Browse code
kubernetes: Fix CVE-2018-1002105
Change-Id: I4be1227a6bc73f82c4b78f3e310b5115f3830be4
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6407
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
ashwin-h authored on 2018/12/21 05:16:34Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,75 @@ |
| 0 |
+commit 0535bcef95a33855f0a722c8cd822c663fc6275e |
|
| 1 |
+Author: Jordan Liggitt <liggitt@google.com> |
|
| 2 |
+Date: Mon Nov 5 23:50:35 2018 -0500 |
|
| 3 |
+ |
|
| 4 |
+ Verify backend upgraded connection |
|
| 5 |
+ |
|
| 6 |
+diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go |
|
| 7 |
+index 2bc1965..01d6b85 100644 |
|
| 8 |
+--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go |
|
| 9 |
+@@ -17,6 +17,7 @@ limitations under the License. |
|
| 10 |
+ package proxy |
|
| 11 |
+ |
|
| 12 |
+ import ( |
|
| 13 |
++ "bufio" |
|
| 14 |
+ "bytes" |
|
| 15 |
+ "context" |
|
| 16 |
+ "fmt" |
|
| 17 |
+@@ -270,6 +271,18 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques |
|
| 18 |
+ } |
|
| 19 |
+ defer backendConn.Close() |
|
| 20 |
+ |
|
| 21 |
++ // determine the http response code from the backend by reading from rawResponse+backendConn |
|
| 22 |
++ rawResponseCode, headerBytes, err := getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn)) |
|
| 23 |
++ if err != nil {
|
|
| 24 |
++ glog.V(6).Infof("Proxy connection error: %v", err)
|
|
| 25 |
++ h.Responder.Error(w, req, err) |
|
| 26 |
++ return true |
|
| 27 |
++ } |
|
| 28 |
++ if len(headerBytes) > len(rawResponse) {
|
|
| 29 |
++ // we read beyond the bytes stored in rawResponse, update rawResponse to the full set of bytes read from the backend |
|
| 30 |
++ rawResponse = headerBytes |
|
| 31 |
++ } |
|
| 32 |
++ |
|
| 33 |
+ // Once the connection is hijacked, the ErrorResponder will no longer work, so |
|
| 34 |
+ // hijacking should be the last step in the upgrade. |
|
| 35 |
+ requestHijacker, ok := w.(http.Hijacker) |
|
| 36 |
+@@ -294,6 +307,17 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques |
|
| 37 |
+ } |
|
| 38 |
+ } |
|
| 39 |
+ |
|
| 40 |
++ if rawResponseCode != http.StatusSwitchingProtocols {
|
|
| 41 |
++ // If the backend did not upgrade the request, finish echoing the response from the backend to the client and return, closing the connection. |
|
| 42 |
++ glog.V(6).Infof("Proxy upgrade error, status code %d", rawResponseCode)
|
|
| 43 |
++ _, err := io.Copy(requestHijackedConn, backendConn) |
|
| 44 |
++ if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
|
|
| 45 |
++ glog.Errorf("Error proxying data from backend to client: %v", err)
|
|
| 46 |
++ } |
|
| 47 |
++ // Indicate we handled the request |
|
| 48 |
++ return true |
|
| 49 |
++ } |
|
| 50 |
++ |
|
| 51 |
+ // Proxy the connection. |
|
| 52 |
+ wg := &sync.WaitGroup{}
|
|
| 53 |
+ wg.Add(2) |
|
| 54 |
+@@ -345,6 +369,19 @@ func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error |
|
| 55 |
+ return dial(updatedReq, h.UpgradeTransport) |
|
| 56 |
+ } |
|
| 57 |
+ |
|
| 58 |
++// getResponseCode reads a http response from the given reader, returns the status code, |
|
| 59 |
++// the bytes read from the reader, and any error encountered |
|
| 60 |
++func getResponseCode(r io.Reader) (int, []byte, error) {
|
|
| 61 |
++ rawResponse := bytes.NewBuffer(make([]byte, 0, 256)) |
|
| 62 |
++ // Save the bytes read while reading the response headers into the rawResponse buffer |
|
| 63 |
++ resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil) |
|
| 64 |
++ if err != nil {
|
|
| 65 |
++ return 0, nil, err |
|
| 66 |
++ } |
|
| 67 |
++ // return the http status code and the raw bytes consumed from the reader in the process |
|
| 68 |
++ return resp.StatusCode, rawResponse.Bytes(), nil |
|
| 69 |
++} |
|
| 70 |
++ |
|
| 71 |
+ // dial dials the backend at req.URL and writes req to it. |
|
| 72 |
+ func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) {
|
|
| 73 |
+ conn, err := DialURL(req.URL, transport) |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Kubernetes cluster management |
| 2 | 2 |
Name: kubernetes |
| 3 | 3 |
Version: 1.9.6 |
| 4 |
-Release: 1%{?dist}
|
|
| 4 |
+Release: 2%{?dist}
|
|
| 5 | 5 |
License: ASL 2.0 |
| 6 | 6 |
URL: https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
|
| 7 | 7 |
Source0: kubernetes-v%{version}.tar.gz
|
| ... | ... |
@@ -9,6 +9,7 @@ Source0: kubernetes-v%{version}.tar.gz
|
| 9 | 9 |
Source1: https://github.com/kubernetes/contrib/archive/contrib-0.7.0.tar.gz |
| 10 | 10 |
%define sha1 contrib-0.7.0=47a744da3b396f07114e518226b6313ef4b2203c |
| 11 | 11 |
Patch0: k8s-cascade.patch |
| 12 |
+Patch1: CVE-2018-1002105.patch |
|
| 12 | 13 |
Group: Development/Tools |
| 13 | 14 |
Vendor: VMware, Inc. |
| 14 | 15 |
Distribution: Photon |
| ... | ... |
@@ -49,6 +50,7 @@ tar xf %{SOURCE1} --no-same-owner
|
| 49 | 49 |
sed -i -e 's|127.0.0.1:4001|127.0.0.1:2379|g' contrib-0.7.0/init/systemd/environ/apiserver |
| 50 | 50 |
cd %{name}-%{version}
|
| 51 | 51 |
%patch0 -p1 |
| 52 |
+%patch1 -p1 |
|
| 52 | 53 |
|
| 53 | 54 |
%build |
| 54 | 55 |
make |
| ... | ... |
@@ -186,6 +188,8 @@ fi |
| 186 | 186 |
%{_bindir}/pause-amd64
|
| 187 | 187 |
|
| 188 | 188 |
%changelog |
| 189 |
+* Thu Dec 20 2018 Ashwin H <ashwinh@vmware.com> 1.9.6-2 |
|
| 190 |
+- Fix CVE-2018-1002105 |
|
| 189 | 191 |
* Fri May 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 1.9.6-1 |
| 190 | 192 |
- k8s v1.9.6 and Cascade Cloud Provider patch |
| 191 | 193 |
* Tue Jan 30 2018 Ashok Chandrasekar <ashokc@vmware.com> 1.8.1-5 |