From c3f302751356209a116872c50a7a1ccfa4f96665 Mon Sep 17 00:00:00 2001
From: yujingbo <yujingbo@kylinos.cn>
Date: Thu, 28 Aug 2025 19:53:24 +0800
Subject: [PATCH] fix CVE-2025-5187

---
 0022-fix-CVE-2025-5187.patch | 88 ++++++++++++++++++++++++++++++++++++
 kubernetes.spec              |  9 +++-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 0022-fix-CVE-2025-5187.patch

diff --git a/0022-fix-CVE-2025-5187.patch b/0022-fix-CVE-2025-5187.patch
new file mode 100644
index 0000000..dc5acd6
--- /dev/null
+++ b/0022-fix-CVE-2025-5187.patch
@@ -0,0 +1,88 @@
+From 152330ef541b23a027c779597496b62c287fb363 Mon Sep 17 00:00:00 2001
+From: Sergey Kanzhelev <S.Kanzhelev@live.com>
+Date: Thu, 22 May 2025 17:54:10 +0000
+Subject: [PATCH] do not allow the node to update it's owner reference
+
+---
+ .../admission/noderestriction/admission.go    |  5 +++
+ .../noderestriction/admission_test.go         | 36 +++++++++++++++----
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
+index 6989a72ff18..07a034ae146 100644
+--- a/plugin/pkg/admission/noderestriction/admission.go
++++ b/plugin/pkg/admission/noderestriction/admission.go
+@@ -461,6 +461,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
+ 			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
+ 		}
+ 
++		// Don't allow a node to update its own ownerReferences.
++		if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
++			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
++		}
++
+ 		// Don't allow a node to update labels outside the allowed set.
+ 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
+ 		modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
+diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
+index 412634d685b..b8a5ddd48a7 100644
+--- a/plugin/pkg/admission/noderestriction/admission_test.go
++++ b/plugin/pkg/admission/noderestriction/admission_test.go
+@@ -236,10 +236,14 @@ func (a *admitTestCase) run(t *testing.T) {
+ 
+ func Test_nodePlugin_Admit(t *testing.T) {
+ 	var (
+-		mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+-		bob    = &user.DefaultInfo{Name: "bob"}
++		trueRef = true
++		mynode  = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
++		bob     = &user.DefaultInfo{Name: "bob"}
++
++		mynodeObjMeta          = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
++		mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
++		mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
+ 
+-		mynodeObjMeta    = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+ 		mynodeObj        = &api.Node{ObjectMeta: mynodeObjMeta}
+ 		mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
+ 			ConfigMap: &api.ConfigMapNodeConfigSource{
+@@ -256,9 +260,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 				KubeletConfigKey: "kubelet",
+ 			}}}}
+ 
+-		mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+-		mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+-		othernodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
++		mynodeObjTaintA    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
++		mynodeObjTaintB    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
++		mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
++		mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
++		othernodeObj       = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+ 
+ 		coremymirrorpod, v1mymirrorpod           = makeTestPod("ns", "mymirrorpod", "mynode", true)
+ 		coreothermirrorpod, v1othermirrorpod     = makeTestPod("ns", "othermirrorpod", "othernode", true)
+@@ -1030,6 +1036,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 			attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+ 			err:        `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
+ 		},
++		{
++			name:       "forbid update of my node: add owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: remove owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: change owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
+ 
+ 		// Other node object
+ 		{
diff --git a/kubernetes.spec b/kubernetes.spec
index e097591..46ec96b 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -3,7 +3,7 @@
 
 Name:         kubernetes
 Version:      1.20.2
-Release:      26
+Release:      27
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@@ -45,6 +45,7 @@ Patch6017: 0018-backport-reduce-configmap-and-secret-watch-of-kubelet.patch
 Patch6018: 0019-backport-Don-t-prematurely-close-reflectors-in-case-of-slow-i.patch
 Patch6019: 0020-backport-Fix-cpu-share-issues-on-systems-with-large-amounts-o.patch
 Patch6020: 0021-gitRepo-volume-directory-must-be-max-1-level-deep.patch
+Patch6021: 0022-fix-CVE-2025-5187.patch
 
 %description
 Container cluster management.
@@ -276,6 +277,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Thu Aug 28 2025 yujingbo <yujingbo@kylinos.cn> - 1.20.2-27
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2025-5187
+
 * Thu Dec 05 2024 liuxu <liuxu156@huawei.com> - 1.20.2-26
 - Type:bugfix
 - CVE:NA
-- 
Gitee