From f9400c0ac0703a1cc6047e6679f16eba8544e608 Mon Sep 17 00:00:00 2001
From: yujingbo <yujingbo@kylinos.cn>
Date: Thu, 28 Aug 2025 20:14:45 +0800
Subject: [PATCH] fix CVE-2025-5187

(cherry picked from commit af26103ae3d98d7ba39bb7702f696551836af546)
---
 0009-fix-CVE-2025-5187.patch | 88 ++++++++++++++++++++++++++++++++++++
 kubernetes.spec              | 10 +++-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 0009-fix-CVE-2025-5187.patch

diff --git a/0009-fix-CVE-2025-5187.patch b/0009-fix-CVE-2025-5187.patch
new file mode 100644
index 0000000..dc5acd6
--- /dev/null
+++ b/0009-fix-CVE-2025-5187.patch
@@ -0,0 +1,88 @@
+From 152330ef541b23a027c779597496b62c287fb363 Mon Sep 17 00:00:00 2001
+From: Sergey Kanzhelev <S.Kanzhelev@live.com>
+Date: Thu, 22 May 2025 17:54:10 +0000
+Subject: [PATCH] do not allow the node to update it's owner reference
+
+---
+ .../admission/noderestriction/admission.go    |  5 +++
+ .../noderestriction/admission_test.go         | 36 +++++++++++++++----
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
+index 6989a72ff18..07a034ae146 100644
+--- a/plugin/pkg/admission/noderestriction/admission.go
++++ b/plugin/pkg/admission/noderestriction/admission.go
+@@ -461,6 +461,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
+ 			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
+ 		}
+ 
++		// Don't allow a node to update its own ownerReferences.
++		if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
++			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
++		}
++
+ 		// Don't allow a node to update labels outside the allowed set.
+ 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
+ 		modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
+diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
+index 412634d685b..b8a5ddd48a7 100644
+--- a/plugin/pkg/admission/noderestriction/admission_test.go
++++ b/plugin/pkg/admission/noderestriction/admission_test.go
+@@ -236,10 +236,14 @@ func (a *admitTestCase) run(t *testing.T) {
+ 
+ func Test_nodePlugin_Admit(t *testing.T) {
+ 	var (
+-		mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+-		bob    = &user.DefaultInfo{Name: "bob"}
++		trueRef = true
++		mynode  = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
++		bob     = &user.DefaultInfo{Name: "bob"}
++
++		mynodeObjMeta          = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
++		mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
++		mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
+ 
+-		mynodeObjMeta    = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+ 		mynodeObj        = &api.Node{ObjectMeta: mynodeObjMeta}
+ 		mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
+ 			ConfigMap: &api.ConfigMapNodeConfigSource{
+@@ -256,9 +260,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 				KubeletConfigKey: "kubelet",
+ 			}}}}
+ 
+-		mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+-		mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+-		othernodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
++		mynodeObjTaintA    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
++		mynodeObjTaintB    = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
++		mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
++		mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
++		othernodeObj       = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+ 
+ 		coremymirrorpod, v1mymirrorpod           = makeTestPod("ns", "mymirrorpod", "mynode", true)
+ 		coreothermirrorpod, v1othermirrorpod     = makeTestPod("ns", "othermirrorpod", "othernode", true)
+@@ -1030,6 +1036,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 			attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+ 			err:        `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
+ 		},
++		{
++			name:       "forbid update of my node: add owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: remove owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
++		{
++			name:       "forbid update of my node: change owner reference",
++			podsGetter: existingPods,
++			attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
++			err:        "node \"mynode\" is not allowed to modify ownerReferences",
++		},
+ 
+ 		// Other node object
+ 		{
diff --git a/kubernetes.spec b/kubernetes.spec
index 1f9a636..3dea5f0 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -3,7 +3,7 @@
 
 Name:         kubernetes
 Version:      1.29.1
-Release:      12
+Release:      13
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@@ -32,6 +32,7 @@ Patch0005: 0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-syste
 Patch0006: 0006-adapt-go-version.patch
 Patch0007: 0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch
 Patch0008: 0008-Kubelet-server-handler-cleanup.patch
+Patch0009: 0009-fix-CVE-2025-5187.patch
 
 Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch
 Patch1001: 1001-Add-loong64-host-build-support.patch 
@@ -104,6 +105,7 @@ Help documents for kubernetes.
 %patch 0006 -p1
 %patch 0007 -p1
 %patch 0008 -p1
+%patch 0009 -p1
 
 %ifarch riscv64
 %patch 1000 -p1
@@ -290,6 +292,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Thu Aug 28 2025 yujingbo <yujingbo@kylinos.cn> - 1.29.1-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2025-5187
+
 * Tue Aug 05 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.29.1-12
 - Type:bugfix
 - CVE:NA
-- 
Gitee