From f01959461f3edab5ad285b6fae16ef71ea4009aa Mon Sep 17 00:00:00 2001
From: haomintsai
Date: Sat, 4 Dec 2021 09:54:09 +0000
Subject: [PATCH] Fix CVE -2021-25741
---
 0005-fix-CVE-2021-25741.patch | 167 +++++++++++++++++++++++++++++++++
 kubernetes.spec | 6 +-
 2 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 0005-fix-CVE-2021-25741.patch
diff --git a/0005-fix-CVE-2021-25741.patch b/0005-fix-CVE-2021-25741.patch
new file mode 100644
index 0000000..d3f7d07
--- /dev/null
+++ b/0005-fix-CVE-2021-25741.patch
@@ -0,0 +1,167 @@
+From e604f40bcc61048b69654a4f4daa593f6adf7ade Mon Sep 17 00:00:00 2001
+From: Mauricio Poppe
+Date: Thu, 5 Aug 2021 22:31:38 +0000
+Subject: [PATCH] Pass additional flags to subpath mount to avoid flakes in
+ certain conditions
+
+(cherry picked from commit 8995693db5824a50249760f6b8e686cc1a500bad)
+Signed-off-by: caihaomin
+---
+ pkg/volume/util/subpath/subpath_linux.go | 3 ++-
+ staging/src/k8s.io/mount-utils/fake_mounter.go | 4 ++++
+ staging/src/k8s.io/mount-utils/mount.go | 2 ++
+ staging/src/k8s.io/mount-utils/mount_linux.go | 31 ++++++++++++++++---------
+ staging/src/k8s.io/mount-utils/mount_windows.go | 6 +++++
+ 5 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/pkg/volume/util/subpath/subpath_linux.go b/pkg/volume/util/subpath/subpath_linux.go
+index c04f0a7..0588f3a 100644
+--- a/pkg/volume/util/subpath/subpath_linux.go
++++ b/pkg/volume/util/subpath/subpath_linux.go
+@@ -209,8 +209,9 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e
+
+ // Do the bind mount
+ options := []string{"bind"}
++ mountFlags := []string{"--no-canonicalize"}
+ klog.V(5).Infof("bind mounting %q at %q", mountSource, bindPathTarget)
+- if err = mounter.MountSensitiveWithoutSystemd(mountSource, bindPathTarget, "" /*fstype*/, options, nil); err != nil {
++ if err = mounter.MountSensitiveWithoutSystemdWithMountFlags(mountSource, bindPathTarget, "" /*fstype*/, options, nil /* sensitiveOptions */, mountFlags); err != nil {
+ return "", fmt.Errorf("error mounting %s: %s", subpath.Path, err)
+ }
+ success = true
+diff --git a/staging/src/k8s.io/mount-utils/fake_mounter.go b/staging/src/k8s.io/mount-utils/fake_mounter.go
+index 393ed04..55ea5e2 100644
+--- a/staging/src/k8s.io/mount-utils/fake_mounter.go
++++ b/staging/src/k8s.io/mount-utils/fake_mounter.go
+@@ -136,6 +136,10 @@ func (f *FakeMounter) MountSensitiveWithoutSystemd(source string, target string,
+ return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+ }
+
++func (f *FakeMounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
++ return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
++}
++
+ // Unmount records the unmount event and updates the in-memory mount points for FakeMounter
+ func (f *FakeMounter) Unmount(target string) error {
+ f.mutex.Lock()
+diff --git a/staging/src/k8s.io/mount-utils/mount.go b/staging/src/k8s.io/mount-utils/mount.go
+index c78cf13..9e2d5d9 100644
+--- a/staging/src/k8s.io/mount-utils/mount.go
++++ b/staging/src/k8s.io/mount-utils/mount.go
+@@ -48,6 +48,8 @@ type Interface interface {
+ MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error
+ // MountSensitiveWithoutSystemd is the same as MountSensitive() but this method disable using systemd mount.
+ MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error
++ // MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd() with additional mount flags
++ MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error
+ // Unmount unmounts given target.
+ Unmount(target string) error
+ // List returns a list of all mounted filesystems. This can be large.
+diff --git a/staging/src/k8s.io/mount-utils/mount_linux.go b/staging/src/k8s.io/mount-utils/mount_linux.go
+index 20993cf..e9daa56 100644
+--- a/staging/src/k8s.io/mount-utils/mount_linux.go
++++ b/staging/src/k8s.io/mount-utils/mount_linux.go
+@@ -83,11 +83,11 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
+ mounterPath := ""
+ bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
+ if bind {
+- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, true)
++ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
+ if err != nil {
+ return err
+ }
+- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, true)
++ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
+ }
+ // The list of filesystems that require containerized mounter on GCI image cluster
+ fsTypesNeedMounter := map[string]struct{}{
+@@ -99,19 +99,24 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
+ if _, ok := fsTypesNeedMounter[fstype]; ok {
+ mounterPath = mounter.mounterPath
+ }
+- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, true)
++ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, nil /* mountFlags */, true)
+ }
+
+ // MountSensitiveWithoutSystemd is the same as MountSensitive() but disable using systemd mount.
+ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
++ return mounter.MountSensitiveWithoutSystemdWithMountFlags(source, target, fstype, options, sensitiveOptions, nil /* mountFlags */)
++}
++
++// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
++func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ mounterPath := ""
+ bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
+ if bind {
+- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, false)
++ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, mountFlags, false)
+ if err != nil {
+ return err
+ }
+- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, false)
++ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, mountFlags, false)
+ }
+ // The list of filesystems that require containerized mounter on GCI image cluster
+ fsTypesNeedMounter := map[string]struct{}{
+@@ -123,14 +128,14 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+ if _, ok := fsTypesNeedMounter[fstype]; ok {
+ mounterPath = mounter.mounterPath
+ }
+- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, false)
++ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
+ }
+
+ // doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
+ // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
+ // systemdMountRequired is an extension of option to decide whether uses systemd mount.
+-func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, systemdMountRequired bool) error {
+- mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions)
++func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string, systemdMountRequired bool) error {
++ mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions, mountFlags)
+ if len(mounterPath) > 0 {
+ mountArgs = append([]string{mountCmd}, mountArgs...)
+ mountArgsLogStr = mountCmd + " " + mountArgsLogStr
+@@ -206,17 +211,21 @@ func detectSystemd() bool {
+ // MakeMountArgs makes the arguments to the mount(8) command.
+ // options MUST not contain sensitive material (like passwords).
+ func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
+- mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
++ mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */, nil /* mountFlags */)
+ return mountArgs
+ }
+
+ // MakeMountArgsSensitive makes the arguments to the mount(8) command.
+ // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
+-func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string) (mountArgs []string, mountArgsLogStr string) {
++func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string, mountFlags []string) (mountArgs []string, mountArgsLogStr string) {
+ // Build mount command as follows:
+- // mount [-t $fstype] [-o $options] [$source] $target
++ // mount [--$mountFlags] [-t $fstype] [-o $options] [$source] $target
+ mountArgs = []string{}
+ mountArgsLogStr = ""
++
++ mountArgs = append(mountArgs, mountFlags...)
++ mountArgsLogStr += strings.Join(mountFlags, " ")
++
+ if len(fstype) > 0 {
+ mountArgs = append(mountArgs, "-t", fstype)
+ mountArgsLogStr += strings.Join(mountArgs, " ")
+diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go
+index 358bcf5..92b42ca 100644
+--- a/staging/src/k8s.io/mount-utils/mount_windows.go
++++ b/staging/src/k8s.io/mount-utils/mount_windows.go
+@@ -64,6 +64,12 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+ return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
+ }
+
++// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags
++// Windows not supported systemd mount, this function degrades to MountSensitive().
++func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
++ return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
++}
++
+ // MountSensitive is the same as Mount() but this method allows
+ // sensitiveOptions to be passed in a separate parameter from the normal
+ // mount options and ensures the sensitiveOptions are never logged. This
+--
+1.8.3.1
diff --git a/kubernetes.spec b/kubernetes.spec
index aeb9be2..96f278f 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -3,7 +3,7 @@ Name: kubernetes
 Version: 1.20.2
-Release: 5
+Release: 6
 Summary: Container cluster management
 License: ASL 2.0
 URL: https://k8s.io/kubernetes
@@ -28,6 +28,7 @@ Patch6000: 0001-kubelet-support-exec-websocket-protocol.patch
 Patch6001: 0002-fix-compile-options.patch
 Patch6002: 0003-fix-CVE-2021-25735.patch
 Patch6003: 0004-fix-CVE-2021-25737.patch
+Patch6004: 0005-fix-CVE-2021-25741.patch
 %description
 Container cluster management.
@@ -259,6 +260,9 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 %changelog
+* Fri Dec 04 2021 caihaomin - 1.20.2-6
+- DESC: fix CVE-2021-25741
+
 * Fri Sep 24 2021 leizhongkai - 1.20.2-5
 - DESC: fix CVE-2021-25735 and CVE-2021-25737
-- Gitee
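Review bot: The test double `FakeMounter.MountSensitiveWithoutSystemdWithMountFlags` in the fake_mounter.go hunk discards `mountFlags` (and, like the method above it, still passes `nil` for `sensitiveOptions`), so nothing in the fake records that `doBindSubPath` requested `--no-canonicalize`, which is the one argument this backport adds for the security fix; a unit test against the fake cannot tell the patched and unpatched subpath code apart. Consider having the fake keep the flags alongside whatever `MountSensitive` already records (the struct fields are outside the hunk), so a test can assert the subpath bind mount carried the flag. In `MakeMountArgsSensitive`, the new `mountArgsLogStr += strings.Join(mountFlags, " ")` followed by the existing `mountArgsLogStr += strings.Join(mountArgs, " ")` in the `len(fstype) > 0` branch writes the flags into the log string twice, because `mountArgs` now starts with them; changing the second line to `mountArgsLogStr = strings.Join(mountArgs, " ")` logs them once and is identical to the old output when `mountFlags` is empty. The remainder of `MakeMountArgsSensitive` lies outside the hunk, so how the later options, source and target are appended to the log string cannot be checked here. The inner patch's subject and body never mention the CVE that the spec changelog names, so a one-line note in the outer commit description tying the `--no-canonicalize` change to that fix would help anyone auditing the backport later.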