[release-1.51] Use newer release of securejoin package to secure userns paths#2208
Merged
TomSweeneyRedHat merged 1 commit intocontainers:release-1.51from Jan 14, 2025
Conversation
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
kwilczynski
changed the title
kwilczynski
changed the title
Member
Author
|
/cc @mheon |
Member
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, kwilczynski The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Member
|
/lgtm |
kwilczynski
deleted the
feature/use-latest-securejoin-for-release-1.51
branch
This was referenced Jan 15, 2025
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The backport to release 1.51 brought about implementation of a fix to the CVE-2024-9676 / GHSA-wq2p-5pc6-wpgf that while deemed sufficient wasn't completely secure as there are potential side effects to it that would need to be fixed as identified by @cyphar. The alternative fix would also involve a hand-rolled implementation, which might or might not be sufficient.
However, while discussing a possible way forward, it has become apparent that the latest available implementation within the securejoin package would be the preferred one anyway. The only reason why we were unable to use it was Go version compatibility issue—a too-new Go version was required for some ancillary changes, not the core implementation, and thus, the package could not be used.
That said, as part of some valiant effort, @cyphar was able to remove the blocker that prevented us from using a newer release of securejoin package with an older version of Go.
Thus, as there are no more reasons not to, update to the supported release of the securejoin package, which allows us to use the more secure implementation of the
secureOpen()helper as seen in more modern releases.Related: