[release-1.26] Fix CVE-2025-47913 with x/crypto + minimum go bump#6813
[release-1.26] Fix CVE-2025-47913 with x/crypto + minimum go bump#6813cevich wants to merge 8 commits intocontainers:release-1.26from
Conversation
dosubot
Bot
added
the
size:S
cevich
force-pushed
the
fix_crypto_cve
branch
2 times, most recently
from
2ddbdb2 to
e5f3af4
Compare
dosubot
Bot
added
size:M
nalind
left a comment
nalind
left a comment
There was a problem hiding this comment.
#6678 may help with one of the errors we're seeing in the unit tests.
#6271 and #6674 should help with one of the errors we're seeing in integration tests.
Some of the changes from https://github.com/containers/buildah/pull/4610/changes#diff-dcdc10b43f652991a881c6d816518d2f1b52fe22f34abb9103f90528dff35a68 appear to be indicated for errors we're seeing in conformance tests.
| go 1.24.0 | ||
|
|
||
| toolchain go1.22.8 | ||
| toolchain go1.24.10 |
There was a problem hiding this comment.
Given that we try to avoid having this line pop up in later branches, I'm surprised to see it here.
There was a problem hiding this comment.
...may help...
Thanks so much for all the pointers! I'll get started tracking them down and applying.
edit: Fixed- All backported, and w/ selections from fa145b0
...avoid having this line...
I won't pretend to understand why, but I tried removing it then make vendor just adds it back in 😞
IIRC, there might be an environment variable that controls it? If so, I'd hazard to guess I'm not setting it 😁 Sounds like I should?
Edit: Fixed - manually removed line and now it's not re-appearing, so 🤷
FWIW, results from running system tests on RHEL (I haven't looked at them yet for comparison).
There was a problem hiding this comment.
Try setting "go 1.24.10" in go.mod ("go mod edit -go=1.24.10" should also work). make vendor-in-container shouldn't reintroduce a "toolchain" directive then.
There seem to be a few missing test helper binaries in the installed buildah-tests package (buildah-inet, buildah-dumpspec, buildah-tutorial) and a missing "DUMPSPEC_BINARY=/usr/bin/buildah-dumpspec" in the gating environment. I don't see the corresponding .spec file in the source tree, though, so I'm not sure what to suggest.
Does the gating test environment have "crun" installed? Or a version that doesn't recognize a "--debug" flag?
The SELinux test in the gating environment may need #2125.
There was a problem hiding this comment.
Try setting
I hand edited it then ran make vendor-in-container and it did not re-add the toolchain directive, so I'm not sure why I was struggling with it before.
There seem to be a few missing test helper binaries
Yes (and good catch). This unfortunately has been a problem across multiple releases. We've got issues open on it, and I've already got the specfile fixes in place for this version.
Does the gating test environment have "crun" installed?
Ahh! Another good catch, indeed it's unspecified so may not have been installed. I've fixed this so it's explicit now.
The SELinux test in the gating environment
Thanks for the pointer, we see this for other releases as well but have been ignoring it. I wasn't aware it had a fix. I'll add a reference to our notes for the other releases, and cherry-pick the fix here.
There was a problem hiding this comment.
The cherry-pick from 595af50 appears to have pulled in unit tests that weren't in the original commit.
There was a problem hiding this comment.
Yeah I generally default to --theirs to make future backports easier but it may have caused more trouble here than it resolved. I'll come back and strip out the tag-a-longs if this continues to be the case.
There was a problem hiding this comment.
The "extra" tests seem to be passing fine, though the copier TestGetSingleChroot still seems to be flaking on broken pipes. I'm fine with re-running or ignoring this as it seems to be a test bug not a buildah bug(?).
Resolves https://issues.redhat.com/browse/RHEL-134784 Resolves https://issues.redhat.com/browse/RHEL-168611 Also bump CI image to gain access to (required) golang 1.24. Drop updates to the build-push image as it hasn't been used in this repo for years and causes CI jobs to fail. [NO NEW TESTS NEEDED] Signed-off-by: Chris Evich <cevich@redhat.com>
cevich
force-pushed
the
fix_crypto_cve
branch
2 times, most recently
from
8c75f09 to
7107680
Compare
cevich
force-pushed
the
fix_crypto_cve
branch
2 times, most recently
from
fc1623e to
87251b5
Compare
|
Ugh now that the conformance tests are running, they're throwing:
This is surprising given I've updated the environment to Debian 14 😕 Or is this some client version buildah is reporting? I'm confused. |
That's the conformance test client's half of the API version negotiation not matching up with what the docker daemon is offering. 8d6f3fc is what we used on main. |
Ensure sockets are also disabled, and guarantee that /etc/resolved.conf symlink is removed/replaced by the file. Signed-off-by: Chris Evich <cevich@redhat.com>
Cherry-picking that didn't seem to result in any conformance test change. Could it be that the vendored code is "too old"? |
|
Answering my own question: "Yes", it seems an upgrade of I'm informed another way around this is to set |
cevich
force-pushed
the
fix_crypto_cve
branch
2 times, most recently
from
4e5a315 to
9108f9a
Compare
|
Ugh, I tried, but no matter where I I tried 8d6f3fc but as stated above, this won't work without a bump to the docker module version. Just now I've made an attempt at updating the ci vm images to support golang 1.25, bumped the docker module etc, but gave up. It really just wants to snowball into bigger and bigger changes, so this seems like a dead-end. The goal of this PR is just to update the x/crypto module version. The targeted version of RHEL goes EOL at the end of May, and the CI system shuts down completely in June. So I really don't care to waste more time grinding away at this CI-only problem. I'm going to simply disable the conformance tests, and then we 🤞 nothing in the next month or so would benefit from them... |
The conformance tests also use containers/image to read images in the docker daemon, and that would negotiate with, at the latest, the version that the corresponding docker client libraries listed as the most recent, which is 1.43 in the current tree, so that's not going to work so well. As you've noted, you'd have to update to 25.x to get something that claimed to be 1.44 or later. |
Ahh, I vaguely remember seeing other erors about an even older unsupported client, so that's probably the explanation there. Yeah, I don't see any practical way around this. Though I'll be open to suggestions tomorrow once my blood pressure goes back down 😁 |
dosubot
Bot
added
size:L
|
@nalind @TomSweeneyRedHat PTAL when you get a chance. Note: Validate is likely broken due to use of EOL OS. |
Indeed I don't see it listed at https://github.com/actions/runner-images. FWIW the version of |
Later versions of dockerd relaxed this minimum down to 1.40, but if that's not an option, a echo '{"min-api-version":"1.40"}' > /etc/docker/daemon.jsonbefore the daemon starts might override the requirement on its end. |
| sort.Strings(matches) | ||
| return matches, nil | ||
| } | ||
|
|
There was a problem hiding this comment.
If we update, this should be dropped from the backport.
There was a problem hiding this comment.
I'm assuming you're meaning drop this entire function along with TestSortedExtendedGlob() in copier_test.go 👍
Fix race condition where tar.Reader returns EOF after reading the standard EOF marker (two 512-byte null blocks) but before consuming trailing null bytes that many tar implementations add. This caused the copier subprocess to exit early, resulting in EPIPE errors when the sender tried to write remaining data. Fixes: containers#6573 Signed-off-by: Jan Rodák <hony.com@seznam.cz> (cherry picked from commit 595af50) Signed-off-by: Chris Evich <cevich@redhat.com>
Update "the bud with --cpu-shares" test to expect the a cgroupsv2 value computed using either the older formula or the newer one introduced in github.com/opencontainers/cgroups v0.0.3, and give it a unique name so that it can be selected more easily with bats's "--filter" flag. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (cherry picked from commit 16c0bda) Signed-off-by: Chris Evich <cevich@redhat.com>
Update the weights expected in the "from cpu-shares test" test to account for both the old way that runtimes would convert from cgroupsv1 cpu shares to cgroupsv2 cpu weights, and the new way, catching it up with the "bud with --cpu-shares, checked" test, which will now also check with a few different values. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (cherry picked from commit 17e30d5) Signed-off-by: Chris Evich <cevich@redhat.com>
See issue containers#4639 (cherry picked from commit fa145b0) Signed-off-by: Chris Evich <cevich@redhat.com>
Depending on the test execution environment, there are two acceptable values for role. Match both of them to tollerate both environments. Ref: containers#2125 Signed-off-by: Chris Evich <cevich@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
dosubot
Bot
added
size:M
|
Force push:
|
|
Looks like the DOCKER_API_VERSION environment variable is still going to be needed for the go-dockerclient bits in the conformance tests. |
3 participants
What type of PR is this?
/kind other
What this PR does / why we need it:
Resolves https://issues.redhat.com/browse/RHEL-134784
Resolves https://issues.redhat.com/browse/RHEL-168611
Also bump CI image to gain access to (required) golang 1.24.
How to verify it
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?