Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge the release-5.30 branch into main #2407

Merged
merged 11 commits into from
May 9, 2024
Merged

Merge the release-5.30 branch into main #2407

merged 11 commits into from
May 9, 2024

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented May 9, 2024

The latest tagged release as of this moment, 5.30.1 is on the release-5.30 branch, behind main.

That means that dependency automation tries to move users who use a recent commit from of main back onto 5.30.1, possibly dropping some features.

This merge lets the tools know that main “is a superset of” 5.30.1; users on main can then update to main after this PR is merged.

mtrmac added 11 commits May 9, 2024 16:26
@mtrmac
Validate digests before using them
2bcb834 
If doing it makes sense at all, it should happen before
the values are used.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Call .Validate() before digest.Hex() / digest.Encoded()
39e7c91 
... to prevent panics if the value does not contain a :, or other unexpected
values (e.g. a path traversal).

Don't bother on paths where we computed the digest ourselves, or it is already trusted
for other reasons.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Refactor the error handling path of saveStream
a802d65 
Use defer() to remove the temporary file, instead
of duplicating the call.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Refactor the error handling further
4a3785d 
Use defer, a nested function, and early returns.

Besides being a bit more directly related to what
we want to achieve, this now does not call decompressed.Close()
on a nil value if DecompressStream fails.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Call .Validate() before digest.Digest.String() if necessary
a9225e4 
... to prevent unexpected behavior on invalid values.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Validate the tags returned by a registry
b724ee7 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Merge pull request containers#2404 from mtrmac/digest-unmarshal-5.30
132678b 
[release-5.30] Fix CVE-2024-3727
@mtrmac
Release 5.30.1
56e750a 
This fixes CVE-2024-3727 .

Digest values used throughout this library were not always validated.
That allowed attackers to trigger, when pulling untrusted images,
unexpected authenticated registry accesses on behalf of a victim user.

In less common uses of this library (using other transports or not using
the containers/image/v5/copy.Image API), an attacker could also trigger
local path traversals or crashes.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Bump to v5.30.2-dev
3ae80e0 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Merge pull request containers#2405 from mtrmac/release-5.30.1
289d108 
[release-5.30] Release 5.30.1
@mtrmac
Merge remote-tracking branch 'upstream/release-5.30' into latest-rele…
6fff0d4 
…ase-into-main

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@TomSweeneyRedHat
Copy link
Member

LGTM

@mtrmac mtrmac merged commit 047b91c into containers:main May 9, 2024
10 checks passed
@mtrmac mtrmac deleted the latest-release-into-main branch May 9, 2024 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mtrmac @TomSweeneyRedHat