[Buildroot] [git commit] package/containerd: security bump to version 1.5.11

Peter Korsgaard peter at korsgaard.com
Mon Apr 11 19:02:42 UTC 2022


>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:

Hi,

 > On 11/04/2022 14:28, Marcus Hoffmann wrote:
 >> Hi Peter,
 >> On 05.04.22 19:28, Peter Korsgaard wrote:
 >>> commit:
 >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 
 >>> 
 >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
 >>> 
 >>> Fixes the following security issues:
 >>> 
 >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
 >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
 >>> 
 >>> - CVE-2022-24769: Default inheritable capabilities for linux container
 >>>    should be empty
 >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
 >>> 
 >>> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
 >>> ---
 >>>   package/containerd/containerd.hash | 2 +-
 >>>   package/containerd/containerd.mk   | 2 +-
 >>>   2 files changed, 2 insertions(+), 2 deletions(-)
 >>> 
 >>> diff --git a/package/containerd/containerd.hash
 >>> b/package/containerd/containerd.hash
 >>> index d5aafe2e70..23dacded88 100644
 >>> --- a/package/containerd/containerd.hash
 >>> +++ b/package/containerd/containerd.hash
 >>> @@ -1,3 +1,3 @@
 >>>   # Computed locally
 >>> -sha256 
 >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
 >>> containerd-1.5.9.tar.gz
 >>> +sha256 
 >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
 >>> containerd-1.5.11.tar.gz
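Review bot: the `+sha256` line pins 6a289406… for containerd-1.5.11.tar.gz, but the replies below show the same file name fetched later with hash 02b79d5e…, while the upstream tag was not moved. A source archive that the forge generates on the fly from a tag is not a stable artifact, so a hash that was `# Computed locally` against one download can stop matching without any upstream change; before pushing such a bump it is worth re-fetching the archive a second time and comparing, and stating in the commit message what the hash was computed from, so a later mismatch can be traced to a regenerated archive rather than suspected tampering.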
 >> I get a different hash for this download, both within buildroot as
 >> well as downloading the file manually from github:
 >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
 >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
 >> ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
 >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
 >> 
 >> Did the file change in the meantime or did something else go wrong here?

 >  It also goes wrong in the autobuilders (this one on master, before I
 >  merged the bump to 1.6.2) [1]

 >> Should send a patch changing the hash to
 >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?

 >  Let's first allow Peter to check what exactly went wrong. He should
 >  have a local download with the hash he pushed so he can compare what
 > changed.

 >  I looked at the github repo, and it says that it was tagged on March
 >  24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like
 > they updated the tag.

Funky, I do indeed have the old hash here:

sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz
6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  /var/lib/downloads/containerd/containerd-1.5.11.tar.gz
02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6  containerd-1.5.11.tar.gz

Extracting the tarballs, I see the following diff:

diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go
--- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
+++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
@@ -55,7 +55,7 @@ var (
        // NOTE: The $Format strings are replaced during 'git archive' thanks to the
        // companion .gitattributes file containing 'export-subst' in this same
        // directory.  See also https://git-scm.com/docs/gitattributes
-       gitVersion   string = "v0.0.0-master+3df54a85234"
+       gitVersion   string = "v0.0.0-master+3df54a8523"
        gitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD)
        gitTreeState string = ""            // state of git tree, either "clean" or "dirty"
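Review bot: the only change in this hunk is that `gitVersion` loses the final `4` of its abbreviated commit id (11 hex digits in the local copy versus 10 in the re-fetched one), while `gitCommit` on the following line keeps the full 40-digit sha1 unchanged in both. That pattern is consistent with the short-form placeholder in gitVersion being expanded by `git archive` using git's auto-scaled abbreviation length, which grows with the number of objects in the repository, so two archives generated from the same tag at different times can differ by one character here and nowhere else; the fix on the Buildroot side is the hash update already proposed in the thread, not a change to the vendored file.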

So the gitVersion field lost a digit. No idea how this could
happen. Looking at the file in the git repo I see that this is listed
as:

	gitVersion   string = "v0.0.0-master+$Format:%H$"
	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)

https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go

So I guess something in github is wrongly expanding this $Format?

-- 
Bye, Peter Korsgaard
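The manual investigation above (sha256sum of both copies, extract, diff -urpN) as a small script, added here as an example and not part of this thread or of Buildroot's download infrastructure: it builds two constructed in-memory tar.gz archives that differ only in the gitVersion line of a vendored base.go, applies the same expected-hash check that Buildroot's download step applies, and, on mismatch, reports which members differ and how. The archive layout, member paths and file contents are constructed for the example; only the abbreviated commit strings are taken from the thread, and the function names are this example's own.

```python
"""Locate what differs between two tarballs that share a name but not a hash.

Added example, not code from the Buildroot thread or from containerd.
All archive contents below are constructed; the only values taken from
the thread are the two abbreviated commit ids in gitVersion.
"""
import difflib
import gzip
import hashlib
import io
import tarfile

# Constructed path and contents standing in for the vendored base.go.
GO_PATH = "containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go"
BASE_GO_A = (
    b"package version\n"
    b"var (\n"
    b'\tgitVersion   string = "v0.0.0-master+3df54a85234"\n'
    b'\tgitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8"\n'
    b")\n"
)
# Same file with the abbreviated id one character shorter, as in the thread.
# Only the gitVersion literal matches this pattern; gitCommit is untouched.
BASE_GO_B = BASE_GO_A.replace(b'3df54a85234"', b'3df54a8523"')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes, expected_sha256: str) -> bool:
    """The check Buildroot's download step performs: accept only a file whose
    sha256 equals the value recorded in the package .hash file."""
    return sha256_hex(data) == expected_sha256


def make_targz(members: dict) -> bytes:
    """Build a gzip-compressed tar from {path: bytes}.

    Fixed gzip/tar timestamps make the output deterministic, so two archives
    hash identically if and only if their member contents are identical."""
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, content in sorted(members.items()):
                info = tarfile.TarInfo(path)
                info.size = len(content)
                info.mtime = 1648080582  # constructed fixed timestamp
                tar.addfile(info, io.BytesIO(content))
    return raw.getvalue()


def tar_members(data: bytes) -> dict:
    """Read {path: bytes} for every regular file in a tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def diff_tarballs(a: bytes, b: bytes) -> dict:
    """Return {path: description} for members that differ between a and b:
    a unified diff for text members, a marker for binary or one-sided ones."""
    ma, mb = tar_members(a), tar_members(b)
    report = {}
    for path in sorted(set(ma) | set(mb)):
        if path not in ma:
            report[path] = "only in b"
        elif path not in mb:
            report[path] = "only in a"
        elif ma[path] != mb[path]:
            try:
                lines_a = ma[path].decode().splitlines(keepends=True)
                lines_b = mb[path].decode().splitlines(keepends=True)
                report[path] = "".join(
                    difflib.unified_diff(lines_a, lines_b, "a/" + path, "b/" + path))
            except UnicodeDecodeError:
                report[path] = "binary files differ"
    return report


def build_samples():
    """Two constructed archives: the 'local download' and the 're-fetched' one."""
    common = {"containerd-1.5.11/go.mod": b"module github.com/containerd/containerd\n"}
    return (make_targz({**common, GO_PATH: BASE_GO_A}),
            make_targz({**common, GO_PATH: BASE_GO_B}))


def investigate(expected_sha256: str, fetched: bytes, local_copy: bytes) -> dict:
    """What the thread did by hand: confirm the mismatch, then find the cause."""
    result = {"hash_ok": check_download(fetched, expected_sha256), "changed": {}}
    if not result["hash_ok"]:
        result["changed"] = diff_tarballs(local_copy, fetched)
    return result


if __name__ == "__main__":
    local, refetched = build_samples()
    res = investigate(sha256_hex(local), refetched, local)
    print("hash ok:", res["hash_ok"])
    for path, diff in res["changed"].items():
        print(path)
        print(diff)
```

In a real investigation, replace build_samples() with the bytes of the two files (the ~download copy and the fresh fetch) and pass the hash from the .hash file as expected_sha256; the report then isolates a one-character change like the one in the thread from the rest of the tree, which is the information needed to decide whether a hash mismatch is a regenerated archive or an altered source tree.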


