
fix CVE-2019-11244: `kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files #77874

Merged: 1 commit merged into kubernetes:master from yuchengwu:fix-CVE-2019-11244 on May 16, 2019

Conversation

@yuchengwu (Contributor) commented May 14, 2019

What type of PR is this?

/kind bug

What this PR does / why we need it:

In kubectl v1.8.0+, schema info is cached in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-).

If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

CVSS score: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N (3.3, low)

Which issue(s) this PR fixes:

Fixes #76676

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

client-go and kubectl no longer write cached discovery files with world-accessible file permissions
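As an added illustration, not the PR's own diff: the permissive write the description reports (a 0666 file dropped into a shared cache dir) next to a hardened variant that writes the entry owner-only via temp file plus rename, and an audit helper a defender can run over an existing cache. Go because client-go is Go; the function names and the 0750/0600 modes are assumptions for this example, not taken from the patch.

```go
package main

import (
	"os"
	"path/filepath"
)

// worldAccessible reports whether a mode grants "other" users any access.
func worldAccessible(mode os.FileMode) bool { return mode.Perm()&0o007 != 0 }

// writeCacheInsecure requests the 0666 mode the PR describes into an existing
// cache dir; the umask still applies, so with umask 0 it lands as rw-rw-rw-.
func writeCacheInsecure(cacheDir, name string, data []byte) (string, error) {
	path := filepath.Join(cacheDir, name)
	return path, os.WriteFile(path, data, 0o666)
}

// writeCacheSecure requests owner-only modes (0750 dir, 0600 file) and writes
// via temp file + rename, so the final path is never half-written or looser.
func writeCacheSecure(cacheDir, name string, data []byte) (string, error) {
	if err := os.MkdirAll(cacheDir, 0o750); err != nil {
		return "", err
	}
	tmp, err := os.CreateTemp(cacheDir, name+".tmp-*") // created with mode 0600
	if err != nil {
		return "", err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return "", err
	}
	if err := tmp.Close(); err != nil {
		return "", err
	}
	path := filepath.Join(cacheDir, name)
	return path, os.Rename(tmp.Name(), path)
}

// auditCache returns paths under cacheDir whose mode grants "other" users access.
func auditCache(cacheDir string) ([]string, error) {
	var findings []string
	err := filepath.Walk(cacheDir, func(p string, info os.FileInfo, err error) error {
		if err == nil && worldAccessible(info.Mode()) {
			findings = append(findings, p)
		}
		return err
	})
	return findings, err
}
```

The on-disk mode of the insecure entry depends on the process umask, which is why the requested mode, not the observed one, is the defect to fix.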

@k8s-ci-robot (Contributor) commented May 14, 2019

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot (Contributor) commented May 14, 2019

Hi @yuchengwu. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Commit: fix CVE-2019-11244: `kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files

@yuchengwu yuchengwu force-pushed the yuchengwu:fix-CVE-2019-11244 branch from bcc913e to f228ae3 May 14, 2019

@yuchengwu (Contributor, Author) commented May 14, 2019

/ok-to-test

@k8s-ci-robot (Contributor) commented May 14, 2019

@yuchengwu: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yuchengwu (Contributor, Author) commented May 14, 2019

/assign @liggitt

@BenTheElder (Member) commented May 14, 2019

/ok-to-test

@neolit123 (Member) commented May 14, 2019

/kind bug
/priority important-longterm

@liggitt (Member) commented May 15, 2019

/test pull-kubernetes-bazel-build
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label May 15, 2019

@k8s-ci-robot (Contributor) commented May 15, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, yuchengwu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@neolit123 (Member) commented May 15, 2019

/retest

@k8s-ci-robot k8s-ci-robot merged commit 730bc96 into kubernetes:master May 16, 2019

20 checks passed:

cla/linuxfoundation: yuchengwu authorized
pull-kubernetes-bazel-build: Job succeeded
pull-kubernetes-bazel-test: Job succeeded
pull-kubernetes-conformance-image-test: Skipped
pull-kubernetes-cross: Skipped
pull-kubernetes-dependencies: Job succeeded
pull-kubernetes-e2e-gce: Job succeeded
pull-kubernetes-e2e-gce-100-performance: Job succeeded
pull-kubernetes-e2e-gce-csi-serial: Skipped
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded
pull-kubernetes-e2e-gce-storage-slow: Skipped
pull-kubernetes-godeps: Skipped
pull-kubernetes-integration: Job succeeded
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-node-e2e: Job succeeded
pull-kubernetes-typecheck: Job succeeded
pull-kubernetes-verify: Job succeeded
pull-publishing-bot-validate: Skipped
tide: In merge pool

@yuchengwu yuchengwu deleted the yuchengwu:fix-CVE-2019-11244 branch May 17, 2019

k8s-ci-robot added a commit that referenced this pull request May 17, 2019:
Merge pull request #78032 from yuchengwu/automated-cherry-pick-of-#77874-github-release-1.12
Automated cherry pick of #77874: fix CVE-2019-11244: `kubectl --http-cache=<world-accessible

k8s-ci-robot added a commit that referenced this pull request May 21, 2019:
Merge pull request #78027 from yuchengwu/automated-cherry-pick-of-#77874-github-release-1.14
Automated cherry pick of #77874: fix CVE-2019-11244: `kubectl --http-cache=<world-accessible

k8s-ci-robot added a commit that referenced this pull request May 21, 2019:
Merge pull request #78028 from yuchengwu/automated-cherry-pick-of-#77874-github-release-1.13
Automated cherry pick of #77874: fix CVE-2019-11244: `kubectl --http-cache=<world-accessible

nikhita pushed a commit to nikhita/kubernetes that referenced this pull request Jun 13, 2019:
Merge pull request kubernetes#77874 from yuchengwu/fix-CVE-2019-11244
fix CVE-2019-11244: `kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files

Kubernetes-commit: 730bc96