Diffstat (limited to 'recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch')
-rw-r--r-- | recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
new file mode 100644
index 00000000..9388f18d
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8564.patch
@@ -0,0 +1,166 @@
+From b907f9e11892ddab1e71095e3d41bf76e63c3873 Mon Sep 17 00:00:00 2001
+From: Nikolaos Moraitis <nmoraiti@redhat.com>
+Date: Fri, 11 Sep 2020 11:36:27 +0200
+Subject: [PATCH] avoid potential secret leaking while reading .dockercfg
+
+There are a lot of scenarios where an invalid .dockercfg file
+will still contain secrets. This commit removes logging of the
+contents to avoid any potential leaking and manages the actual error
+by printing to the user the actual location of the invalid file.
+
+Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634]
+CVE: CVE-2020-8564
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/credentialprovider/config.go | 16 +++--
+ pkg/credentialprovider/config_test.go | 93 +++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go
+index 377383aa903..b256bd8e7f0 100644
+--- a/src/import/pkg/credentialprovider/config.go
++++ b/src/import/pkg/credentialprovider/config.go
+@@ -114,10 +114,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
+ continue
+ }
+ cfg, err := readDockerConfigFileFromBytes(contents)
+- if err == nil {
+- klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+- return cfg, nil
++ if err != nil {
++ klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
++ continue
+ }
++
++ klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
++ return cfg, nil
++
+ }
+ return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
+ }
+@@ -224,8 +228,7 @@ func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.H
+ 
+ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ if err = json.Unmarshal(contents, &cfg); err != nil {
+- klog.Errorf("while trying to parse blob %q: %v", contents, err)
+- return nil, err
++ return nil, errors.New("error occurred while trying to unmarshal json")
+ }
+ return
+ }
+@@ -233,8 +236,7 @@ func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error
+ func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+ var cfgJson DockerConfigJson
+ if err = json.Unmarshal(contents, &cfgJson); err != nil {
+- klog.Errorf("while trying to parse blob %q: %v", contents, err)
+- return nil, err
++ return nil, errors.New("error occurred while trying to unmarshal json")
+ }
+ cfg = cfgJson.Auths
+ return
+diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go
+index c310dc33dce..6974076984f 100644
+--- a/src/import/pkg/credentialprovider/config_test.go
++++ b/src/import/pkg/credentialprovider/config_test.go
+@@ -304,3 +304,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
+ }
+ }
+ }
++
++func TestReadDockerConfigFileFromBytes(t *testing.T) {
++ testCases := []struct {
++ id string
++ input []byte
++ expectedCfg DockerConfig
++ errorExpected bool
++ expectedErrorMsg string
++ }{
++ {
++ id: "valid input, no error expected",
++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}}`),
++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++ "http://foo.example.com": {
++ Username: "foo",
++ Password: "bar",
++ Email: "foo@example.com",
++ },
++ }),
++ },
++ {
++ id: "invalid input, error expected",
++ input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"`),
++ errorExpected: true,
++ expectedErrorMsg: "error occurred while trying to unmarshal json",
++ },
++ }
++
++ for _, tc := range testCases {
++ cfg, err := readDockerConfigFileFromBytes(tc.input)
++ if err != nil && !tc.errorExpected {
++ t.Fatalf("Error was not expected: %v", err)
++ }
++ if err != nil && tc.errorExpected {
++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++ }
++ } else {
++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++ }
++ }
++ }
++}
++
++func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
++ testCases := []struct {
++ id string
++ input []byte
++ expectedCfg DockerConfig
++ errorExpected bool
++ expectedErrorMsg string
++ }{
++ {
++ id: "valid input, no error expected",
++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}}`),
++ expectedCfg: DockerConfig(map[string]DockerConfigEntry{
++ "http://foo.example.com": {
++ Username: "foo",
++ Password: "bar",
++ Email: "foo@example.com",
++ },
++ "http://bar.example.com": {
++ Username: "bar",
++ Password: "baz",
++ Email: "bar@example.com",
++ },
++ }),
++ },
++ {
++ id: "invalid input, error expected",
++ input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"`),
++ errorExpected: true,
++ expectedErrorMsg: "error occurred while trying to unmarshal json",
++ },
++ }
++
++ for _, tc := range testCases {
++ cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
++ if err != nil && !tc.errorExpected {
++ t.Fatalf("Error was not expected: %v", err)
++ }
++ if err != nil && tc.errorExpected {
++ if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
++ t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
++ }
++ } else {
++ if !reflect.DeepEqual(cfg, tc.expectedCfg) {
++ t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
++ }
++ }
++ }
++}
+-- 
+2.25.1
+
|
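Review bot: The new test TestReadDockerConfigJSONFileFromBytes calls `readDockerConfigJSONFileFromBytes(tc.input)`, but the config.go hunk in the same patch shows the backport target still spells the function `readDockerConfigJsonFileFromBytes` (with `cfgJson DockerConfigJson`), so config_test.go will not compile for this package; the call should be `cfg, err := readDockerConfigJsonFileFromBytes(tc.input)` or the upstream rename carried along with the backport. A plain `go build` will not surface this because _test.go files are excluded, so it is worth running `go test ./pkg/credentialprovider/...` against the patched tree once. The config.go hunks also introduce `errors.New` without an import hunk, which only works if the target's config.go already imports `errors` — presumably it does, given the hunk offsets, but confirm. Both tests pin the sanitized message via `reflect.DeepEqual(err.Error(), tc.expectedErrorMsg)`; a package-level sentinel such as `var errInvalidDockerConfig = errors.New("error occurred while trying to unmarshal json")` checked with `errors.Is` would make the "never echo the blob" contract explicit rather than string-matched.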