volume,container: chroot to source before exporting content
#17528
Conversation
openshift-ci
bot
added
release-note
approved
|
Please mention CVE Number in the commit message and release notes. |
|
And the BZ number(s) please. |
flouthoc
force-pushed
the
volume-security-patch
branch
from
7ecfb53 to
41c2cae
Compare
* Utils must support higher level API to create Tar with chrooted into directory * Volume export: use TarwithChroot instead of Tar so we can make sure no symlink can be exported by tar if it exists outside of the source directory. * container export: use chroot and Tar instead of Tar so we can make sure no symlink can be exported by tar if it exists outside of the mointPoint. [NO NEW TESTS NEEDED] [NO TESTS NEEDED] Race needs combination of external/in-container mechanism which is hard to repro in CI. Closes: BZ:#2168256 CVE: https://access.redhat.com/security/cve/CVE-2023-0778 Signed-off-by: Aditya R <[email protected]>
flouthoc
force-pushed
the
volume-security-patch
branch
from
41c2cae to
6ca857f
Compare
|
LGTM |
|
LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc, giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm Complete list of cherry-pick branches: |
openshift-ci
bot
added
the
do-not-merge/hold
|
@ashley-cui We're going to need a new upstream release off v4.4 today or tomorrow to get this landed. |
|
Actually, scratch v3.0.1-rhel - the feature hadn't landed by then. |
|
And FWIW @ashley-cui best case scenario is to get the next spin of v4.4 completed by COB today, so we can have Jindrich build a test module overnight and get it into QE's hands early Friday afternoon their time. But, don't kill yourself for that, tomorrow would be OK if push came to shove. |
|
@flouthoc can you spin up a PR in the 4.4.1-rhel branch please? |
|
@TomSweeneyRedHat I'll spin it up as soon as this PR merges and is cherry-picked into the v4.4 branch :) |
|
@TomSweeneyRedHat @ashley-cui We don't do releases for RHEL. v4.4 is upstream - we're doing a v4.4.2 to get a release out to Fedora & Co. as soon as possible. Having the commit in v4.4.1 is sufficient. |
|
Speaking of... /cherry-pick v4.4.1-rhel |
|
@mheon: once the present PR merges, I will cherry-pick it on top of v4.4.1-rhel in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@mheon: #17528 failed to apply on top of branch "v4.4.1-rhel": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mheon: #17528 failed to apply on top of branch "v4.4": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mheon: #17528 failed to apply on top of branch "v4.0-rhel": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Looks like this needs to be manually cherry-picked as it doesn't apply cleanly :( |
|
Import differences, eugh. I'll take it. |
|
TY, TY @mheon |
[v4.0-rhel] Backport #17528
Backport #17528 to v4.4
[v4.4.1-rhel] Backport #17528
NVD shows only redhat links and does not mention fixed-in release se these CVEs will show-up in reports indefinitely. They are already fixed in current version, so ignore them. CVE-2022-2989 * GHSA-4wjj-jwc9-2x96 * containers/podman#15618 * commit d82a41687e614d9ac8b2d169dee47fe226835e4c Add container GID to additional groups CVE-2023-0778 * GHSA-qwqv-rqgf-8qh8 * containers/podman#17528 * commit 6ca857feb07a5fdc96fd947afef03916291673d8 volume,container: chroot to source before exporting content Signed-off-by: Peter Marko <[email protected]>
github-actions
bot
added
the
locked - please file new issue/PR
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Race needs combination of external/in-container mechanism which is hard to repro in CI.
See: https://access.redhat.com/security/cve/CVE-2023-0778
Closes BZ:#2168256
Does this PR introduce a user-facing change?