calico: update to 3.26.4 and patch CVE-2024-33522

Change-Id: I86eb9721ac812817e97a5324634430f284c7b0b4 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/24382 Tested-by: gerrit-photon <photon-checkins@vmware.com> Reviewed-by: Alexey Makhalov <amakhalov@vmware.com> Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
2024-05-06 18:41:48 +00:00 · 2024-05-06 18:41:48 +00:00 · f9bbf47a79
parent 5ca7464706
commit f9bbf47a79
3 changed files with 402 additions and 3 deletions
--- a/SPECS/calico/0001-CVE-2024-33522.patch
+++ b/SPECS/calico/0001-CVE-2024-33522.patch
@ -0,0 +1,249 @@
+From d58e126ebf1fc08dd7504789c49ed13d7756e2e3 Mon Sep 17 00:00:00 2001
+From: Pedro Coutinho <pedro@tigera.io>
+Date: Wed, 24 Jan 2024 20:17:10 -0800
+Subject: [PATCH] Improvements to cni-plugin binaries
+
+[Brennan: Ported to 3.26.x]
+---
+ cni-plugin/Makefile               | 19 ++++---
+ cni-plugin/cmd/calico/calico.go   |  8 ---
+ cni-plugin/cmd/install/install.go | 32 +++++++++++
+ cni-plugin/pkg/install/install.go | 89 ++++++++++++++-----------------
+ 4 files changed, 86 insertions(+), 62 deletions(-)
+ create mode 100644 cni-plugin/cmd/install/install.go
+
+diff --git a/cni-plugin/Makefile b/cni-plugin/Makefile
+index 08d022d..92fbca6 100644
+--- a/cni-plugin/Makefile
+++ b/cni-plugin/Makefile
+@@ -87,13 +87,20 @@ build-all: $(addprefix sub-build-,$(VALIDARCHES))
+ sub-build-%:
+ 	$(MAKE) build ARCH=$*
+
+-## Build the Calico network plugin and ipam plugins
+## Build the Calico installation binary for the network and ipam plugins
+ $(BIN)/install binary: $(SRC_FILES)
+ ifeq ($(FIPS), true)
+-	$(call build_cgo_boring_binary, $(PACKAGE_NAME)/cmd/calico, $(BIN)/install)
+    $(call build_cgo_boring_binary, $(PACKAGE_NAME)/cmd/install, $@)
+ else
+-	$(DOCKER_RUN) -e CGO_ENABLED=$(CGO_ENABLED) $(CALICO_BUILD) sh -c '\
+-		$(GIT_CONFIG_SSH) go build -buildvcs=false -v -o $(BIN)/install -ldflags "$(LDFLAGS)" $(PACKAGE_NAME)/cmd/calico'
+    $(call build_binary, $(PACKAGE_NAME)/cmd/install, $@)
+endif
+
+## Build the Calico network and ipam plugins
+$(BIN)/calico: $(SRC_FILES)
+ifeq ($(FIPS), true)
+	$(call build_cgo_boring_binary, $(PACKAGE_NAME)/cmd/calico, $@)
+else
+	$(call build_binary, $(PACKAGE_NAME)/cmd/calico, $@)
+ endif
+
+ ## Build the Calico network plugin and ipam plugins for Windows
+diff --git a/cni-plugin/cmd/calico/calico.go b/cni-plugin/cmd/calico/calico.go
+index 091c080..4b88375 100644
+--- a/cni-plugin/cmd/calico/calico.go
+++ b/cni-plugin/cmd/calico/calico.go
+@@ -18,9 +18,6 @@ import (
+ 	"os"
+ 	"path/filepath"
+
+-	"github.com/sirupsen/logrus"
+-
+-	"github.com/projectcalico/calico/cni-plugin/pkg/install"
+ 	"github.com/projectcalico/calico/cni-plugin/pkg/ipamplugin"
+ 	"github.com/projectcalico/calico/cni-plugin/pkg/plugin"
+ )
+@@ -36,11 +33,6 @@ func main() {
+ 		plugin.Main(VERSION)
+ 	case "calico-ipam", "calico-ipam.exe":
+ 		ipamplugin.Main(VERSION)
+-	case "install":
+-		err := install.Install()
+-		if err != nil {
