update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When analyzing a layer blob's contents, don't break if the blob has more
zeroes padding it out even after the tar reader thinks it's hit the end
of the archive.
Add more detail to the diagnostic error we print when there's a digest
or length mismatch, too, in case it's triggered by something other than
zero padding.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When comparing layer payloads during conformance tests, mask off any
file type bits that the tar headers in the layers might have included.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
The registry.centos.org service has been decommissioned. Update the
conformance test references to point into the static CI images under
the `quay.io/libpod` repositories.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
When a container is created with a specific uid and gid, also add the container
gid to the supplementary/additional groups.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191
Buildah doesn't seem to be directly affected as the logic in question
is not called.
golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Check that the inheritable capabilities are set to 0, even when we
explicitly try to add capabilities.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The kernel never sets the inheritable capabilities for a process; they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
github.com/modern-go/reflect2, pulled in by github.com/json-iterator/go,
which we use in multiple dependencies, wasn't compatible with Go 1.18
until v1.0.2, so we need to update from v1.0.1.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Fixes: GHSA-c2h3-6mxw-7mvq
Vulnerable versions: >= 1.5.0, < 1.5.7
Patched version: 1.5.7
`Impact`
A bug was found in containerd where container root directories and
some plugins had insufficiently restricted permissions, allowing
otherwise unprivileged Linux users to traverse directory contents
and execute programs. When containers included executable programs
with extended permission bits (such as setuid), unprivileged Linux
users could discover and execute those programs. When the UID of
an unprivileged Linux user on the host collided with the file
owner or group inside a container, the unprivileged Linux user on
the host could discover, read, and modify those files.
`Patches`
This vulnerability has been fixed in containerd 1.4.11 and
containerd 1.5.7. Users should update to these versions when they
are released and may restart containers or update directory
permissions to mitigate the vulnerability.
`Workarounds`
Limit access to the host to trusted users. Update directory
permissions on container bundle directories.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
When we attempt to remove a directory to make way for a non-directory as
part of extracting content, use RemoveAll() instead of Remove().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking if something that we want to overwrite with a directory is
already a directory or not, use lstat instead of stat. If it's a
symbolic link, it's not a directory.
This is a subtle behavior change, but it's in line with docker build.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
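An added Go example (not buildah's own code) of the two points in the commits above: deciding with Lstat rather than Stat whether the destination is really a directory, so a symlink to a directory is replaced instead of being followed, and clearing whatever is in the way with RemoveAll rather than Remove. The helper names and the root/real, root/link layout are assumptions made up for this example.

```go
package main

import "os"
import "path/filepath"

// isExistingDir reports whether path is already a real directory. Lstat does not
// follow symlinks, so a link to a directory counts as "not a directory" and is replaced.
func isExistingDir(path string) (bool, error) {
	fi, err := os.Lstat(path)
	if os.IsNotExist(err) {
		return false, nil
	}
	return err == nil && fi.IsDir(), err
}

// ensureDir makes path a real directory, clearing any file or symlink in the way.
// RemoveAll (not Remove) also succeeds when the obstruction has contents; on a
// symlink it deletes only the link, never what the link points to.
func ensureDir(path string, mode os.FileMode) error {
	isDir, err := isExistingDir(path)
	if err != nil || isDir {
		return err
	}
	if err := os.RemoveAll(path); err != nil {
		return err
	}
	return os.Mkdir(path, mode)
}

// compareStatLstat builds root/real/keep and root/link -> real (a layout
// constructed only for this example) and reports what Stat and the
// Lstat-based check each say about root/link.
func compareStatLstat(root string) (statDir, lstatDir bool, err error) {
	if err = os.MkdirAll(filepath.Join(root, "real", "keep"), 0o755); err != nil {
		return
	}
	link := filepath.Join(root, "link")
	if err = os.Symlink("real", link); err != nil {
		return
	}
	fi, err := os.Stat(link) // follows the link and sees the target directory
	if err != nil {
		return
	}
	statDir = fi.IsDir()
	lstatDir, err = isExistingDir(link)
	return
}
```

With the Stat-based check the symlink would have been left in place and the extracted contents would have landed inside root/real; with the Lstat-based check the link itself is removed and root/real is untouched.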
This follows a long-standing practice here and across other containers
projects. Over time, it's simply not worth developer/maintainer time to
debug old tests that may fail due to new/changing inputs. Reduce down
to the bare minimum of tasks to keep CI on life-support while the need
for backports remains possible but unlikely.
Signed-off-by: Chris Evich <cevich@redhat.com>
* Change DEST_BRANCH in .cirrus.yml from main to release-1.23
* Set GITVALIDATE_EPOCH for validation to the release-1.23 branch point
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>