[meta-virtualization] [PATCH v2] kubernetes: Security fix for CVE </CVE-2018-1002105>
Muminul Russell
misla011 at fiu.edu
Tue Oct 1 16:26:54 PDT 2019
The patch failed to apply because of the path: in the Yocto build the source file
location is different.
V2:
+--- a/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
++++ b/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
V1:
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
++++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
On Tue, Oct 1, 2019 at 1:58 PM Bruce Ashfield <bruce.ashfield at gmail.com> wrote:
>
> What's the delta from v1 ?
>
> Also, given that this isn't the final 1.16 kubernetes release, I'd
> rather version bump than apply patches.
>
> Bruce
>
>
> On Mon, Sep 30, 2019 at 6:16 PM Muminul Islam <misla011 at fiu.edu> wrote:
> >
> > Signed-off-by: Muminul Islam <muislam at microsoft.com>
> > ---
> > .../kubernetes/CVE-2018-1002105.patch | 87 +++++++++++++++++++
> > .../kubernetes/kubernetes_git.bb | 1 +
> > 2 files changed, 88 insertions(+)
> > create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
> >
> > diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
> > new file mode 100644
> > index 0000000..505450c
> > --- /dev/null
> > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
> > @@ -0,0 +1,87 @@
> > +From b2c05ca842b97090df424e0401968ba8d7ee3ecb Mon Sep 17 00:00:00 2001
> > +From: Jordan Liggitt <liggitt at google.com>
> > +Date: Mon, 5 Nov 2018 23:50:35 -0500
> > +Subject: [PATCH] Verify backend upgraded connection
> > +Reply-To: muislam at microsoft.com
> > +
> > +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> > +
> > +CVE: CVE-2018-1002105
> > +
> > +Upstream-Status: Backport
> > +---
> > + .../pkg/util/proxy/upgradeaware.go | 37 +++++++++++++++++++
> > + 1 file changed, 37 insertions(+)
> > +
> > +diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> > +index 4d5cd34d48..b14819079c 100644
> > +--- a/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> > ++++ b/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> > +@@ -17,6 +17,7 @@ limitations under the License.
> > + package proxy
> > +
> > + import (
> > ++ "bufio"
> > + "bytes"
> > + "context"
> > + "fmt"
> > +@@ -269,6 +270,18 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
> > + }
> > + defer backendConn.Close()
> > +
> > ++ // determine the http response code from the backend by reading from rawResponse+backendConn
> > ++ rawResponseCode, headerBytes, err := getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn))
> > ++ if err != nil {
> > ++ glog.V(6).Infof("Proxy connection error: %v", err)
> > ++ h.Responder.Error(w, req, err)
> > ++ return true
> > ++ }
> > ++ if len(headerBytes) > len(rawResponse) {
> > ++ // we read beyond the bytes stored in rawResponse, update rawResponse to the full set of bytes read from the backend
> > ++ rawResponse = headerBytes
> > ++ }
> > ++
> > + // Once the connection is hijacked, the ErrorResponder will no longer work, so
> > + // hijacking should be the last step in the upgrade.
> > + requestHijacker, ok := w.(http.Hijacker)
> > +@@ -293,6 +306,17 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
> > + }
> > + }
> > +
> > ++ if rawResponseCode != http.StatusSwitchingProtocols {
> > ++ // If the backend did not upgrade the request, finish echoing the response from the backend to the client and return, closing the connection.
> > ++ glog.V(6).Infof("Proxy upgrade error, status code %d", rawResponseCode)
> > ++ _, err := io.Copy(requestHijackedConn, backendConn)
> > ++ if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
> > ++ glog.Errorf("Error proxying data from backend to client: %v", err)
> > ++ }
> > ++ // Indicate we handled the request
> > ++ return true
> > ++ }
> > ++
> > + // Proxy the connection. This is bidirectional, so we need a goroutine
> > + // to copy in each direction. Once one side of the connection exits, we
> > + // exit the function which performs cleanup and in the process closes
> > +@@ -354,6 +378,19 @@ func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error
> > + return dial(updatedReq, h.UpgradeTransport)
> > + }
> > +
> > ++// getResponseCode reads a http response from the given reader, returns the status code,
> > ++// the bytes read from the reader, and any error encountered
> > ++func getResponseCode(r io.Reader) (int, []byte, error) {
> > ++ rawResponse := bytes.NewBuffer(make([]byte, 0, 256))
> > ++ // Save the bytes read while reading the response headers into the rawResponse buffer
> > ++ resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil)
> > ++ if err != nil {
> > ++ return 0, nil, err
> > ++ }
> > ++ // return the http status code and the raw bytes consumed from the reader in the process
> > ++ return resp.StatusCode, rawResponse.Bytes(), nil
> > ++}
> > ++
> > + // dial dials the backend at req.URL and writes req to it.
> > + func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) {
> > + conn, err := DialURL(req.Context(), req.URL, transport)
> > +--
> > +2.23.0
> > +
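Review bot: The nested patch's `diff --git` line still names the upstream path `a/staging/src/k8s.io/.../upgradeaware.go` while the `---`/`+++` lines right below it name `a/src/import/staging/src/k8s.io/.../upgradeaware.go`; `patch -p1` takes its paths from the `---`/`+++` pair and succeeds, but git apply, as far as I recall, verifies that the two agree and rejects the file as having an inconsistent filename, so the header line should be rewritten to match, e.g. `diff --git a/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go`. The `index 4d5cd34d48..b14819079c` line likewise refers to upstream blob ids that will not correspond to the recipe's tree; dropping it avoids a spurious mismatch. Separately, the backported commit is dated November 2018 while the recipe fetches the kubernetes master branch, so it is worth confirming that the source at the recipe's pinned SRCREV really lacks `getResponseCode` and the `rawResponseCode != http.StatusSwitchingProtocols` check before carrying the patch; if the fix is already present the hunks will either fail or duplicate the check. The `CVE:` and `Upstream-Status: Backport` tags in the patch header are in place, which is what the layer's CVE tooling needs.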
> > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> > index a0e0e47..b587e16 100644
> > --- a/recipes-containers/kubernetes/kubernetes_git.bb
> > +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> > @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=master;name=kuberne
> > file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> > file://0001-cross-don-t-build-tests-by-default.patch \
> > file://0001-fix-compiling-failure-execvp-bin-bash-Argument-list-.patch \
> > + file://CVE-2018-1002105.patch \
> > "
> >
> > DEPENDS += "rsync-native \
> > --
> > 2.23.0
> >
> > --
>
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
> --