[meta-virtualization] [PATCH] kubernetes: Security fix for CVE </CVE-2018-1002105>

Muminul Islam misla011 at fiu.edu
Fri Sep 27 16:53:19 PDT 2019


Signed-off-by: Muminul Islam <muislam at microsoft.com>
---
 .../kubernetes/CVE-2018-1002105.patch         | 87 +++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
new file mode 100644
index 0000000..9901bb2
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
@@ -0,0 +1,87 @@
+From b2c05ca842b97090df424e0401968ba8d7ee3ecb Mon Sep 17 00:00:00 2001
+From: Jordan Liggitt <liggitt at google.com>
+Date: Mon, 5 Nov 2018 23:50:35 -0500
+Subject: [PATCH] Verify backend upgraded connection
+Reply-To: muislam at microsoft.com
+
+Signed-off-by: Muminul Islam <muislam at microsoft.com>
+
+CVE: CVE-2018-1002105
+
+Upstream-Status: Backport
+---
+ .../pkg/util/proxy/upgradeaware.go            | 37 +++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+index 4d5cd34d48..b14819079c 100644
+--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
++++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+@@ -17,6 +17,7 @@ limitations under the License.
+ package proxy
+ 
+ import (
++	"bufio"
+ 	"bytes"
+ 	"context"
+ 	"fmt"
+@@ -269,6 +270,18 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
+ 	}
+ 	defer backendConn.Close()
+ 
++	// determine the http response code from the backend by reading from rawResponse+backendConn
++	rawResponseCode, headerBytes, err := getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn))
++	if err != nil {
++		klog.V(6).Infof("Proxy connection error: %v", err)
++		h.Responder.Error(w, req, err)
++		return true
++	}
++	if len(headerBytes) > len(rawResponse) {
++		// we read beyond the bytes stored in rawResponse, update rawResponse to the full set of bytes read from the backend
++		rawResponse = headerBytes
++	}
++
+ 	// Once the connection is hijacked, the ErrorResponder will no longer work, so
+ 	// hijacking should be the last step in the upgrade.
+ 	requestHijacker, ok := w.(http.Hijacker)
+@@ -293,6 +306,17 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
+ 		}
+ 	}
+ 
++	if rawResponseCode != http.StatusSwitchingProtocols {
++		// If the backend did not upgrade the request, finish echoing the response from the backend to the client and return, closing the connection.
++		klog.V(6).Infof("Proxy upgrade error, status code %d", rawResponseCode)
++		_, err := io.Copy(requestHijackedConn, backendConn)
++		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
++			klog.Errorf("Error proxying data from backend to client: %v", err)
++		}
++		// Indicate we handled the request
++		return true
++	}
++
+ 	// Proxy the connection. This is bidirectional, so we need a goroutine
+ 	// to copy in each direction. Once one side of the connection exits, we
+ 	// exit the function which performs cleanup and in the process closes
+@@ -354,6 +378,19 @@ func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error
+ 	return dial(updatedReq, h.UpgradeTransport)
+ }
+ 
++// getResponseCode reads a http response from the given reader, returns the status code,
++// the bytes read from the reader, and any error encountered
++func getResponseCode(r io.Reader) (int, []byte, error) {
++	rawResponse := bytes.NewBuffer(make([]byte, 0, 256))
++	// Save the bytes read while reading the response headers into the rawResponse buffer
++	resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil)
++	if err != nil {
++		return 0, nil, err
++	}
++	// return the http status code and the raw bytes consumed from the reader in the process
++	return resp.StatusCode, rawResponse.Bytes(), nil
++}
++
+ // dial dials the backend at req.URL and writes req to it.
+ func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) {
+ 	conn, err := DialURL(req.Context(), req.URL, transport)
+-- 
+2.23.0
+
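Review bot: The non-101 branch added after the hijack (`if rawResponseCode != http.StatusSwitchingProtocols`) drains the backend with a bare `io.Copy(requestHijackedConn, backendConn)` that carries no deadline, so a backend that answers with a non-upgrade status but never closes its side keeps the handler goroutine and both connections alive until the client gives up; unless a deadline is already applied to `backendConn` where it is dialed (outside this hunk), a `backendConn.SetReadDeadline(...)` ahead of the copy, or at least a comment stating that the copy ends only when the backend closes, would make the termination condition explicit. The `strings.Contains(err.Error(), "use of closed network connection")` test on the following lines matches on error text, which is fragile across Go versions; it is the upstream wording, so a backport note could record that `errors.Is(err, net.ErrClosed)` is the equivalent on toolchains that provide it. In `getResponseCode` the returned slice is every byte the `bufio.Reader` pulled through the `io.TeeReader`, which can run past the header block into the body, and the doc comment would be more precise as `// getResponseCode reads an HTTP response from r and returns its status code together with every byte consumed from r, which may extend past the headers because of bufio read-ahead`. `resp.Body` is never closed there, which looks intentional since the body is backed by the live backend connection and the caller drains or proxies it itself, and a one-line comment saying so would keep a later cleanup from adding a `Close` that could block on a stream that never ends. The enclosing `tryUpgrade` starts and ends outside the hunk, so whether the earlier write of `rawResponse` to the client precedes this branch is inferred from the context lines, not visible here.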
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index a0e0e47..b587e16 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=master;name=kuberne
            file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
            file://0001-cross-don-t-build-tests-by-default.patch \
            file://0001-fix-compiling-failure-execvp-bin-bash-Argument-list-.patch \
+           file://CVE-2018-1002105.patch \
           "
 
 DEPENDS += "rsync-native \
-- 
2.23.0