+-			logrus.WithError(err).Fatal("Error installing CNI plugin")
+-		}
+ 	default:
+ 		panic("Unknown binary name: " + filename)
+ 	}
+diff --git a/cni-plugin/cmd/install/install.go b/cni-plugin/cmd/install/install.go
+new file mode 100644
+index 0000000..1ac30ed
+--- /dev/null
+++ b/cni-plugin/cmd/install/install.go
+@@ -0,0 +1,32 @@
+// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"github.com/sirupsen/logrus"
+
+	"github.com/projectcalico/calico/cni-plugin/pkg/install"
+)
+
+// VERSION is filled out during the build process (using git describe output)
+var VERSION string
+
+func main() {
+	err := install.Install()
+	if err != nil {
+		logrus.WithError(err).Fatal("Error installing CNI plugin")
+	}
+}
+
+diff --git a/cni-plugin/pkg/install/install.go b/cni-plugin/pkg/install/install.go
+index 31fe35a..8d4dc01 100644
+--- a/cni-plugin/pkg/install/install.go
+++ b/cni-plugin/pkg/install/install.go
+@@ -159,34 +159,27 @@ func Install() error {
+ 	// Copy over any TLS assets from the SECRETS_MOUNT_DIR to the host.
+ 	// First check if the dir exists and has anything in it.
+ 	if directoryExists(c.TLSAssetsDir) {
+-		logrus.Info("Installing any TLS assets")
+-		mkdir("/host/etc/cni/net.d/calico-tls")
+-		if err := copyFileAndPermissions(fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-ca"), "/host/etc/cni/net.d/calico-tls/etcd-ca"); err != nil {
+-			logrus.Warnf("Missing etcd-ca")
+-		}
+-		if err := copyFileAndPermissions(fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-cert"), "/host/etc/cni/net.d/calico-tls/etcd-cert"); err != nil {
+-			logrus.Warnf("Missing etcd-cert")
+-		}
+-		if err := copyFileAndPermissions(fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-key"), "/host/etc/cni/net.d/calico-tls/etcd-key"); err != nil {
+-			logrus.Warnf("Missing etcd-key")
+		// Only install TLS assets if at least one of them exists in the dir.
+		etcdCaPath := fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-ca")
+		etcdCertPath := fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-cert")
+		etcdKeyPath := fmt.Sprintf("%s/%s", c.TLSAssetsDir, "etcd-key")
+		if !fileExists(etcdCaPath) && !fileExists(etcdCertPath) && !fileExists(etcdKeyPath) {
+			logrus.Infof("No TLS assets found in %s, skipping", c.TLSAssetsDir)
+		} else {
+			logrus.Info("Installing any TLS assets")
+			mkdir(winutils.GetHostPath("/host/etc/cni/net.d/calico-tls"))
+			if err := copyFileAndPermissions(etcdCaPath, winutils.GetHostPath("/host/etc/cni/net.d/calico-tls/etcd-ca")); err != nil {
+				logrus.Warnf("Missing etcd-ca")
+			}
+			if err := copyFileAndPermissions(etcdCertPath, winutils.GetHostPath("/host/etc/cni/net.d/calico-tls/etcd-cert")); err != nil {
+				logrus.Warnf("Missing etcd-cert")
+			}
+			if err := copyFileAndPermissions(etcdKeyPath, winutils.GetHostPath("/host/etc/cni/net.d/calico-tls/etcd-key")); err != nil {
+				logrus.Warnf("Missing etcd-key")
+			}
+ 		}
+ 	}
+
+-	// Set the suid bit on the binaries to allow them to run as non-root users.
