
Conversation


@octo-sts octo-sts bot commented Jan 12, 2026

undock/0.11.0-r1: fix GHSA-cgrx-mc8f-2prm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/undock.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/crazy-max/undock@v0.11.0


octo-sts bot commented Jan 12, 2026

🛑 Build Failed: Compilation

undefined: securejoin.OpenInRoot and undefined: securejoin.Reopen in vendor/go.podman.io/storage/userns.go

Build Details

Category        Details
Build System    go
Failure Point   go/build step - compilation of vendor/go.podman.io/storage/userns.go

Root Cause Analysis 🔍

Missing or incompatible securejoin package dependency. The go.podman.io/storage package is trying to use securejoin.OpenInRoot and securejoin.Reopen functions that are not available, likely due to a version mismatch or missing dependency after the go/bump step updated packages.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: undock.yaml

  • addition at line 25-28 (pipeline go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/fulcio@v1.8.3
            github.com/opencontainers/selinux@v1.13.0

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/fulcio@v1.8.3
            github.com/opencontainers/selinux@v1.13.0
          replaces: |-
            github.com/cyphar/filepath-securejoin=github.com/cyphar/filepath-securejoin@v0.5.1

Content:

Add a replaces section to the go/bump step to pin the filepath-securejoin package to version v0.5.1

Analysis

The similar fixes reveal a consistent pattern: all three cases involved the same undefined functions (securejoin.OpenInRoot and securejoin.Reopen) in container storage packages. The fixes consistently involved adding a dependency replacement for github.com/cyphar/filepath-securejoin, pinning it to version v0.5.1. In two cases (podman), the fix was accomplished by adding a "replaces" section to the go/bump step, while in one case (buildah), the issue was resolved by removing the go/bump step entirely and updating to a newer upstream version that had compatible dependencies.


Explanation

This fix should work because the root cause is a version incompatibility with the filepath-securejoin package. The undefined functions securejoin.OpenInRoot and securejoin.Reopen are present in version v0.5.1 of the package but appear to be missing or have different signatures in newer versions. By adding the replaces directive to pin filepath-securejoin to v0.5.1, we ensure that the vendor/go.podman.io/storage/userns.go code will have access to the expected function signatures. This approach directly mirrors the successful fixes in the podman package examples, where the same replacement resolved identical compilation errors.


Alternative Approaches

  • Update to a newer version of undock (if available) that may have resolved this dependency conflict upstream, similar to the buildah fix
  • Remove the go/bump step entirely if the current vendored dependencies are compatible
  • Add additional dependency version pins for other related packages in the containers ecosystem to ensure full compatibility

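The triage step the bot's suggestion leaves implicit is to work out exactly which securejoin symbols the vendored tree needs and then confirm that the version you pin still exports them. The following is an added Go example written for this page; it is not code from this PR, from undock, from go.podman.io/storage or from filepath-securejoin. The `vendoredSample` source inside it is constructed to mirror the two calls named in the build error, not copied from the real userns.go, and `ImportedSymbols` is a name chosen here.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"sort"
	"strconv"
)

// vendoredSample is a constructed stand-in for the failing vendored file
// (vendor/go.podman.io/storage/userns.go). It is not the real file; it only
// reproduces the shape of the calls named in the build error, plus one call
// that has been in the package for much longer.
const vendoredSample = `package storage

import (
	"os"

	securejoin "github.com/cyphar/filepath-securejoin"
)

func openUnderRoot(root, unsafePath string) (*os.File, error) {
	h, err := securejoin.OpenInRoot(root, unsafePath)
	if err != nil {
		return nil, err
	}
	defer h.Close()
	return securejoin.Reopen(h, os.O_RDONLY)
}

func joined(root, unsafePath string) (string, error) {
	return securejoin.SecureJoin(root, unsafePath)
}
`

// ImportedSymbols parses one Go source file and returns the sorted,
// de-duplicated identifiers selected off the package imported as importPath,
// honouring whatever local alias the file gives it. Matching is by the
// qualifier's name only, so a local variable that shadows the package name
// would also be counted; that is acceptable for a build-failure triage tool.
func ImportedSymbols(src, importPath string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, parser.SkipObjectResolution)
	if err != nil {
		return nil, err
	}

	// Work out the name the file uses for the package: the explicit alias if
	// there is one, otherwise the last element of the import path. The latter
	// is only a heuristic (the real package name comes from its package
	// clause), which is why the sample above aliases it as "securejoin".
	local := ""
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil || p != importPath {
			continue
		}
		if imp.Name != nil {
			local = imp.Name.Name
		} else {
			local = path.Base(p)
		}
	}
	if local == "" {
		return nil, nil // package not imported by this file
	}

	seen := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == local {
				seen[sel.Sel.Name] = true
			}
		}
		return true
	})

	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	const mod = "github.com/cyphar/filepath-securejoin"
	syms, err := ImportedSymbols(vendoredSample, mod)
	if err != nil {
		panic(err)
	}
	fmt.Printf("symbols the vendored code needs from %s:\n", mod)
	for _, s := range syms {
		fmt.Println("  ", s)
	}
}
```

Run the same function over every file under vendor/go.podman.io/storage, then check the resulting names against the version the module graph actually selects: `go list -m -f '{{.Version}}{{with .Replace}} => {{.Version}}{{end}}' github.com/cyphar/filepath-securejoin` shows the effective version, and `go doc github.com/cyphar/filepath-securejoin OpenInRoot` fails if that version no longer exports the symbol. The plain Go toolchain equivalent of the suggested replaces line is `go mod edit -replace=github.com/cyphar/filepath-securejoin=github.com/cyphar/filepath-securejoin@v0.5.1` followed by `go mod tidy` and `go mod vendor`; how melange's go/bump pipeline maps `replaces:` onto those commands is assumed here, not stated on this page. One caveat before pinning a path-safety library backwards: confirm that the pinned release is not itself inside the affected range of the advisory this PR is remediating, which the page does not state.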

@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR cve-pr-closer/v2-adv-disagreement labels Jan 12, 2026

octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v4gx-5w7w-pqgp has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-v4gx-5w7w-pqgp
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/undock.advisories.yaml

ID:      CGA-v4gx-5w7w-pqgp
Package: undock
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 08:51:22 UTC
  - "pending-upstream-fix" at 2025-11-13 12:55:20 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-43vh-3w7c-3gxq, CGA-rx33-p3gc-rvm2).

@octo-sts octo-sts bot closed this Jan 12, 2026
@aborrero aborrero reopened this Jan 15, 2026

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v4gx-5w7w-pqgp has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-v4gx-5w7w-pqgp
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/undock.advisories.yaml

ID:      CGA-v4gx-5w7w-pqgp
Package: undock
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 08:51:22 UTC
  - "pending-upstream-fix" at 2025-11-13 12:55:20 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
@aborrero aborrero reopened this Jan 15, 2026

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-43vh-3w7c-3gxq has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-43vh-3w7c-3gxq

ID:      CGA-43vh-3w7c-3gxq
Package: undock
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm GO-2025-4098 CGA-6mg2-mjwq-xq6r
Events:
  - "DETECTION" at 2025-11-07 08:51:22 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-11-13 12:55:20 UTC
  - "PENDING_UPSTREAM_FIX" at 2026-01-15 11:46:26 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026