830714 – (CVE-2021-25743) <sys-cluster/kubectl-1.26.0: lacks escape/meta/control sequence filtering in terminal output

Bug 830714 (CVE-2021-25743) - <sys-cluster/kubectl-1.26.0: lacks escape/meta/control sequence filtering in terminal output

Summary: <sys-cluster/kubectl-1.26.0: lacks escape/meta/control sequence filtering in ...

Status:	IN_PROGRESS

Alias:	CVE-2021-25743

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/kubernetes/kuberne...
Whiteboard:	B3 [noglsa cleanup]
Keywords:

Depends on:
Blocks:

Reported:	2022-01-07 04:30 UTC by John Helmert III
Modified:	2023-12-03 23:08 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-01-07 04:30:55 UTC

CVE-2021-25743:

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

Comment 1 John Helmert III archtester

2022-10-15 19:32:13 UTC

There's a PR to fix: https://github.com/kubernetes/kubernetes/pull/112553

Comment 2 John Helmert III archtester

2022-10-30 17:10:51 UTC

Patch has landed: https://github.com/kubernetes/kubernetes/commit/dad0e937c0f76344363eb691b2668490ffef8537

Seems it will be in 1.26.

Comment 3 John Helmert III archtester

2023-11-05 16:56:15 UTC

Patch is in 1.26.0, and <1.26 branches aren't supported anymore according to https://kubernetes.io/releases/. Please cleanup.

No GLSA as it's not clear how exploitable/impactful this is.