+-	if err := setSuidBit("/opt/cni/bin/install"); err != nil {
+-		logrus.WithError(err).Fatalf("Failed to set the suid bit on the install binary")
+-	}
+-
+-	// TODO: Remove the setSUID code here on calico and calico-ipam when they eventually
+-	// get refactored to all use install as the source.
+-	if err := setSuidBit("/opt/cni/bin/calico"); err != nil {
+-		logrus.WithError(err).Fatalf("Failed to set the suid bit on the calico binary")
+-	}
+-
+-	if err := setSuidBit("/opt/cni/bin/calico-ipam"); err != nil {
+-		logrus.WithError(err).Fatalf("Failed to set the suid bit on the calico-ipam")
+-	}
+-
+ 	// Place the new binaries if the directory is writeable.
+ 	dirs := []string{"/host/opt/cni/bin", "/host/secondary-bin-dir"}
+ 	binsWritten := false
+@@ -196,6 +189,9 @@ func Install() error {
+ 			continue
+ 		}
+
+		// Don't exec the 'calico' binary later on if it has been skipped
+		calicoBinarySkipped := true
+
+ 		// Iterate through each binary we might want to install.
+ 		files, err := os.ReadDir("/opt/cni/bin/")
+ 		if err != nil {
+@@ -204,6 +200,10 @@ func Install() error {
+ 		for _, binary := range files {
+ 			target := fmt.Sprintf("%s/%s", d, binary.Name())
+ 			source := fmt.Sprintf("/opt/cni/bin/%s", binary.Name())
+			// Skip the 'install' binary as it is not needed on the host
+			if binary.Name() == "install" || binary.Name() == "install.exe" {
+				continue
+			}
+ 			if c.skipBinary(binary.Name()) {
+ 				continue
+ 			}
+@@ -215,6 +215,9 @@ func Install() error {
+ 				logrus.WithError(err).Errorf("Failed to install %s", target)
+ 				os.Exit(1)
+ 			}
+			if binary.Name() == "calico" || binary.Name() == "calico.exe" {
+				calicoBinarySkipped = false
+			}
+ 			logrus.Infof("Installed %s", target)
+ 		}
+
+@@ -222,17 +225,20 @@ func Install() error {
+ 		logrus.Infof("Wrote Calico CNI binaries to %s\n", d)
+ 		binsWritten = true
+
+-		// Print CNI plugin version to confirm that the binary was actually written.
+-		// If this fails, it means something has gone wrong so we should retry.
+-		cmd := exec.Command(d+"/calico", "-v")
+-		var out bytes.Buffer
+-		cmd.Stdout = &out
+-		err = cmd.Run()
+-		if err != nil {
+-			logrus.WithError(err).Warnf("Failed getting CNI plugin version from installed binary, exiting")
+-			return err
+		// Don't exec the 'calico' binary later on if it has been skipped
+		if !calicoBinarySkipped {
+			// Print CNI plugin version to confirm that the binary was actually written.
+			// If this fails, it means something has gone wrong so we should retry.
+			cmd := exec.Command(d+"/calico", "-v")
+			var out bytes.Buffer
+			cmd.Stdout = &out
+			err = cmd.Run()
+			if err != nil {
+				logrus.WithError(err).Warnf("Failed getting CNI plugin version from installed binary, exiting")
+				return err
+			}
+			logrus.Infof("CNI plugin version: %s", out.String())
+ 		}
+-		logrus.Infof("CNI plugin version: %s", out.String())
+ 	}
+
+ 	// If binaries were not placed, exit
+@@ -507,19 +513,6 @@ current-context: calico-context`
+ 	}
+ }
+
+-func setSuidBit(file string) error {
+-	fi, err := os.Stat(file)
+-	if err != nil {
+-		return fmt.Errorf("failed to stat file: %s", err)
+-	}
+-	err = os.Chmod(file, fi.Mode()|os.FileMode(uint32(8388608)))
+-	if err != nil {
+-		return fmt.Errorf("failed to chmod file: %s", err)
+-	}
+-
+-	return nil
+-}
+-
+ // destinationUptoDate compares the given files and returns
+ // whether or not the destination file needs to be updated with the
+ // contents of the source file.
