[release-1.30] server: use SecureJoin when setting container /etc directory #8231

openshift-cherrypick-robot

This is an automated cherry-pick of #8225

/assign haircommander

Fix CVE-2024-5154 where a malicious container image could make a symlink of `/proc/mounts` on the host, out of the container's rootfs
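
The difference between a plain path join and a rootfs-scoped join, which is what the SecureJoin change in the PR title is about, shown as an added example that is not part of this PR or of CRI-O's code. `resolveInRoot` is a hypothetical stdlib-only sketch, and the directory layout in `main` is constructed for the demonstration:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves unsafePath as if root were "/": absolute symlink
// targets restart at root and ".." stops there. Hypothetical helper for this
// example; it is not race-safe, so real code should use a maintained library.
func resolveInRoot(root, unsafePath string) (string, error) {
	todo, cur := strings.Split(unsafePath, "/"), "/" // cur is relative to root
	for hops := 0; len(todo) > 0; {
		next := filepath.Join(cur, todo[0]) // Join cleans, so ".." stops at "/"
		todo = todo[1:]
		target, err := os.Readlink(filepath.Join(root, next))
		if next == "/" || err != nil { // not a symlink (or missing): step in
			cur = next
			continue
		}
		if hops++; hops > 255 {
			return "", fmt.Errorf("too many symlinks in %q", unsafePath)
		}
		if filepath.IsAbs(target) {
			cur = "/" // an absolute target restarts at the container root
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

func main() {
	// Constructed layout: rootfs/etc is a symlink to a "host" directory outside.
	base, err := os.MkdirTemp("", "rootfs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root, host := filepath.Join(base, "rootfs"), filepath.Join(base, "host")
	os.Mkdir(root, 0755)
	os.Mkdir(host, 0755)
	os.Symlink(host, filepath.Join(root, "etc"))
	naive, _ := filepath.EvalSymlinks(filepath.Join(root, "etc")) // OS follows the link
	scoped, err := resolveInRoot(root, "etc/mtab")
	fmt.Println("plain join: ", filepath.Join(naive, "mtab"))
	fmt.Println("scoped join:", scoped, err)
}
```

The plain join ends up in the directory outside the rootfs, while the scoped result stays under it because the symlink target is reinterpreted relative to the container root.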

kwilczynski and others added 3 commits May 31, 2024 00:36
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels May 31, 2024
@openshift-ci openshift-ci bot requested review from hasan4791 and QiWang19 May 31, 2024 00:37
@haircommander (Member)

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 31, 2024
openshift-ci bot (Contributor) commented May 31, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 31, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit e9b39ec into cri-o:release-1.30 May 31, 2024
51 checks passed
@haircommander (Member)

/cherry-pick release-1.29

@openshift-cherrypick-robot (Author)

@haircommander: #8231 failed to apply on top of branch "release-1.29":

Applying: server: use SecureJoin when setting container /etc directory
Using index info to reconstruct a base tree...
M	server/container_create_linux.go
Falling back to patching base and 3-way merge...
Auto-merging server/container_create_linux.go
CONFLICT (content): Merge conflict in server/container_create_linux.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 server: use SecureJoin when setting container /etc directory
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.29

@kwilczynski (Member)

OK. Will backport manually.
