Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport #17528 to v4.4 #17532

Merged
merged 1 commit into from
Feb 17, 2023
Merged

Conversation

mheon
Copy link
Member

@mheon mheon commented Feb 16, 2023

Backport #17528 to v4.4

CVE: https://access.redhat.com/security/cve/CVE-2023-0778

<MH: Cherry-pick to v4.4>

Does this PR introduce a user-facing change?

NONE

* Utils must support higher level API to create Tar with chrooted into
  directory
* Volume export: use TarwithChroot instead of Tar so we can make sure no
  symlink can be exported by tar if it exists outside of the source
directory.
* container export: use chroot and Tar instead of Tar so we can make sure no
  symlink can be exported by tar if it exists outside of the mointPoint.

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Race needs combination of external/in-container mechanism which is hard to repro in CI.

Closes: BZ:#2168256
CVE: https://access.redhat.com/security/cve/CVE-2023-0778

Signed-off-by: Aditya R <[email protected]>

<MH: Cherry-pick to v4.4>

Signed-off-by: Matt Heon <[email protected]>
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 16, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 16, 2023
Copy link
Member

@ashley-cui ashley-cui left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Feb 16, 2023
@TomSweeneyRedHat
Copy link
Member

LGTM
tests are all kinds of unhappy here too, will rerun

@ashley-cui
Copy link
Member

Needs a rebase for happy CI @mheon

@ashley-cui
Copy link
Member

Just kidding! looks like CI is back online :)

@ashley-cui
Copy link
Member

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 17, 2023
@openshift-merge-robot openshift-merge-robot merged commit f17495e into containers:v4.4 Feb 17, 2023
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 9, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 9, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note-none
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants