From 0f0bd21dea52832eb11e63e8dd788fb94cb74cd9 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Wed, 10 Dec 2025 11:38:05 +0800
Subject: [PATCH] fix CVE-2025-13281

---
 0010-fix-CVE-2025-13281.patch | 95 +++++++++++++++++++++++++++++++++++
 kubernetes.spec | 10 +++-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 0010-fix-CVE-2025-13281.patch

diff --git a/0010-fix-CVE-2025-13281.patch b/0010-fix-CVE-2025-13281.patch
new file mode 100644
index 0000000..36bc07e
--- /dev/null
+++ b/0010-fix-CVE-2025-13281.patch
@@ -0,0 +1,95 @@
+From 7506ce804c20696ba32cdb72126270ceaed06e24 Mon Sep 17 00:00:00 2001
+From: Ankit Gohil
+Date: Mon, 3 Nov 2025 22:38:58 +0000
+Subject: [PATCH] Clean up event messages for errors in Portworx in-tree driver
+
+---
+ pkg/volume/portworx/portworx.go | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/pkg/volume/portworx/portworx.go b/pkg/volume/portworx/portworx.go
+index 6b9243f5..4866739b 100644
+--- a/pkg/volume/portworx/portworx.go
++++ b/pkg/volume/portworx/portworx.go
+@@ -311,8 +311,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
+ klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
+ if err != nil && !os.IsNotExist(err) {
+- klog.Errorf("Cannot validate mountpoint: %s", dir)
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
++ return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
+ }
+ if !notMnt {
+ return nil
+@@ -322,7 +323,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ attachOptions[attachContextKey] = dir
+ attachOptions[attachHostKey] = b.plugin.host.GetHostName()
+ if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
++ return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
+ }
+ 
+ klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
+@@ -332,7 +335,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ }
+ 
+ if err := b.manager.MountVolume(b, dir); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to mount volume 
%s: %v", b.volumeID, err)
++ return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
+ }
+ if !b.readOnly {
+ volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil))
+@@ -363,12 +368,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
+ klog.Infof("Portworx Volume TearDown of %s", dir)
+ 
+ if err := c.manager.UnmountVolume(c, dir); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
++ return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
+ }
+ 
+ // Call Portworx Detach Volume.
+ if err := c.manager.DetachVolume(c); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
++ return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
+ }
+ 
+ return nil
+@@ -385,7 +394,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
+ }
+ 
+ func (d *portworxVolumeDeleter) Delete() error {
+- return d.manager.DeleteVolume(d)
++ err := d.manager.DeleteVolume(d)
++ if err != nil {
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
++ return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
++ }
++ return nil
+ }
+ 
+ type portworxVolumeProvisioner struct {
+@@ -406,7 +421,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
+ 
+ volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
+ if err != nil {
+- return nil, err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to create volume: %v", err)
++ return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
+ }
+ 
+ pv := 
&v1.PersistentVolume{
+--
+2.43.0
+
diff --git a/kubernetes.spec b/kubernetes.spec
index 3dea5f0..4610958 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -3,7 +3,7 @@
 
 Name: kubernetes
 Version: 1.29.1
-Release: 13
+Release: 14
 Summary: Container cluster management
 License: ASL 2.0
 URL: https://k8s.io/kubernetes
@@ -33,6 +33,7 @@ Patch0006: 0006-adapt-go-version.patch
 Patch0007: 0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch
 Patch0008: 0008-Kubelet-server-handler-cleanup.patch
 Patch0009: 0009-fix-CVE-2025-5187.patch
+Patch0010: 0010-fix-CVE-2025-13281.patch
 
 Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch
 Patch1001: 1001-Add-loong64-host-build-support.patch
@@ -106,6 +107,7 @@ Help documents for kubernetes.
 %patch 0007 -p1
 %patch 0008 -p1
 %patch 0009 -p1
+%patch 0010 -p1
 
 %ifarch riscv64
 %patch 1000 -p1
@@ -292,6 +294,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Wed Dec 10 2025 dongyuzhen - 1.29.1-14
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2025-13281
+
 * Thu Aug 28 2025 yujingbo - 1.29.1-13
 - Type:bugfix
 - CVE:NA
-- Gitee
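Review bot: The five replacement messages in SetUpAt and TearDownAt (inner hunks -311, -322, -332 and -363) send the reader to `kube-controller-manager.log`, but these are the mounter/unmounter paths, which presumably execute in the kubelet rather than the controller-manager, so the hint is likely to point an operator at the wrong log; since this is a backport of an upstream patch, the better place to correct that is a sentence in the patch description rather than a local change to the strings. The error detail now surfaces only at `klog.V(4)`, so the description should also say that diagnosing Portworx failures requires `-v=4` on the affected component, and that at that verbosity the raw client error text (the content this change keeps out of events) is written to the component log, which has a different audience and retention than events. The hunk adds `fmt.Errorf` calls without an import hunk; confirm that portworx.go already imports `fmt`, since the build fails otherwise. The enclosing functions in the nested hunks all start or end outside the shown lines.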
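Review bot: The new changelog entry records `- CVE:NA` while its own DESC line says `fix CVE-2025-13281`, so the entry contradicts itself and anything that reads the CVE field of the changelog to track fixed vulnerabilities will miss this one; it should read `- CVE:CVE-2025-13281`. If the project's changelog convention has a dedicated Type value for CVE fixes, `- Type:bugfix` should use it as well.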