
[v0.51] Bump c/image to v5.24.3, c/common to v0.51.4 #2154

Merged
merged 3 commits into from
Sep 17, 2024

Conversation

TomSweeneyRedHat
Member

As the title says, bump c/image to v5.24.3 to address CVE-2024-3727, then bump c/common to include it in Podman v4.4.1-rhel.

Bump c/image to v5.24.3 to resolve CVE-2024-3727 in the
Podman v4.4.1-rhel branch for a number of versions of OCP

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Contributor

openshift-ci bot commented Sep 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TomSweeneyRedHat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Sep 6, 2024
@TomSweeneyRedHat
Member Author

I seem to remember seeing this error elsewhere, but I can't find the secret sauce to fix it:

go: github.com/containerd/containerd@v1.6.15 requires
	github.com/containerd/aufs@v1.0.0 requires
	github.com/containerd/containerd@v1.5.0-beta.3 requires
	github.com/Microsoft/hcsshim@v0.8.15 requires
	github.com/containerd/containerd@v1.5.0-beta.1 requires
	github.com/Microsoft/hcsshim/test@v0.0.0-20201218223536-d3e5debf77da requires
	github.com/docker/distribution@v0.0.0-20190905152932-14b96e55d84c requires
	github.com/mitchellh/osext@v0.0.0-20151018003038-5e2d6d41470f: invalid version: git ls-remote -q origin in /var/tmp/go/pkg/mod/cache/vcs/94ed57c5b21c953d93b47487113db43a5c9b69fd990329ec70dc77348c4dd443: exit status 128:
	fatal: could not read Username for 'https://github.com': terminal prompts disabled
Confirm the import path was entered correctly.
If this is a private repository, see https://golang.org/doc/faq#git_https for additional information.
make: *** [Makefile:68: vendor] Error 1

Anyone's memory cells connecting better than mine tonight?

@kwilczynski
Member

kwilczynski commented Sep 13, 2024

github.com/mitchellh/osext@v0.0.0-20151018003038-5e2d6d41470f

@TomSweeneyRedHat, try:

GOPROXY="https://proxy.golang.org/" go mod tidy

This is because the github.com/mitchellh/osext does not exist and returns 404 back to Git. Some project somewhere needs to update its dependencies.
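The `requires` chain in the quoted error is the path through the module requirement graph that drags in the unresolvable `github.com/mitchellh/osext`. As an added example (not code from this PR or from containers/common), this Go program recovers such a chain from `go mod graph`-style output by breadth-first search; `sampleGraph` is constructed from the chain quoted above, and the ocicrypt edge is an assumed extra branch.

```go
package main

import "fmt"
import "strings"

// Constructed sample in `go mod graph` format ("parent child" per line), built from
// the require chain in the error quoted above; the ocicrypt edge is an assumed extra branch.
const sampleGraph = `github.com/containers/common github.com/containers/ocicrypt@v1.1.7
github.com/containers/common github.com/containerd/containerd@v1.6.15
github.com/containerd/containerd@v1.6.15 github.com/containerd/aufs@v1.0.0
github.com/containerd/aufs@v1.0.0 github.com/containerd/containerd@v1.5.0-beta.3
github.com/containerd/containerd@v1.5.0-beta.3 github.com/Microsoft/hcsshim@v0.8.15
github.com/Microsoft/hcsshim@v0.8.15 github.com/containerd/containerd@v1.5.0-beta.1
github.com/containerd/containerd@v1.5.0-beta.1 github.com/Microsoft/hcsshim/test@v0.0.0-20201218223536-d3e5debf77da
github.com/Microsoft/hcsshim/test@v0.0.0-20201218223536-d3e5debf77da github.com/docker/distribution@v0.0.0-20190905152932-14b96e55d84c
github.com/docker/distribution@v0.0.0-20190905152932-14b96e55d84c github.com/mitchellh/osext@v0.0.0-20151018003038-5e2d6d41470f`

// RequirePath returns the shortest requirement chain from root to the first module
// whose path (ignoring the @version) equals target, or nil if no module requires it.
func RequirePath(graph, root, target string) []string {
	edges := map[string][]string{} // parent -> required modules
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	prev := map[string]string{root: ""} // BFS parent pointers; root has none
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if strings.SplitN(cur, "@", 2)[0] == target {
			var path []string // walk the parent pointers back to root
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	path := RequirePath(sampleGraph, "github.com/containers/common", "github.com/mitchellh/osext")
	fmt.Println(strings.Join(path, "\n  requires "))
}
```

On the real module, `go mod why -m github.com/mitchellh/osext` would report that the main module does not need it, because nothing imports it; the requirement edge nonetheless remains in `go mod graph`, which is why dropping it with a `go.mod` `exclude` directive (the approach taken later in this PR) resolves the failure.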

@kwilczynski
Member

@TomSweeneyRedHat, there are other issues here per:

go: github.com/containers/common/libimage imports
	github.com/containers/ocicrypt/config imports
	gopkg.in/yaml.v3 tested by
	gopkg.in/yaml.v3.test imports
	gopkg.in/check.v1 imports
	github.com/kr/pretty imports
	github.com/rogpeppe/go-internal/fmtsort loaded from github.com/rogpeppe/go-internal@v1.6.1,
	but go 1.16 would select v1.8.0

To upgrade to the versions selected by go 1.16:
	go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
	go mod tidy -compat=1.17
For other options, see:
	https://golang.org/doc/modules/pruning
go: github.com/containers/common/libimage imports
	github.com/containers/ocicrypt/config imports
	gopkg.in/yaml.v3 tested by
	gopkg.in/yaml.v3.test imports
	gopkg.in/check.v1 imports
	github.com/kr/pretty imports
	github.com/rogpeppe/go-internal/fmtsort loaded from github.com/rogpeppe/go-internal@v1.6.1,
	but go 1.16 would select v1.8.0

Exclude the old, outdated, and problematic
github.com/mitchellh/osext which was being dragged in
by containerd.

This is what containerd did in containerd/containerd#10011
and included it in 1.6.31.  I tried bumping first to 1.6.31, but
that dragged in a lot of stuff.  I think this is safer, if it works.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
As the title says, bumping c/common to v0.51.4.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
@TomSweeneyRedHat TomSweeneyRedHat force-pushed the dev/tsweeney/cveplus-v0.51 branch from 05809a1 to 4d0d20a Compare September 17, 2024 00:45
@TomSweeneyRedHat
Member Author

@kwilczynski TYVM! It looks like mitchellh/osext is not used and dragged in by containerd from some far flung dependency. They got rid of it in 1.6.31, but bumping up that high in this branch dragged in a boatload of other nasty. When containerd ran into this same issue, they excluded osext. I've tried doing the same and will cross my fingers that will cure it. If not, I'll dive into your other suggestions.

@kwilczynski
Member

@kwilczynski TYVM! It looks like mitchellh/osext is not used and dragged in by containerd from some far flung dependency. They got rid of it in 1.6.31, but bumping up that high in this branch dragged in a boatload of other nasty. When containerd ran into this same issue, they excluded osext. I've tried doing the same and will cross my fingers that will cure it. If not, I'll dive into your other suggestions.

@TomSweeneyRedHat, looks like excluding the github.com/mitchellh/osext did the trick here. Nice!

@TomSweeneyRedHat
Member Author

Happy Green Test buttons! @Luap99 and @rhatdan PTAL

@rhatdan
Member

rhatdan commented Sep 17, 2024

/lgtm

@TomSweeneyRedHat
Member Author

Fixes: https://issues.redhat.com/browse/RHEL-59127 once this is vendored into Podman v4.4.*

@mheon
Member

mheon commented Sep 17, 2024

Let me check if the mergebot is stuck

@mheon
Member

mheon commented Sep 17, 2024

LGTM for reference

@mheon
Member

mheon commented Sep 17, 2024

It shouldn't be stuck.
I'm just pressing the button.

@mheon mheon merged commit 448e039 into containers:v0.51 Sep 17, 2024
5 checks passed
@TomSweeneyRedHat
Member Author

Too many PRs, this addresses the CVE-2024-3727 follow-on fix. #2157 fixes https://issues.redhat.com/browse/RHEL-59127 .

Once a release is cut and then c/common vendored into Skopeo and Podman, this will fix:
https://issues.redhat.com/browse/OCPBUGS-37020
https://issues.redhat.com/browse/OCPBUGS-37009
https://issues.redhat.com/browse/OCPBUGS-37010
https://issues.redhat.com/browse/OCPBUGS-37022
https://issues.redhat.com/browse/OCPBUGS-37011
https://issues.redhat.com/browse/OCPBUGS-37023

I'm waiting for #2157 to merge before creating a c/common release and then merge into Podman/Skopeo.

@TomSweeneyRedHat TomSweeneyRedHat deleted the dev/tsweeney/cveplus-v0.51 branch September 19, 2024 14:48