From aca522d88982b74d0a2bdb1878103d7cf1cc8481 Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Fri, 10 Jan 2025 01:28:39 +0530 Subject: [PATCH] cert-manager: address CVE-2024-45337 (#11817) Signed-off-by: Muhammad Falak R Wani Co-authored-by: jslobodzian --- SPECS/cert-manager/CVE-2024-45337.patch | 80 +++++++++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 8 ++- 2 files changed, 86 insertions(+), 2 deletions(-) create mode 100644 SPECS/cert-manager/CVE-2024-45337.patch diff --git a/SPECS/cert-manager/CVE-2024-45337.patch b/SPECS/cert-manager/CVE-2024-45337.patch new file mode 100644 index 00000000000..41cdea3ce45 --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-45337.patch @@ -0,0 +1,80 @@ +From 784057d777784f1737dbf5d660f32bf2577add4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +Signed-off-by: Muhammad Falak R Wani +--- + .../vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go b/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go +index 3ca9e89..a8b673c 100644 +--- a/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go ++++ b/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go +@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -157,7 +157,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the +-- +2.34.1 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 777e932403a..8f783d19989 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.12.13 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz # 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version} Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-45337.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -57,7 +58,7 @@ Summary: cert-manager's webhook binary Webhook component providing API validation, mutation and conversion functionality for cert-manager. %prep -%setup -q -a 1 +%autosetup -a 1 -p1 %build @@ -103,6 +104,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Wed Jan 08 2025 Muhammad Falak - 1.12.13-2 +- Patch CVE-2024-45337 + * Mon Sep 16 2024 Jiri Appl - 1.12.13-1 - Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620