
Merge the release-1.55 branch into main #2143

Merged
merged 9 commits into from
Oct 23, 2024

Conversation

mtrmac
Collaborator

@mtrmac mtrmac commented Oct 21, 2024

Go tools use commit parent links to determine ordering.

Without a merge like this, commits on main, e.g. v1.55.1-0.20241002203117-0eb3a0231575, look “behind” v1.55.1, and Go tools “upgrade” to the branch, losing new features and breaking builds: https://cirrus-ci.com/build/6713959498121216 (Skopeo uses v1.55.1, c/image uses a commit from main, and combining the two uses the tagged release.)

So, add a merge commit to express the “is-later-than” relationship; afterwards, c/image will need to update to a commit which includes this merge, and Go tooling will again do the right thing.

giuseppe and others added 9 commits October 14, 2024 16:15
fix the detection for the maximum userns size from an image.

If the maximum ID used in an image is X, we need to use a user
namespace with size X+1 to include UID=X.

Closes: containers#2104

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the alpine image defines a "nogroup":

$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:

ignore it as we are already doing for the "nobody" user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We need to read /etc/passwd and /etc/group in the container to
get an idea of how many UIDs and GIDs we need to allocate for a
user namespace when `--userns=auto` is specified. We were forming
paths for these using filepath.Join, which is not safe for paths
within a container, resulting in this CVE allowing crafted
symlinks in the container to access paths on the host instead.

Addresses CVE-2024-9676

Signed-off-by: Matt Heon <mheon@redhat.com>
Matches what we're compiling with.

Signed-off-by: Matt Heon <mheon@redhat.com>
…ase155

[release-1.55] backport fix for CVE-2026-9676
Bump the version identifier to v1.55.1 so that we can tag a new release.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
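The CVE-2024-9676 commit message above explains why filepath.Join is unsafe for paths inside a container root: it only concatenates strings, so a symlink inside the image can redirect the joined path to a location on the host. As an added example (not code from containers/storage, this PR, or its authors), here is a hypothetical root-confined join that resolves symlinks one component at a time and re-roots every link target inside the container; it assumes Unix paths and is a simplified illustration, not the fix the repository ships:

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrTooManyLinks is returned when symlink resolution does not converge.
var ErrTooManyLinks = errors.New("too many symlinks while resolving path inside root")

// JoinInRoot resolves unsafePath relative to root, following symlinks one
// component at a time and treating link targets as paths inside root rather
// than on the host, so the result cannot escape root (filepath.Join only joins
// strings). Unix paths assumed. Hypothetical helper written for this example.
func JoinInRoot(root, unsafePath string) (string, error) {
	// Cleaning a rooted path strips any leading "..", so it cannot climb above root.
	remaining := strings.Split(filepath.Clean("/"+unsafePath), "/")
	rel := "" // resolved path so far, relative to root
	for hops := 0; len(remaining) > 0; {
		part := remaining[0]
		remaining = remaining[1:]
		if part == "" || part == "." {
			continue
		}
		candidate := filepath.Join(rel, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil && !errors.Is(err, os.ErrNotExist) { // missing components are fine
			return "", err
		}
		if err == nil && fi.Mode()&os.ModeSymlink != 0 {
			if hops++; hops > 255 {
				return "", ErrTooManyLinks
			}
			target, err := os.Readlink(filepath.Join(root, candidate))
			if err != nil {
				return "", err
			}
			if !filepath.IsAbs(target) { // relative links resolve from the link's directory
				target = filepath.Join(rel, target)
			}
			// Re-root the target: "/" means the container root, never the host's.
			remaining = append(strings.Split(filepath.Clean("/"+target), "/"), remaining...)
			rel = ""
			continue
		}
		rel = candidate
	}
	return filepath.Join(root, rel), nil
}
```

With a root whose `etc` entry is a symlink to `/`, `JoinInRoot(root, "etc/passwd")` yields `<root>/passwd`, whereas `filepath.Join(root, "etc", "passwd")` opens the host's `/etc/passwd` through the link.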
@mtrmac
Collaborator Author

mtrmac commented Oct 21, 2024

@Honny1 @kolyshkin @giuseppe PTAL, this is necessary to unblock c/image CI. (Alternatives: tag a release of c/storage from main; test c/image against a frozen version of Skopeo which hasn’t updated to 1.55.1.)

Member

@Honny1 Honny1 left a comment

LGTM

Member

@giuseppe giuseppe left a comment

/lgtm

Contributor

openshift-ci bot commented Oct 21, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: giuseppe, Honny1, mtrmac

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mtrmac
Collaborator Author

mtrmac commented Oct 23, 2024

Please merge, c/image CI is broken now.

@giuseppe giuseppe merged commit 717b332 into containers:main Oct 23, 2024
19 of 20 checks passed
@mtrmac mtrmac deleted the merge-branch branch October 23, 2024 20:04
mtrmac added a commit to mtrmac/image that referenced this pull request Oct 23, 2024
This makes the declared version larger than 1.55.1, so that the Skopeo test
does not downgrade to 1.55.1 from a branch. That branch is missing an API
we now depend on, so c/image CI is failing; this should fix that.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Collaborator Author

mtrmac commented Oct 23, 2024

Thanks!

C/image user: containers/image#2610

mtrmac added a commit to containers/image that referenced this pull request Oct 23, 2024