update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When analyzing a layer blob's contents, don't break if the blob has more
zeroes padding it out even after the tar reader thinks it's hit the end
of the archive.
Add more detail to the diagnostic error we print when there's a digest
or length mismatch, too, in case it's triggered by something other than
zero padding.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When comparing layer payloads during conformance tests, mask off any
file type bits that the tar headers in the layers might have included.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
The registry.centos.org service has been decommissioned. Update the
conformance test references to point into the static CI images under
the `quay.io/libpod` repositories.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
When container is created with specific uid and gid also add container
gid to supplementary/additional group.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Check that the inheritable capabilities are set to 0, even when we
explicitly try to add capabilities.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fixes: GHSA-c2h3-6mxw-7mvq
Vulnerable versions: >= 1.5.0, < 1.5.7
Patched version: 1.5.7
`Impact`
A bug was found in containerd where container root directories and
some plugins had insufficiently restricted permissions, allowing
otherwise unprivileged Linux users to traverse directory contents
and execute programs. When containers included executable programs
with extended permission bits (such as setuid), unprivileged Linux
users could discover and execute those programs. When the UID of
an unprivileged Linux user on the host collided with the file
owner or group inside a container, the unprivileged Linux user on
the host could discover, read, and modify those files.
`Patches`
This vulnerability has been fixed in containerd 1.4.11 and
containerd 1.5.7. Users should update to these version when they
are released and may restart containers or update directory
permissions to mitigate the vulnerability.
`Workarounds`
Limit access to the host to trusted users. Update directory
permission on container bundles directories.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
When we attempt to remove a directory to make way for a non-directory as
part of extracting content, use RemoveAll() instead of Remove().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking if something that we want to overwrite with a directory is
already a directory or not, use lstat instead of stat. If it's a
symbolic link, it's not a directory.
This is a subtle behavior change, but it's in line with docker build.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This follows a long-standing practice here and across other containers
projects. Over time, it's simply not worth developer/maintainer time to
debug old tests that may fail due to new/changing inputs. Reduce down
to the bare minimum of tasks to keep CI on life-support while the need
for backports remains possible but unlikely.
Signed-off-by: Chris Evich <cevich@redhat.com>
Bumping to v1.22.3. The v1.22.2 tag/release that was created was
created badly and is messing up go modules. Per @vrothberg, the
only fix is to bump the version and create a new release.
[NO TESTS NEEDED]
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Bump c/image to v5.15.2 in readiness for Podman v3.3 version dance.
[NO TESTS NEEDED]
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Bump c/storage to v1.34.1 for the release-1.22 branch
Also bump go to 1.16 in Makefile and .cirrus.yml
[NO TESTS NEEDED]
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Fix the CHANGELOG.md in the release-1.22 branch
as it had duplicate entries for the past few
releases within it.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
openshift-merge-bot[bot]
Nalin Dahyabhai
OpenShift Merge Robot
Aditya R
flouthoc
Chris Evich
Giuseppe Scrivano
Lokesh Mandvekar
TomSweeneyRedHat
openshift-ci[bot]
Daniel J Walsh