Conversation

@jamie-albert
Member

Summary

Fixes GHSA-r6j8-c6r2-37rr (CVE-2025-13281) by cherry-picking upstream security fixes.

Changes

  • Epoch: 6 → 7
  • Cherry-picked commits:
    1. 2edb740e03b22a619e832176ba0d4c30ba1f9f92: fix CVE-2025-5187
    2. fbbab741296e295136f60d1de5996ad7a9e90d02: fix CVE-2025-13281

Upstream Commits

Source: kubernetes-sigs/sig-storage-local-static-provisioner

Verification

After rebuild, the cherry-picked security fixes will be applied to resolve the vulnerability.

References

@octo-sts
Contributor

octo-sts bot commented Dec 23, 2025

🔄 Build Failed: Git Checkout Error

fatal: couldn't find remote ref main

Build Details

Build System: melange
Failure Point: git-checkout step during cherry-pick operation - git fetch --unshallow origin main:main

Root Cause Analysis 🔍

The git checkout step failed when attempting to fetch the 'main' branch from the remote repository for cherry-pick operations. The remote repository does not have a 'main' branch reference, but the build configuration expects to apply cherry-picks from commits on the main branch (2edb740e03b22a619e832176ba0d4c30ba1f9f92 and fbbab741296e295136f60d1de5996ad7a9e90d02). This is likely due to the repository using a different default branch name (such as 'master') or the branch not existing at all.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: local-static-provisioner.yaml

  • modification at line 26-27 (pipeline git-checkout cherry-picks section)
    Original:
        main/2edb740e03b22a619e832176ba0d4c30ba1f9f92: fix CVE-2025-5187
        main/fbbab741296e295136f60d1de5996ad7a9e90d02: fix CVE-2025-13281

Replacement:

        2edb740e03b22a619e832176ba0d4c30ba1f9f92/main: fix CVE-2025-5187
        fbbab741296e295136f60d1de5996ad7a9e90d02/main: fix CVE-2025-13281

Content:

Change cherry-pick format from 'main/commit' to 'commit/main' to match the expected format for branch references in cherry-pick operations

Analysis

The similar fixes show a clear pattern: both failures involved incorrect branch references in cherry-pick configurations. In Fix Example #0, the issue was resolved by changing the cherry-pick format from "adf3c7c0f76702246a9306fc60924984c2d9042e/main" to "main/adf3c7c0f76702246a9306fc60924984c2d9042e". In Fix Example #1, the cherry-pick configuration was completely removed when upgrading the package version. The root cause in both cases was that the git checkout step failed to find the specified branch reference ('main' or 'master') in the remote repository.

Explanation

The current build failure occurs because the git checkout step cannot find the 'main' branch when trying to apply cherry-picks. Based on the similar fixes, the issue is with the cherry-pick format. The current format 'main/commit' is being interpreted as trying to fetch a branch called 'main', but the correct format should be 'commit/main' where the commit hash comes first followed by the branch reference. This matches the pattern seen in Fix Example #0 where the format was corrected from 'commit/main' to 'main/commit' (the reverse of our current issue). The kubernetes-sigs/sig-storage-local-static-provisioner repository likely uses 'main' as its default branch, but the cherry-pick syntax needs the commit hash first to properly identify the specific commit to apply.

Alternative Approaches

  • Remove the cherry-picks entirely and apply the CVE fixes as patch files similar to how it was done in some historical examples
  • Update to a newer version that already includes these CVE fixes, eliminating the need for cherry-picks
  • Verify the actual default branch name of the repository and use that instead of 'main' if it differs

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 23, 2025
Signed-off-by: jamie-albert <jamie.albert@chainguard.dev>
@jamie-albert
Member Author

Closing PR - cherry-picks do not apply cleanly. Creating pending-upstream-fix advisory instead.
