
run hack/update-netparse-cve.sh #261

Merged
merged 1 commit into from Aug 26, 2021

Conversation

nckturner
Contributor

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Since golang 1.17, golang/go#30999, "In both net.ParseIP and net.ParseCIDR reject leading zeros in the dot-decimal notation of IPv4 addresses."

This can cause previously valid data to become invalid, so we should guarantee that this doesn't happen.

In addition, since this change in the golang stdlib has an associated security CVE-2021-29923, we should check:

While you triage those callsites, it would be good to also check if they are affected by the kind of issues that are motivating the change: if you are validating the inputs with Go and then passing the inputs to the OS or to non-Go applications, the two might disagree on the inputs validity or meaning. This can cause issues, which we would love to hear about at security@golang.org or on the issue, to assess the security risk.

Which issue(s) this PR fixes:
Fixes #260

Special notes for your reviewer:

Cherry pick kubernetes/kubernetes#104368

Does this PR introduce a user-facing change?:

Since golang 1.17 both net.ParseIP and net.ParseCIDR reject leading zeros in the dot-decimal notation of IPv4 addresses.
Kubernetes will keep allowing leading zeros on IPv4 addresses to not break compatibility.
IMPORTANT: Kubernetes interprets leading zeros on IPv4 addresses as decimal; users must not rely on parser alignment to avoid being impacted by the associated security advisory:
CVE-2021-29923 golang standard library "net" - Improper Input Validation of octal literals in golang 1.16.2 and below standard library "net" results in indeterminate SSRF & RFI vulnerabilities.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-29923
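Added example (not the Kubernetes utility code nor the cherry-picked change) of the two readings the description contrasts: a lenient Go parser that treats leading zeros as decimal on any Go version, beside a C-style octal reading as inet_aton would do it, plus a check for whether the two name the same host. Function names and sample inputs are assumptions.

```go
package main

import (
	"net"
	"strconv"
	"strings"
)

// ParseIPLenient accepts leading zeros in IPv4 octets and reads them as decimal on
// any Go version ("010.0.0.1" is 10.0.0.1). Pass the canonical result downstream, not the raw string.
func ParseIPLenient(s string) net.IP {
	parts := strings.Split(s, ".")
	if len(parts) == 4 {
		for i, p := range parts {
			if p == "" || strings.Trim(p, "0123456789") != "" {
				return net.ParseIP(s) // not plain dotted-decimal: let the stdlib decide
			}
			if parts[i] = strings.TrimLeft(p, "0"); parts[i] == "" {
				parts[i] = "0"
			}
		}
		s = strings.Join(parts, ".")
	}
	return net.ParseIP(s)
}

// OctalReading parses the same string the way a C-style parser such as inet_aton does,
// where a leading 0 selects octal ("010.0.0.1" becomes 8.0.0.1); ok is false if an octet fails.
func OctalReading(s string) (ip net.IP, ok bool) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, false
	}
	ip = make(net.IP, 4)
	for i, p := range parts {
		v, err := strconv.ParseUint(p, 0, 8) // base 0: a leading "0" means octal, max 255
		if err != nil {
			return nil, false
		}
		ip[i] = byte(v)
	}
	return ip, true
}

// ParsersAgree is true when the Go reading and the C-style reading name the same host.
func ParsersAgree(s string) bool {
	o, ok := OctalReading(s)
	return ok && o.Equal(ParseIPLenient(s))
}
```

An input for which ParsersAgree is false is one where validating in Go and handing the raw string to the OS or a non-Go consumer can diverge; normalising first (as ParseIPLenient does) removes that gap.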

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 26, 2021
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2021
@wongma7
Contributor

wongma7 commented Aug 26, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nckturner, wongma7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 4ed7c2e into kubernetes:master Aug 26, 2021