "main",
++						Directory:  "foo/bar",
++					},
++				},
++			},
++			isExpectedFailure: true,
++		},
+ 	}
+
+ 	for _, scenario := range scenarios {
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.28.4
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,6 +25,7 @@ Patch3:         CVE-2023-45288.patch
 Patch4:         CVE-2024-28180.patch
 Patch5:         CVE-2024-24786.patch
 Patch6:         CVE-2024-45338.patch
+Patch7:         CVE-2024-10220.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang
@@ -271,6 +272,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Tue Jan 07 2025 Sudipta Pandit <[email protected]> - 1.28.4-14
+- Add patch for CVE-2024-10220
+
 * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 1.28.4-13
 - Add patch for CVE-2024-45338