Merge the release-1.55 branch into main #2143
fix the detection for the maximum userns size from an image. If the maximum ID used in an image is X, we need to use a user namespace with size X+1 to include UID=X. Closes: containers#2104 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the alpine image defines a "nogroup":

$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:

ignore it as we are already doing for the "nobody" user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We need to read /etc/passwd and /etc/group in the container to get an idea of how many UIDs and GIDs we need to allocate for a user namespace when `--userns=auto` is specified. We were forming paths for these using filepath.Join, which is not safe for paths within a container, resulting in this CVE allowing crafted symlinks in the container to access paths on the host instead. Addresses CVE-2024-9676 Signed-off-by: Matt Heon <mheon@redhat.com>
Matches what we're compiling with. Signed-off-by: Matt Heon <mheon@redhat.com>
…ase155 [release-1.55] backport fix for CVE-2026-9676
Bump the version identifier to v1.55.1 so that we can tag a new release. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Bump the version to v1.55.1
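As an added illustration of the CVE-2024-9676 commit message above (example code written for this page, not the project's own fix), the snippet below contrasts the purely lexical filepath.Join that the commit describes with a component-wise join that re-roots every symlink target under the container root, in the spirit of filepath-securejoin but on the standard library only. The fixture directory, the fake host file and its contents, and the names safeJoin and buildFixture are constructed for the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves rel inside root one component at a time, re-rooting every
// symlink target under root (filepath-securejoin's idea, standard library only).
func safeJoin(root, rel string) (string, error) {
	resolved, hops := "/", 0
	remaining := strings.TrimPrefix(filepath.Clean("/"+rel), "/")
	for remaining != "" {
		comp, rest, _ := strings.Cut(remaining, "/")
		candidate := filepath.Join(resolved, comp)
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil { // not a symlink (or missing): accept the component
			resolved, remaining = candidate, rest
			continue
		}
		if hops++; hops > 255 { // a link pointing at itself would otherwise spin forever
			return "", errors.New("too many symlink hops")
		}
		if !filepath.IsAbs(target) { // relative links resolve from the link's own directory
			target = filepath.Join(resolved, target)
		}
		// Restart from the container's "/" with the rooted target: Join cleans it
		// lexically, so a leading "../" can never climb above root.
		resolved, remaining = "/", strings.TrimPrefix(filepath.Join(target, rest), "/")
	}
	return filepath.Join(root, resolved), nil
}

// buildFixture creates a constructed container root whose /etc/passwd is a
// symlink to an absolute path outside it, standing in for a file on the host.
// A plain filepath.Join(root, "etc/passwd") followed by ReadFile reads that file.
func buildFixture() (root, hostFile string, err error) {
	base, err := os.MkdirTemp("", "userns-demo")
	if err != nil {
		return "", "", err
	}
	root, hostFile = filepath.Join(base, "rootfs"), filepath.Join(base, "host-passwd")
	return root, hostFile, errors.Join( // calls are evaluated left to right
		os.MkdirAll(filepath.Join(root, "etc"), 0o755),
		os.WriteFile(hostFile, []byte("root:x:0:0::/root:/bin/sh\n"), 0o600),
		os.Symlink(hostFile, filepath.Join(root, "etc", "passwd")))
}
```

With the fixture in place, os.ReadFile(filepath.Join(root, "etc/passwd")) returns the host file's bytes, while safeJoin(root, "etc/passwd") yields a path that stays below root (and does not exist there), which is the behaviour the fix needs.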
@Honny1 @kolyshkin @giuseppe PTAL, this is necessary to unblock c/image CI. (Alternatives: tag a release of c/storage from
LGTM
/lgtm
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: giuseppe, Honny1, mtrmac. The full list of commands accepted by this bot can be found here.
Please merge, c/image CI is broken now.
This makes the declared version larger than 1.55.1, so that the Skopeo test does not downgrade to 1.55.1 from a branch. That branch is missing an API we now depend on, so c/image CI is failing; this should fix that. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Thanks! C/image user: containers/image#2610
Update c/storage after containers/storage#2143
Go tools use commit parent links to determine ordering.

Without a merge like this, commits on main, e.g. v1.55.1-0.20241002203117-0eb3a0231575, look “behind” v1.55.1, and Go tools “upgrade” to the branch, losing new features and breaking builds: https://cirrus-ci.com/build/6713959498121216 (Skopeo uses v1.55.1, c/image uses a commit from main, and combining the two uses the tagged release.)

So, add a merge commit to express the “is-later-than” relationship; afterwards, c/image will need to update to a commit which includes this merge, and Go tooling will again do the right thing.