[Buildroot] [git commit] package/containerd: security bump to version 1.5.11
Peter Korsgaard
peter at korsgaard.com
Mon Apr 11 19:02:42 UTC 2022
>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:
Hi,
> On 11/04/2022 14:28, Marcus Hoffmann wrote:
>> Hi Peter,
>> On 05.04.22 19:28, Peter Korsgaard wrote:
>>> commit:
>>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
>>>
>>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
>>>
>>> Fixes the following security issues:
>>>
>>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
>>>
>>> - CVE-2022-24769: Default inheritable capabilities for linux container
>>> should be empty
>>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
>>>
>>> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
>>> ---
>>> package/containerd/containerd.hash | 2 +-
>>> package/containerd/containerd.mk | 2 +-
>>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/package/containerd/containerd.hash
>>> b/package/containerd/containerd.hash
>>> index d5aafe2e70..23dacded88 100644
>>> --- a/package/containerd/containerd.hash
>>> +++ b/package/containerd/containerd.hash
>>> @@ -1,3 +1,3 @@
>>> # Computed locally
>>> -sha256
>>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
>>> containerd-1.5.9.tar.gz
>>> +sha256
>>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>>> containerd-1.5.11.tar.gz
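Review bot: the `+sha256` line for `containerd-1.5.11.tar.gz` replaces one locally computed value with another under the unchanged `# Computed locally` comment, so a reviewer has nothing to reproduce it against, and the reply below reports a different sha256 for the same file name. The hunk should record where the tarball was fetched from (the exact download URL, or an upstream-published checksum if containerd provides one) so that the two values can be checked against a source rather than only against each other. The diffstat also lists `package/containerd/containerd.mk`, but that hunk is not part of the quoted excerpt.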
>> I get a different hash for this download, both within buildroot as
>> well as downloading the file manually from github:
>> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
>> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>> ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
>> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
>>
>> Did the file change in the meantime or did something else go wrong here?
> It also goes wrong in the autobuilders (this one on master, before I
> merged the bump to 1.6.2) [1]
>> Should I send a patch changing the hash to
>> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?
> Let's first allow Peter to check what exactly went wrong. He should
> have a local download with the hash he pushed so he can compare what
> changed.
> I looked at the github repo, and it says that it was tagged on March
> 24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like
> they updated the tag.
Funky, I do indeed have the old hash here:
sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz
6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 /var/lib/downloads/containerd/containerd-1.5.11.tar.gz
02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 containerd-1.5.11.tar.gz
Extracting the tarballs, I see the following diff:
diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go
--- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100
+++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100
@@ -55,7 +55,7 @@ var (
// NOTE: The $Format strings are replaced during 'git archive' thanks to the
// companion .gitattributes file containing 'export-subst' in this same
// directory. See also https://git-scm.com/docs/gitattributes
- gitVersion string = "v0.0.0-master+3df54a85234"
+ gitVersion string = "v0.0.0-master+3df54a8523"
gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD)
gitTreeState string = "" // state of git tree, either "clean" or "dirty"
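Review bot: the only change between the two extracted trees is the trailing hex digit of `gitVersion` (`3df54a85234` against `3df54a8523`); both values are prefixes of the unchanged `gitCommit` line `3df54a852345ae127d1fa3092b95168e4a88e2f8`, and both file headers carry the same timestamp, so the two archives come from the same commit and differ only in how the abbreviated hash was expanded. The context comment states that these strings are substituted at `git archive` time rather than stored in the repository, which is why a checksum over such a generated archive is not a stable fingerprint of the source: a `# Computed locally` hash is reproducible only for the exact archive that was downloaded. A mismatch of this kind is distinguishable from tampering by doing exactly what was done here, confirming that the differing bytes are confined to the substituted field.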
So the gitVersion field lost a digit. No idea how this could
happen. Looking at the file in the git repo I see that this is listed
as:
gitVersion string = "v0.0.0-master+$Format:%H$"
gitCommit string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)
https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go
So I guess something in github is wrongly expanding this $Format?
--
Bye, Peter Korsgaard
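The check Peter walks through above (hashing both downloads, extracting them, and diffing the trees to find which file changed) as a reusable POSIX shell function. This is an added example, not code from the thread or from Buildroot, and it assumes `sha256sum`, `tar`, `diff` and `mktemp` are available. `make_demo` builds two constructed archives that differ only in one trailing character of an embedded version string, so the function can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Buildroot. Reproduces the
# investigation above as a reusable function: hash two copies of a tarball,
# and if the hashes differ, extract both and list the files that changed.
# Assumes sha256sum, tar, diff and mktemp (coreutils/GNU tar or compatible).
set -eu

# tarball_diff A B
# Prints the sha256 of each archive. If they differ, extracts both and
# prints the paths whose contents differ. Returns 0 when the archives are
# byte-identical, 1 when they are not.
tarball_diff() {
    a="$1"
    b="$2"
    ha=$(sha256sum "$a" | cut -d' ' -f1)
    hb=$(sha256sum "$b" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$ha" "$a" "$hb" "$b"
    if [ "$ha" = "$hb" ]; then
        echo "archives are identical"
        return 0
    fi
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    tar -xf "$a" -C "$work/a"
    tar -xf "$b" -C "$work/b"
    # -r: recurse, -q: names only. A one-byte change is enough to be listed,
    # which is how a lost trailing digit in a version string shows up.
    echo "files that differ:"
    diff -rq "$work/a" "$work/b" || true
    rm -rf "$work"
    return 1
}

# Constructed demo input: two archives of the same tree whose only difference
# is one trailing hex digit in an embedded version string (the values are
# made up to mirror the base.go diff in the thread).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/src/pkg/version"
    printf 'gitVersion = "v0.0.0-master+3df54a85234"\n' > "$d/src/pkg/version/base.go"
    tar -cf "$d/one.tar" -C "$d" src
    printf 'gitVersion = "v0.0.0-master+3df54a8523"\n' > "$d/src/pkg/version/base.go"
    tar -cf "$d/two.tar" -C "$d" src
    echo "$d"
}

# Usage: demo=$(make_demo); tarball_diff "$demo/one.tar" "$demo/two.tar"
```

The function deliberately exits non-zero on any difference so it can gate a build step; the listing it prints is what tells a packager whether a changed checksum is confined to archive-time substituted fields or touches real source files.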