Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177

2024-05-17 Thread Martin Jansa
The .patch file doesn't apply on the v1.23.17 version currently in kirkstone.

recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch
CVE-2024-3177.patch
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
|From: Rita Zhang 
|Date: Mon, 25 Mar 2024 10:33:41 -0700
|Subject: [PATCH] Add envFrom to serviceaccount admission plugin
|
|Signed-off-by: Rita Zhang 
|
|Upstream-Status: Backport
[https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
|CVE: CVE-2024-3177
|Signed-off-by: Ashish Sharma 
|
| .../pkg/admission/serviceaccount/admission.go |  21 +++
| .../serviceaccount/admission_test.go  | 122 --
| 2 files changed, 132 insertions(+), 11 deletions(-)
|
|diff --git a/plugin/pkg/admission/serviceaccount/admission.go
b/plugin/pkg/admission/serviceaccount/admission.go
|index c844a051c24b..3f4338128e53 100644
|--- a/plugin/pkg/admission/serviceaccount/admission.go
|+++ b/plugin/pkg/admission/serviceaccount/admission.go
--
No file to patch.  Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 66
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go
b/plugin/pkg/admission/serviceaccount/admission_test.go
|index bf15f870d75a..4dba6cd8b13e 100644
|--- a/plugin/pkg/admission/serviceaccount/admission_test.go
|+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
--
No file to patch.  Skipping patch.
6 out of 6 hunks ignored
Patch CVE-2024-3177.patch does not apply (enforce with -f)

stderr: ")

It would need to be applied in src/import subdirectory as other .patch
files here are. Will send a fix, but the original submitter should do
a better test before sending.

On Tue, May 14, 2024 at 4:28 AM Bruce Ashfield via lists.yoctoproject.org wrote:
>
> merged to kirkstone
>
> Bruce
>
> In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix 
> for CVE-2024-3177
> on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:
>
> > Upstream-Status: Backport 
> > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> >
> > Signed-off-by: Ashish Sharma 
> > ---
> >  .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++
> >  .../kubernetes/kubernetes_git.bb  |   1 +
> >  2 files changed, 238 insertions(+)
> >  create mode 100644 
> > recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> >
> > diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch 
> > b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > new file mode 100644
> > index ..20b2ea8a
> > --- /dev/null
> > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > @@ -0,0 +1,237 @@
> > +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
> > +From: Rita Zhang 
> > +Date: Mon, 25 Mar 2024 10:33:41 -0700
> > +Subject: [PATCH] Add envFrom to serviceaccount admission plugin
> > +
> > +Signed-off-by: Rita Zhang 
> > +
> > +Upstream-Status: Backport 
> > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> > +CVE: CVE-2024-3177
> > +Signed-off-by: Ashish Sharma 
> > +
> > + .../pkg/admission/serviceaccount/admission.go |  21 +++
> > + .../serviceaccount/admission_test.go  | 122 --
> > + 2 files changed, 132 insertions(+), 11 deletions(-)
> > +
> > +diff --git a/plugin/pkg/admission/serviceaccount/admission.go 
> > b/plugin/pkg/admission/serviceaccount/admission.go
> > +index c844a051c24b..3f4338128e53 100644
> > +--- a/plugin/pkg/admission/serviceaccount/admission.go
> >  b/plugin/pkg/admission/serviceaccount/admission.go
> > +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
> > *corev1.ServiceAccount, po
> > + }
> > + }
> > + }
> > ++for _, envFrom := range container.EnvFrom {
> > ++if envFrom.SecretRef != nil {
> > ++if 
> > !mountableSecrets.Has(envFrom.SecretRef.Name) {
> > ++return fmt.Errorf("init container %s 
> > with envFrom referencing secret.secretName=\"%s\" is not allowed because 
> > service account %s does not reference that secret", container.Name, 
> > envFrom.SecretRef.Name, serviceAccount.Name)
> > ++}
> > ++}
> > ++}
> > + }
> > +
> > + for _, container := range pod.Spec.Containers {
> > +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
> > *corev1.ServiceAccount, po
> > 
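The failure Martin describes above (a patch carrying upstream `a/plugin/...` paths being applied from the top of a tree whose kubernetes checkout lives under src/import) reproduced on a constructed throwaway tree, together with the dry run that catches it before a backport is posted. This is an added example, not code from this thread or from the meta-virtualization recipe: the directory layout, the one-hunk patch and the file names in it are constructed stand-ins for the real CVE-2024-3177.patch, the check assumes GNU patch is installed (falling back to git apply), and `patchdir=src/import` in the messages is the standard BitBake SRC_URI parameter assumed here to be how the recipe's other patches are applied, not something quoted from the recipe.

```shell
#!/bin/sh
# Added example, not code from the thread or the recipe: show why a patch
# written against the upstream kubernetes layout (a/plugin/...) is skipped
# when the recipe unpacks the sources under src/import, and the dry run a
# submitter can do before posting a backport. Assumes GNU patch (or git).
set -eu

# Build a throwaway tree mimicking the unpacked recipe source: the kubernetes
# checkout sits below src/import/, where the thread says other patches apply.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/import/plugin/pkg/admission/serviceaccount"
    printf 'package serviceaccount\n// placeholder\n// end\n' \
        > "$root/src/import/plugin/pkg/admission/serviceaccount/admission.go"
    printf '%s\n' "$root"
}

# A constructed one-hunk patch with upstream-style a/ b/ paths (a stand-in for
# the real CVE-2024-3177.patch; its hunks are not reproduced here).
write_patch() {
    cat > "$1" <<'EOF'
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@@ -1,3 +1,4 @@
 package serviceaccount
 // placeholder
+// added by the constructed patch
 // end
EOF
}

# Dry-run the patch from the given directory, the way do_patch would from S
# (or from S/<patchdir>), without modifying anything. Returns 0 if every hunk
# applies and non-zero if patch cannot find the file or a hunk fails.
check_applies() {
    dir=$1
    patchfile=$2
    if command -v patch >/dev/null 2>&1; then
        ( cd "$dir" && patch --dry-run --batch -p1 -i "$patchfile" ) >/dev/null 2>&1
    else
        ( cd "$dir" && git apply --check -p1 "$patchfile" ) >/dev/null 2>&1
    fi
}

# Human-readable verdict for both candidate directories.
report() {
    root=$1
    patchfile=$2
    if check_applies "$root" "$patchfile"; then
        echo "applies from $root"
    else
        echo "does NOT apply from $root (paths lack the src/import prefix)"
    fi
    if check_applies "$root/src/import" "$patchfile"; then
        echo "applies from $root/src/import (use patchdir=src/import in SRC_URI)"
    else
        echo "does NOT apply from $root/src/import"
    fi
}

# Demonstration run when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_tree)
    write_patch "$root/constructed.patch"
    report "$root" "$root/constructed.patch"
    rm -rf "$root"
fi
```

Run with `--demo` to see the first dry run skipped and the second one succeed; the same `check_applies` call pointed at the real work tree (`S` or `S/src/import` under the build directory) is the test the submitter could have run before sending.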

Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177

2024-05-13 Thread Bruce Ashfield
merged to kirkstone

Bruce

In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix 
for CVE-2024-3177
on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:

> Upstream-Status: Backport 
> [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> 
> Signed-off-by: Ashish Sharma 
> ---
>  .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++
>  .../kubernetes/kubernetes_git.bb  |   1 +
>  2 files changed, 238 insertions(+)
>  create mode 100644 
> recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> 
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch 
> b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> new file mode 100644
> index ..20b2ea8a
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> @@ -0,0 +1,237 @@
> +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
> +From: Rita Zhang 
> +Date: Mon, 25 Mar 2024 10:33:41 -0700
> +Subject: [PATCH] Add envFrom to serviceaccount admission plugin
> +
> +Signed-off-by: Rita Zhang 
> +
> +Upstream-Status: Backport 
> [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> +CVE: CVE-2024-3177
> +Signed-off-by: Ashish Sharma 
> +
> + .../pkg/admission/serviceaccount/admission.go |  21 +++
> + .../serviceaccount/admission_test.go  | 122 --
> + 2 files changed, 132 insertions(+), 11 deletions(-)
> +
> +diff --git a/plugin/pkg/admission/serviceaccount/admission.go 
> b/plugin/pkg/admission/serviceaccount/admission.go
> +index c844a051c24b..3f4338128e53 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission.go
>  b/plugin/pkg/admission/serviceaccount/admission.go
> +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
> *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++for _, envFrom := range container.EnvFrom {
> ++if envFrom.SecretRef != nil {
> ++if 
> !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++return fmt.Errorf("init container %s 
> with envFrom referencing secret.secretName=\"%s\" is not allowed because 
> service account %s does not reference that secret", container.Name, 
> envFrom.SecretRef.Name, serviceAccount.Name)
> ++}
> ++}
> ++}
> + }
> + 
> + for _, container := range pod.Spec.Containers {
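Review bot: the inner file headers (`--- a/plugin/pkg/admission/serviceaccount/admission.go` and `b/plugin/pkg/admission/serviceaccount/admission.go`) are relative to the upstream kubernetes tree, while the kirkstone recipe unpacks that tree under src/import, which is why the apply log earlier in this thread reports "can't find file to patch at input line 20" and "3 out of 3 hunks ignored"; either prefix the paths with src/import or apply the file with the same patchdir the recipe's other patches use. Also, as quoted here the second header line of each file diff reads ` b/plugin/...` without its `+++` marker; the apply log got past the headers, so this is most likely the archive's rendering, but the committed .patch should be checked to have `+++ b/...` intact. The init-container loop itself reads correctly: an `envFrom.SecretRef` naming a secret not in `mountableSecrets` is rejected with a message that identifies the container, the secret and the service account.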
> +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
> *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++for _, envFrom := range container.EnvFrom {
> ++if envFrom.SecretRef != nil {
> ++if 
> !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++return fmt.Errorf("container %s with 
> envFrom referencing secret.secretName=\"%s\" is not allowed because service 
> account %s does not reference that secret", container.Name, 
> envFrom.SecretRef.Name, serviceAccount.Name)
> ++}
> ++}
> ++}
> + }
> + 
> + // limit pull secret references as well
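Review bot: this block is a verbatim copy of the init-container loop above with only the "container %s" message prefix changed, and the ephemeral-container hunk repeats it a third time; keeping the upstream shape is the right call for a backport, but if the kirkstone copy ever has to diverge from upstream a small helper taking the container-kind string would keep the three checks from drifting. The header `@@ -347,6 +354,13 @@` shifts by the seven lines added in the first hunk, so the hunk offsets are consistent and the only cause of the reported failure is the path prefix.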
> +@@ -388,6 +402,13 @@ func (s *Plugin) 
> limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
> + }
> + }
> + }
> ++for _, envFrom := range container.EnvFrom {
> ++if envFrom.SecretRef != nil {
> ++if 
> !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++return fmt.Errorf("ephemeral container 
> %s with envFrom referencing secret.secretName=\"%s\" is not allowed because 
> service account %s does not reference that secret", container.Name, 
> envFrom.SecretRef.Name, serviceAccount.Name)
> ++}
> ++}
> ++}
> + }
> + return nil
> + }
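Review bot: the third copy of the check sits in limitEphemeralContainerSecretReferences and the function still ends with `return nil`, so an ephemeral container that pulls a whole secret through envFrom is now rejected at admission like the other two container kinds; `@@ -388,6 +402,13 @@` (+14) matches the two earlier seven-line insertions. Since the diffstat claims 122 changed lines in admission_test.go but only TestAllowsReferencedSecret is visible in this thread, confirm that the backported test file exercises the rejection path for the ephemeral and init-container cases as well as the allowed case.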
> +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go 
> b/plugin/pkg/admission/serviceaccount/admission_test.go
> +index bf15f870d75a..4dba6cd8b13e 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission_test.go
>  b/plugin/pkg/admission/serviceaccount/admission_test.go
> +@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + t.Errorf("Unexpected error: %v", err)
> + }
> + 
> ++pod2 = {
> ++Spec: api.PodSpec{
> ++Containers: []api.Container{
> ++{
> ++Name: "container-1",
> ++EnvFrom: []api.EnvFromSource{
> ++{
> ++