Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
The .patch file doesn't apply on the v1.23.17 version currently in kirkstone.

recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2024-3177.patch
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
|From: Rita Zhang
|Date: Mon, 25 Mar 2024 10:33:41 -0700
|Subject: [PATCH] Add envFrom to serviceaccount admission plugin
|
|Signed-off-by: Rita Zhang
|
|Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
|CVE: CVE-2024-3177
|Signed-off-by: Ashish Sharma
|
| .../pkg/admission/serviceaccount/admission.go | 21 +++
| .../serviceaccount/admission_test.go | 122 --
| 2 files changed, 132 insertions(+), 11 deletions(-)
|
|diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
|index c844a051c24b..3f4338128e53 100644
|--- a/plugin/pkg/admission/serviceaccount/admission.go
|+++ b/plugin/pkg/admission/serviceaccount/admission.go
--
No file to patch. Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 66
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
|index bf15f870d75a..4dba6cd8b13e 100644
|--- a/plugin/pkg/admission/serviceaccount/admission_test.go
|+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
--
No file to patch. Skipping patch.
6 out of 6 hunks ignored
Patch CVE-2024-3177.patch does not apply (enforce with -f)
stderr: ")

It would need to be applied in the src/import subdirectory as the other .patch files here are. Will send a fix, but the original submitter should do a better test before sending.
On Tue, May 14, 2024 at 4:28 AM Bruce Ashfield via lists.yoctoproject.org wrote:
>
> merged to kirkstone
>
> Bruce
>
> In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
> on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:
>
> > Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> >
> > Signed-off-by: Ashish Sharma
> > ---
> >  .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++
> >  .../kubernetes/kubernetes_git.bb | 1 +
> >  2 files changed, 238 insertions(+)
> >  create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> >
> > diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > new file mode 100644
> > index ..20b2ea8a
> > --- /dev/null
> > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > @@ -0,0 +1,237 @@ > > +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001 > > +From: Rita Zhang > > +Date: Mon, 25 Mar 2024 10:33:41 -0700 > > +Subject: [PATCH] Add envFrom to serviceaccount admission plugin > > + > > +Signed-off-by: Rita Zhang > > + > > +Upstream-Status: Backport > > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8] > > +CVE: CVE-2024-3177 > > +Signed-off-by: Ashish Sharma > > + > > + .../pkg/admission/serviceaccount/admission.go | 21 +++ > > + .../serviceaccount/admission_test.go | 122 -- > > + 2 files changed, 132 insertions(+), 11 deletions(-) > > + > > +diff --git a/plugin/pkg/admission/serviceaccount/admission.go > > b/plugin/pkg/admission/serviceaccount/admission.go > > +index c844a051c24b..3f4338128e53 100644 > > +--- a/plugin/pkg/admission/serviceaccount/admission.go > > b/plugin/pkg/admission/serviceaccount/admission.go > > +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > > *corev1.ServiceAccount, po > > + } > > + } > > + } > > ++for _, envFrom := range container.EnvFrom { > > ++if envFrom.SecretRef != nil { > > ++if > > !mountableSecrets.Has(envFrom.SecretRef.Name) { > > ++return fmt.Errorf("init container %s > > with envFrom referencing secret.secretName=\"%s\" is not allowed because > > service account %s does not reference that secret", container.Name, > > envFrom.SecretRef.Name, serviceAccount.Name) > > ++} > > ++} > > ++} > > + } > > + > > + for _, container := range pod.Spec.Containers { > > +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > > *corev1.ServiceAccount, po > >
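Review bot: the paths inside the embedded diff (a/plugin/pkg/admission/serviceaccount/admission.go and admission_test.go) are relative to the Kubernetes source root, while the reply above shows quilt rejecting every hunk with "can't find file to patch" on the kirkstone v1.23.17 tree, because this recipe's other .patch files are applied inside the src/import subdirectory. The one-line kubernetes_git.bb change listed in the diffstat (not quoted here) should add the patch with a patchdir pointing at src/import, or the .patch should be regenerated with that prefix, and the result verified with a kirkstone build before resending; as sent, neither the three admission.go hunks nor the six test hunks land, so the CVE-2024-3177 envFrom check is not actually in the built binary.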
Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
merged to kirkstone

Bruce

In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:

> Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
>
> Signed-off-by: Ashish Sharma
> ---
>  .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++
>  .../kubernetes/kubernetes_git.bb | 1 +
>  2 files changed, 238 insertions(+)
>  create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> new file mode 100644
> index ..20b2ea8a
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> @@ -0,0 +1,237 @@ > +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001 > +From: Rita Zhang > +Date: Mon, 25 Mar 2024 10:33:41 -0700 > +Subject: [PATCH] Add envFrom to serviceaccount admission plugin > + > +Signed-off-by: Rita Zhang > + > +Upstream-Status: Backport > [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8] > +CVE: CVE-2024-3177 > +Signed-off-by: Ashish Sharma > + > + .../pkg/admission/serviceaccount/admission.go | 21 +++ > + .../serviceaccount/admission_test.go | 122 -- > + 2 files changed, 132 insertions(+), 11 deletions(-) > + > +diff --git a/plugin/pkg/admission/serviceaccount/admission.go > b/plugin/pkg/admission/serviceaccount/admission.go > +index c844a051c24b..3f4338128e53 100644 > +--- a/plugin/pkg/admission/serviceaccount/admission.go > b/plugin/pkg/admission/serviceaccount/admission.go > +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > *corev1.ServiceAccount, po > + } > + } > + } > ++for _, envFrom := range container.EnvFrom { > ++if envFrom.SecretRef != nil { > ++if > !mountableSecrets.Has(envFrom.SecretRef.Name) { > ++return fmt.Errorf("init container %s > with envFrom referencing secret.secretName=\"%s\" is not allowed because > service account %s does not reference that secret", container.Name, > envFrom.SecretRef.Name, serviceAccount.Name) > ++} > ++} > ++} > + } > + > + for _, container := range pod.Spec.Containers { > +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount > *corev1.ServiceAccount, po > + } > + } > + } > ++for _, envFrom := range container.EnvFrom { > ++if envFrom.SecretRef != nil { > ++if > !mountableSecrets.Has(envFrom.SecretRef.Name) { > ++return fmt.Errorf("container %s with > envFrom referencing secret.secretName=\"%s\" is not allowed because service > account %s does not reference that secret", container.Name, > envFrom.SecretRef.Name, serviceAccount.Name) > ++} > ++} > ++} > + } > + > + // 
limit pull secret references as well > +@@ -388,6 +402,13 @@ func (s *Plugin) > limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi > + } > + } > + } > ++for _, envFrom := range container.EnvFrom { > ++if envFrom.SecretRef != nil { > ++if > !mountableSecrets.Has(envFrom.SecretRef.Name) { > ++return fmt.Errorf("ephemeral container > %s with envFrom referencing secret.secretName=\"%s\" is not allowed because > service account %s does not reference that secret", container.Name, > envFrom.SecretRef.Name, serviceAccount.Name) > ++} > ++} > ++} > + } > + return nil > + } > +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go > b/plugin/pkg/admission/serviceaccount/admission_test.go > +index bf15f870d75a..4dba6cd8b13e 100644 > +--- a/plugin/pkg/admission/serviceaccount/admission_test.go > b/plugin/pkg/admission/serviceaccount/admission_test.go > +@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) { > + t.Errorf("Unexpected error: %v", err) > + } > + > ++pod2 = { > ++Spec: api.PodSpec{ > ++Containers: []api.Container{ > ++{ > ++Name: "container-1", > ++EnvFrom: []api.EnvFromSource{ > ++{ > ++
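Review bot: the quoted patch breaks off in the middle of the admission_test.go hunk (after `EnvFrom: []api.EnvFromSource{` / `{`) and the kubernetes_git.bb hunk from the diffstat is not quoted at all, so neither the test additions nor the SRC_URI line that decides where the .patch is applied can be reviewed from this message; the reply in this thread reports that the patch does not apply on kirkstone's v1.23.17 because the files live under src/import, so the merge should be followed by a fix to that SRC_URI entry and a build test. The three admission.go hunks are at least consistent with each other: each adds the same `envFrom.SecretRef != nil` guard checked against mountableSecrets inside the init-container, container and ephemeral-container loops, with the error string naming the container kind, so once the path problem is fixed the check covers all three places a pod can pull a secret in through envFrom.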