From: Arnout Vandecappelle <arnout@mind.be>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Marcus Hoffmann <marcus.hoffmann@othermo.de>, buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
Date: Mon, 11 Apr 2022 22:27:42 +0200	[thread overview]
Message-ID: <f6bd2af2-be60-ce06-70a0-17d34c60c17b@mind.be> (raw)
In-Reply-To: <87bkx7h299.fsf@dell.be.48ers.dk>



On 11/04/2022 21:02, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> 
> Hi,
> 
>   > On 11/04/2022 14:28, Marcus Hoffmann wrote:
>   >> Hi Peter,
>   >> On 05.04.22 19:28, Peter Korsgaard wrote:
>   >>> commit:
>   >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
>   >>>
>   >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
>   >>>
>   >>> Fixes the following security issues:
>   >>>
>   >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>   >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
>   >>>
>   >>> - CVE-2022-24769: Default inheritable capabilities for linux container
>   >>>    should be empty
>   >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
>   >>>
>   >>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>   >>> ---
>   >>>   package/containerd/containerd.hash | 2 +-
>   >>>   package/containerd/containerd.mk   | 2 +-
>   >>>   2 files changed, 2 insertions(+), 2 deletions(-)
>   >>>
>   >>> diff --git a/package/containerd/containerd.hash
>   >>> b/package/containerd/containerd.hash
>   >>> index d5aafe2e70..23dacded88 100644
>   >>> --- a/package/containerd/containerd.hash
>   >>> +++ b/package/containerd/containerd.hash
>   >>> @@ -1,3 +1,3 @@
>   >>>   # Computed locally
>   >>> -sha256
>   >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
>   >>> containerd-1.5.9.tar.gz
>   >>> +sha256
>   >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>   >>> containerd-1.5.11.tar.gz
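Review bot: the sha256 recorded in this hunk for containerd-1.5.11.tar.gz (6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1) is for a GitHub-generated tag tarball, and as the rest of this thread shows it was not reproducible: the same URL later served an archive hashing to 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 because a $Format:%h$ export-subst placeholder in vendor/k8s.io/client-go/pkg/version/base.go expanded to a different abbreviated-hash length. Before recording a hash for an archive that git archive generates on the fly, suggest re-downloading and comparing, and consider a git download (or a release that no longer uses %h) so the .hash entry stays stable.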
>   >> I get a different hash for this download, both within buildroot as
>   >> well as downloading the file manually from github:
>   >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
>   >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>   >> ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
>   >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
>   >>
>   >> Did the file change in the meantime or did something else go wrong here?
> 
>   >  It also goes wrong in the autobuilders (this one on master, before I
>   >  merged the bump to 1.6.2) [1]
> 
>   >> Should send a patch changing the hash to
>   >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?
> 
>   >  Let's first allow Peter to check what exactly went wrong. He should
>   >  have a local download with the hash he pushed so he can compare what
>   > changed.
> 
>   >  I looked at the github repo, and it says that it was tagged on March
>   >  24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like
>   > they updated the tag.
> 
> Funky, I do indeed have the old hash here:
> 
> sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz
> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  /var/lib/downloads/containerd/containerd-1.5.11.tar.gz
> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6  containerd-1.5.11.tar.gz
> 
> Extracting the tarballs, I see the following diff:
> 
> diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go
> --- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
> +++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
> @@ -55,7 +55,7 @@ var (
>          // NOTE: The $Format strings are replaced during 'git archive' thanks to the
>          // companion .gitattributes file containing 'export-subst' in this same
>          // directory.  See also https://git-scm.com/docs/gitattributes
> -       gitVersion   string = "v0.0.0-master+3df54a85234"
> +       gitVersion   string = "v0.0.0-master+3df54a8523"
>          gitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD)
>          gitTreeState string = ""            // state of git tree, either "clean" or "dirty"
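Review bot: the only difference between the two extracted archives is the gitVersion string losing the trailing character of its abbreviated hash ("3df54a85234" vs "3df54a8523"), while the gitCommit line carrying the full sha1 is identical; together with the NOTE in the context lines that these strings are filled in by git archive via export-subst, this points at a %h placeholder whose expansion length depends on repository state rather than at altered source, so the mismatch is an archive-reproducibility problem, not a tampered download.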
> 
> So the gitVersion field lost a digit. No idea how this could
> happen. Looking at the file in the git repo I see that this is listed
> as:
> 
> 	gitVersion   string = "v0.0.0-master+$Format:%H$"
> 	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)

  Weird, %H should expand to the full commit hash - like on the gitCommit 
line... How the hell does git archive expand %H differently in one line and the 
other?

  Aah, it was changed from %h to %H in [1].

  But that easily explains the issue: the length of the abbreviated commit hash 
depends on the state of the repo. Thus, some gc on github may have dropped a 
conflicting ref (somewhere else) so the length of the abbreviated hash is 
reduced again.

  There's not much we can do about this I'm afraid, other than using git 
download instead of tarball download. Or updating to a version that contains [1] 
of course.

  Regards,
  Arnout

[1] 
https://github.com/containerd/containerd/commit/e634f04d8cdb6c2f96eea2e4e66d0e4500a46282



> 
> https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go
> 
> So I guess something in github is wrongly expanding this $Format?
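A way to triage a hash mismatch the way this thread does, as an added example that is not from the thread or from Buildroot: check the archive against the recorded sha256 and, when it differs, list which members inside the two tarballs actually changed. The two tarballs and the base.go contents are constructed in the script (file paths and the Makefile stand-in are assumptions).

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample: base.go from two downloads of the same tag tarball,
# differing only in the export-subst expansion of %h in gitVersion.
BASE_GO = "containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go"
OLD_BASE_GO = (b'gitVersion   string = "v0.0.0-master+3df54a85234"\n'
               b'gitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8"\n')
NEW_BASE_GO = OLD_BASE_GO.replace(b"3df54a85234", b"3df54a8523")
UNCHANGED = {"containerd-1.5.11/Makefile": b"all:\n\tgo build ./...\n"}  # assumed filler


def make_tarball(files):
    """Build a deterministic .tar.gz (fixed mtimes) from {path: bytes}."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in sorted(files.items()):
                info = tarfile.TarInfo(path)
                info.size, info.mtime = len(data), 0
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256):
    """The check Buildroot applies against the package's .hash entry."""
    return sha256_hex(data) == expected_sha256


def member_digests(data):
    """Map each regular file inside a .tar.gz to the sha256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = sha256_hex(tar.extractfile(m).read())
    return out


def diff_archives(a, b):
    """Paths whose content differs between two archives (or exist on one side only)."""
    da, db = member_digests(a), member_digests(b)
    return sorted(p for p in set(da) | set(db) if da.get(p) != db.get(p))


if __name__ == "__main__":
    old = make_tarball({BASE_GO: OLD_BASE_GO, **UNCHANGED})
    new = make_tarball({BASE_GO: NEW_BASE_GO, **UNCHANGED})
    recorded = sha256_hex(old)  # what the .hash file would have recorded
    print("matches recorded hash:", verify_download(new, recorded))
    print("changed members:", diff_archives(old, new))
```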


> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
