Bug 1802880: Update to github.com/mtrmac/gpgme v0.1.2 [4.3] #1855
Conversation
This "fixes" CVE-2020-8945 by incorporating proglottis/gpgme#23 . The code is not actually used, for two reasons: - Nothing in this repository invokes signature verification (the subpackage is only used to generate contents of policy.json) - Builds use the 'containers_image_openpgp' build tag, which switches to the non-gpgme signature backend. This updates the vendored code anyway - to avoid false positives when scanning for vulnerabilities - so that we don't have to worry about any future changes in this repository enabling those code paths. Performed by $ GOPROXY=https://proxy.golang.org GO111MODULE=on go get github.com/mtrmac/gpgme@v0.1.2 && make go-deps in a golang:1.12 container Signed-off-by: Miloslav Trmač <mitr@redhat.com>
openshift-ci-robot
added
the
bugzilla/severity-medium
|
@mtrmac: This pull request references Bugzilla bug 1802880, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/invalid-bug
|
Compare #1519 for the master branch. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mtrmac The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
mtrmac
changed the title
|
/bugzilla refresh |
|
@mtrmac: This pull request references Bugzilla bug 1802880, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mtrmac: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
I think the 4.2 backport isn't necessary - we know this cve doesn't impact MCO, we should just close it for 4.2/4.3 IMO |
|
The cost/benefit decision of dealing with this PR and the backport process vs. the minimal risk of introducing new users of that code is entirely up to repo maintainers who will be paying the cost; I’m fine with whatever you decide. |
awesome, so what we know is that bumping this library and introducing more lines of code doesn't buy anything as we're not impacted by the CVE, so let's close this for 4.3 |
|
@mtrmac: This pull request references Bugzilla bug 1802880. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
The only issue is automatic tools that look for CVEs with static analysis but we can't help with that - we're again not impacted by that CVE |
- What I did
This "fixes" CVE-2020-8945 by incorporating proglottis/gpgme#23 .
The code is not actually used, for two reasons:
policy.json)containers_image_openpgpbuild tag, which switches to the non-gpgme signature backend.This updates the vendored code anyway
Performed by
$ GOPROXY=https://proxy.golang.org GO111MODULE=on go get github.com/mtrmac/gpgme@v0.1.2 && make go-depsin a
golang:1.12container.- How to verify it
See a much higher number of
runtime.KeepAlivecalls in the vendored package, compare with the upstream release.- Description for the changelog
N/A