+--
+2.39.0
+
--- a/SPECS/calico/0002-CVE-2024-33522.patch
+++ b/SPECS/calico/0002-CVE-2024-33522.patch
@ -0,0 +1,144 @@
+From 7c0c4774d0015e775a385b346c1b6f06755183ca Mon Sep 17 00:00:00 2001
+From: Pedro Coutinho <pedro@tigera.io>
+Date: Thu, 15 Feb 2024 20:52:25 -0800
+Subject: [PATCH] Verify calico cni binary contents instead of executing
+ 'calico -v'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'destinationUptoDate()' compares the files byte for byte,
+so if they’re exactly the same, it’s equivalent to running
+'calico -v'
+
+[Brennan: Ported to 3.26.x]
+---
+ cni-plugin/Makefile               |  6 ++---
+ cni-plugin/cmd/install/install.go |  2 +-
+ cni-plugin/pkg/install/install.go | 39 +++++++++++++------------------
+ 3 files changed, 20 insertions(+), 27 deletions(-)
+
+diff --git a/cni-plugin/Makefile b/cni-plugin/Makefile
+index 92fbca6..49c7e95 100644
+--- a/cni-plugin/Makefile
+++ b/cni-plugin/Makefile
+@@ -103,6 +103,9 @@ else
+ 	$(call build_binary, $(PACKAGE_NAME)/cmd/calico, $@)
+ endif
+
+$(BIN)/calico-ipam: $(BIN)/calico
+	cp "$<" "$@"
+
+ ## Build the Calico network plugin and ipam plugins for Windows
+ $(BIN_WIN)/calico.exe $(BIN_WIN)/calico-ipam.exe: $(SRC_FILES)
+ 	$(DOCKER_RUN) \
+@@ -159,9 +162,6 @@ check-boring-ssl: $(BIN)/install
+ 	$(DOCKER_RUN) -e CGO_ENABLED=$(CGO_ENABLED) $(CALICO_BUILD) $(CHECK_BORINGSSL)
+ 	-rm -f $(BIN)/tags.txt
+
+-$(BIN)/calico-ipam $(BIN)/calico: $(BIN)/install
+-	cp "$<" "$@"
+-
+ ut-datastore:
+ 	# The tests need to run as root
+ 	docker run --rm -t --privileged --net=host \
+diff --git a/cni-plugin/cmd/install/install.go b/cni-plugin/cmd/install/install.go
+index 1ac30ed..e3d11a4 100644
+--- a/cni-plugin/cmd/install/install.go
+++ b/cni-plugin/cmd/install/install.go
+@@ -24,7 +24,7 @@ import (
+ var VERSION string
+
+ func main() {
+-	err := install.Install()
+	err := install.Install(VERSION)
+ 	if err != nil {
+ 		logrus.WithError(err).Fatal("Error installing CNI plugin")
+ 	}
+diff --git a/cni-plugin/pkg/install/install.go b/cni-plugin/pkg/install/install.go
+index 8d4dc01..e9daa16 100644
+--- a/cni-plugin/pkg/install/install.go
+++ b/cni-plugin/pkg/install/install.go
+@@ -15,13 +15,12 @@
+ package install
+
+ import (
+-	"bytes"
+ 	"encoding/base64"
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+ 	"os"
+-	"os/exec"
+	"runtime"
+ 	"strings"
+ 	"time"
+
+@@ -118,7 +117,7 @@ func loadConfig() config {
+ 	return c
+ }
+
+-func Install() error {
+func Install(version string) error {
+ 	// Make sure the RNG is seeded.
+ 	seedrng.EnsureSeeded()
+
+@@ -189,9 +188,6 @@ func Install() error {
+ 			continue
+ 		}
+
+-		// Don't exec the 'calico' binary later on if it has been skipped
+-		calicoBinarySkipped := true
+-
+ 		// Iterate through each binary we might want to install.
