From a86ead2f2c00afb2e8ddd326d827001237aa8fc3 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Tue, 9 Dec 2025 18:36:37 +0800
Subject: [PATCH] fix CVE-2025-13281

(cherry picked from commit 796adf97e10af57d2a07557722da6d3fec964bb5)
---
 0023-fix-CVE-2025-13281.patch | 95 +++++++++++++++++++++++++++++++++++
 kubernetes.spec | 9 +++-
 2 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 0023-fix-CVE-2025-13281.patch

diff --git a/0023-fix-CVE-2025-13281.patch b/0023-fix-CVE-2025-13281.patch
new file mode 100644
index 0000000..9f81c9e
--- /dev/null
+++ b/0023-fix-CVE-2025-13281.patch
@@ -0,0 +1,95 @@
+From 7506ce804c20696ba32cdb72126270ceaed06e24 Mon Sep 17 00:00:00 2001
+From: Ankit Gohil
+Date: Mon, 3 Nov 2025 22:38:58 +0000
+Subject: [PATCH] Clean up event messages for errors in Portworx in-tree driver
+
+---
+ pkg/volume/portworx/portworx.go | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/pkg/volume/portworx/portworx.go b/pkg/volume/portworx/portworx.go
+index 9d347ba7..93a72502 100644
+--- a/pkg/volume/portworx/portworx.go
++++ b/pkg/volume/portworx/portworx.go
+@@ -304,8 +304,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
+ klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
+ if err != nil && !os.IsNotExist(err) {
+- klog.Errorf("Cannot validate mountpoint: %s", dir)
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
++ return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
+ }
+ if !notMnt {
+ return nil
+@@ -315,7 +316,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ attachOptions[attachContextKey] = dir
+ attachOptions[attachHostKey] = b.plugin.host.GetHostName()
+ if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
++ return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
+ }
+ 
+ klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
+@@ -325,7 +328,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ }
+ 
+ if err := b.manager.MountVolume(b, dir); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to mount volume %s: %v", b.volumeID, err)
++ return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
+ }
+ if !b.readOnly {
+ volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil))
+@@ -356,12 +361,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
+ klog.Infof("Portworx Volume TearDown of %s", dir)
+ 
+ if err := c.manager.UnmountVolume(c, dir); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
++ return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
+ }
+ 
+ // Call Portworx Detach Volume.
+ if err := c.manager.DetachVolume(c); err != nil {
+- return err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
++ return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
+ }
+ 
+ return nil
+@@ -378,7 +387,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
+ }
+ 
+ func (d *portworxVolumeDeleter) Delete() error {
+- return d.manager.DeleteVolume(d)
++ err := d.manager.DeleteVolume(d)
++ if err != nil {
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
++ return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
++ }
++ return nil
+ }
+ 
+ type portworxVolumeProvisioner struct {
+@@ -399,7 +414,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
+ 
+ volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
+ if err != nil {
+- return nil, err
++ // don't log error details from client calls in events
++ klog.V(4).Infof("Failed to create volume: %v", err)
++ return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
+ }
+ 
+ pv := &v1.PersistentVolume{
+-- 
+2.43.0
+
diff --git a/kubernetes.spec b/kubernetes.spec
index 46ec96b..09d0177 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -3,7 +3,7 @@ Name: kubernetes
 Version: 1.20.2
-Release: 27
+Release: 28
 Summary: Container cluster management
 License: ASL 2.0
 URL: https://k8s.io/kubernetes
@@ -46,6 +46,7 @@ Patch6018: 0019-backport-Don-t-prematurely-close-reflectors-in-case-of-slow-i.pa
 Patch6019: 0020-backport-Fix-cpu-share-issues-on-systems-with-large-amounts-o.patch
 Patch6020: 0021-gitRepo-volume-directory-must-be-max-1-level-deep.patch
 Patch6021: 0022-fix-CVE-2025-5187.patch
+Patch6022: 0023-fix-CVE-2025-13281.patch
 
 %description
 Container cluster management.
@@ -277,6 +278,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Tue Dec 09 2025 dongyuzhen 1.20.2-28
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2025-13281
+
 * Thu Aug 28 2025 yujingbo - 1.20.2-27
 - Type:bugfix
 - CVE:NA
-- Gitee
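Review bot: The replacement messages in the mounter and unmounter paths (the three SetUpAt sites and the two TearDownAt sites of the nested patch) tell the operator to look in kube-controller-manager.log, but as far as the in-tree plugin model goes SetUpAt and TearDownAt are invoked by the kubelet on the node, so the detailed `klog.V(4)` line they refer to will land in the kubelet's log, not the controller-manager's; only the Delete and Provision sites run in the controller-manager. I would change those five strings to name the right component, e.g. `return fmt.Errorf("failed to mount volume: see kubelet log for details")`, otherwise the pointer sends people to a log that does not contain the error. Replacing the client error with a fixed string is the right call for an error that ends up in a pod event, and demoting the full text from Errorf to V(4) means it is only recorded when that verbosity is enabled; that operational consequence deserves a sentence in the patch description, since debugging Portworx mount failures now requires -v=4 on the affected component. Each inner hunk cuts into the middle of its function, so the SetUpAt, TearDownAt, Delete and Provision bodies continue outside what the patch shows.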