From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: Marcus Hoffmann <marcus.hoffmann@othermo.de>, buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
Date: Mon, 11 Apr 2022 20:33:16 +0200
Message-ID: <20220411183316.GB4029883@scaer>
In-Reply-To: <07cb544d-bc42-d774-08aa-67cecc96c1b0@mind.be>

Arnout, Marcus, All,

On 2022-04-11 19:03 +0200, Arnout Vandecappelle spake thusly:
> On 11/04/2022 14:28, Marcus Hoffmann wrote:
> >On 05.04.22 19:28, Peter Korsgaard wrote:
> >>commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
> >>
> >>branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> >>
> >>Fixes the following security issues:
> >>
> >>- CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
> >>https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
> >>
> >>- CVE-2022-24769: Default inheritable capabilities for linux container
> >>   should be empty
> >>https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
> >>
> >>Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> >>---
> >>  package/containerd/containerd.hash | 2 +-
> >>  package/containerd/containerd.mk   | 2 +-
> >>  2 files changed, 2 insertions(+), 2 deletions(-)
> >>
> >>diff --git a/package/containerd/containerd.hash
> >>b/package/containerd/containerd.hash
> >>index d5aafe2e70..23dacded88 100644
> >>--- a/package/containerd/containerd.hash
> >>+++ b/package/containerd/containerd.hash
> >>@@ -1,3 +1,3 @@
> >>  # Computed locally
> >>-sha256 
> >>40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
> >>containerd-1.5.9.tar.gz
> >>+sha256 
> >>6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
> >>containerd-1.5.11.tar.gz
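Review bot: a `# Computed locally` sha256 gives a reviewer nothing upstream to cross-check the new digest against, and the reply below already reports a different value for the same containerd-1.5.11.tar.gz, so the commit message should state how the recorded digest was produced (which download, and whether it was the post-processed tarball with vendored modules) so that it can be reproduced. Note also that the mailer has wrapped the hash line across three lines (`+sha256 ` / digest / filename); anyone applying this from the quoted mail rather than the git commit will get a malformed .hash file.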
> >I get a different hash for this download, both within buildroot as well as
> >downloading the file manually from github:
> >ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
> >ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
> >ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
> >ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> >Did the file change in the meantime or did something else go wrong here?
>  It also goes wrong in the autobuilders (this one on master, before I merged
> the bump to 1.6.2) [1]

Note that golang packages are susceptible to hash changes if one of their
dependencies is changed. For example, if a go package depends, directly
or transitively, on a package foo at some-tag, but foo got re-tagged, or
the repository has moved, then the vendoring will get a different content
than previously.

For example, docker's "distribution" repository has moved from under
"docker" out to its own "distribution" namespace:

    https://github.com/docker/distribution
now redirects to:
    https://github.com/distribution/distribution

> >Should send a patch changing the hash to
> >02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?
>  Let's first allow Peter to check what exactly went wrong. He should have a
> local download with the hash he pushed so he can compare what changed.
>  I looked at the github repo, and it says that it was tagged on March 24,
> i.e. before Peter did the bump to 1.5.11. So it doesn't look like they
> updated the tag.
> 
> [1] http://autobuild.buildroot.net/results/b5d/b5dcd56490e807db9e92e3bbbd6753738132db57/build-end.log

I think the error is something else in this case:
    tar: stdout: write error

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
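The check that produced the "expected/got" error above, as an added example that is not Buildroot's own support/download/check-hash script: it reads a Buildroot-style .hash file (the `sha256  <hex>  <filename>` lines and `#` comments seen in the quoted hunk), verifies a download against it, and then shows that the same filename re-downloaded with different content (what a re-tagged or moved vendored dependency produces) fails the check. The tarball content and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Buildroot's support/download/check-hash: verify a download
# against a Buildroot-style .hash file ("sha256  <hex>  <filename>", '#' comments).
set -eu

digest() {  # sha256 hex digest of $1 (sha256sum on Linux, shasum elsewhere)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# check_hash HASHFILE FILE: 0 if every listed entry for FILE matches,
# 1 on a mismatch (prints the Buildroot-style expected/got lines), 2 if unlisted.
check_hash() {
    hashfile=$1 file=$2 base=$(basename "$2") found=0 rc=0
    while read -r algo expected name || [ -n "$algo" ]; do
        case "$algo" in ''|'#'*) continue ;; esac      # blank lines and comments
        [ "$name" = "$base" ] || continue
        found=1
        case "$algo" in
            sha256) got=$(digest "$file") ;;
            *) echo "ERROR: unsupported hash type $algo for $base" >&2; rc=1; continue ;;
        esac
        if [ "$got" != "$expected" ]; then
            echo "ERROR: $base has wrong $algo hash:" >&2
            echo "ERROR: expected: $expected" >&2
            echo "ERROR: got     : $got" >&2
            rc=1
        fi
    done < "$hashfile"
    [ "$found" -eq 1 ] || return 2
    return "$rc"
}

# Constructed stand-in for the tarball: the same filename re-downloaded with a
# different vendored tree (re-tagged or moved dependency) must fail the check.
demo_mismatch() {
    d=$(mktemp -d)
    f="$d/containerd-1.5.11.tar.gz"            # name only; content is made up
    printf 'vendored tree A\n' > "$f"
    printf '# Computed locally\nsha256  %s  containerd-1.5.11.tar.gz\n' \
        "$(digest "$f")" > "$d/containerd.hash"
    check_hash "$d/containerd.hash" "$f"       # recorded hash matches: rc 0
    printf 'vendored tree B\n' > "$f"          # same name, different content
    rc=0; check_hash "$d/containerd.hash" "$f" || rc=$?
    rm -rf "$d"
    return "$rc"                               # 1: mismatch reported
}

demo_mismatch || echo "check_hash returned $?"
```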

Thread overview: 11+ messages
2022-04-05 17:28 [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 Peter Korsgaard
2022-04-11 12:28 ` Marcus Hoffmann
2022-04-11 17:03   ` Arnout Vandecappelle
2022-04-11 18:33     ` Yann E. MORIN [this message]
2022-04-11 19:02     ` Peter Korsgaard
2022-04-11 20:27       ` Arnout Vandecappelle
2022-04-11 20:34       ` Peter Korsgaard
2022-04-12  8:28         ` Arnout Vandecappelle
2022-04-12  9:26           ` Peter Korsgaard
2022-04-14 19:15             ` Arnout Vandecappelle
2022-04-14 20:06               ` Peter Korsgaard