+ 		files, err := os.ReadDir("/opt/cni/bin/")
+ 		if err != nil {
+@@ -215,9 +211,6 @@ func Install() error {
+ 				logrus.WithError(err).Errorf("Failed to install %s", target)
+ 				os.Exit(1)
+ 			}
+-			if binary.Name() == "calico" || binary.Name() == "calico.exe" {
+-				calicoBinarySkipped = false
+-			}
+ 			logrus.Infof("Installed %s", target)
+ 		}
+
+@@ -225,21 +218,21 @@ func Install() error {
+ 		logrus.Infof("Wrote Calico CNI binaries to %s\n", d)
+ 		binsWritten = true
+
+-		// Don't exec the 'calico' binary later on if it has been skipped
+-		if !calicoBinarySkipped {
+-			// Print CNI plugin version to confirm that the binary was actually written.
+-			// If this fails, it means something has gone wrong so we should retry.
+-			cmd := exec.Command(d+"/calico", "-v")
+-			var out bytes.Buffer
+-			cmd.Stdout = &out
+-			err = cmd.Run()
+-			if err != nil {
+-				logrus.WithError(err).Warnf("Failed getting CNI plugin version from installed binary, exiting")
+-				return err
+-			}
+-			logrus.Infof("CNI plugin version: %s", out.String())
+		// Instead of executing 'calico -v', check if the calico binary was copied successfully
+		calicoBinaryName := "calico"
+		if runtime.GOOS == "windows" {
+			calicoBinaryName = "calico.exe"
+ 		}
+-	}
+		calicoBinaryOK, err := destinationUptoDate("/opt/cni/bin/"+calicoBinaryName, d+"/"+calicoBinaryName)
+		if err != nil {
+			logrus.WithError(err).Warnf("Failed verifying installed binary, exiting")
+			return err
+		}
+		// Print version number if successful
+		if calicoBinaryOK {
+			logrus.Infof("CNI plugin version: %s", version)
+		}
+    }
+
+ 	// If binaries were not placed, exit
+ 	if !binsWritten {
+--
+2.39.0
+
--- a/SPECS/calico/calico.spec
+++ b/SPECS/calico/calico.spec
@ -1,11 +1,15 @@
 Summary:        Calico node and documentation for project calico.
 Name:           calico
-Version:        3.26.1
-Release:        5%{?dist}
+Version:        3.26.4
+Release:        1%{?dist}
 License:        Apache-2.0
 URL:            https://github.com/projectcalico/calico
 Source0:        https://github.com/projectcalico/calico/archive/refs/tags/%{name}-%{version}.tar.gz
-%define sha512  calico=2571bbae94ca0c80b11a347ffc4601e7ab5feba3bd9fb93e78e0b3ec9998a2871ba7abf3fe8029f8738ed9cf616b4e0a7ddb6a0556b08873045fefe1c2656d99
+%define sha512  calico=85a051cf938f771e9bf3173cc1806697b73b36d221053ad53ecf69afae0bfe8f9c0c6fac24de4b5f3e747b095ebf11e79d6358bd0e7a797a5144054010bb15b4
+
+Patch1:         0001-CVE-2024-33522.patch
+Patch2:         0002-CVE-2024-33522.patch
+
 Group:          Development/Tools
 Vendor:         VMware, Inc.
 Distribution:   Photon
@ -133,6 +137,8 @@ cp -r confd/etc/ %{buildroot}%{_sysconfdir}
 %config(noreplace) %{_sysconfdir}/calico

 %changelog
+* Mon May 06 2024 Brennan Lamoreaux <brennan.lamoreaux@broadcom.com> 3.26.4-1
+- Update to 3.26.4 and add patches for CVE-2024-33522.
 * Tue Nov 21 2023 Piyush Gupta <gpiyush@vmware.com> 3.26.1-5
 - Bump up version to compile with new go
 * Wed Oct 11 2023 Piyush Gupta <gpiyush@vmware.com> 3.26.1-4