Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address CVE GO-2024-2611 #1959

Merged
merged 1 commit into from
Mar 7, 2024
Merged

Address CVE GO-2024-2611 #1959

merged 1 commit into from
Mar 7, 2024

Conversation

torredil
Copy link
Member

@torredil torredil commented Mar 7, 2024

Is this a bug fix or adding new feature?

CVE fix

What is this PR about? / Why do we need it?

Unblock CI:

Screenshot 2024-03-07 at 10 15 45 AM 
Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.32.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
Error:       #1: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls json.Decoder.Peek
Error:       #2: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls json.Decoder.Read
Error:       #3: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls protojson.Unmarshal

What testing is done?

make test && CI

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 7, 2024
@torredil
Address CVE GO-2024-2611
b6650fe 
Signed-off-by: Eddie Torres <torredil@amazon.com>
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 7, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 7, 2024

Code Coverage Diff

This PR does not change the code coverage

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 7, 2024
@ConnorJC3
Copy link
Contributor

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2024
@k8s-ci-robot k8s-ci-robot merged commit f335f99 into kubernetes-sigs:master Mar 7, 2024
19 checks passed
@ConnorJC3 ConnorJC3 mentioned this pull request Mar 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndrewSirenko AndrewSirenko AndrewSirenko approved these changes

@ConnorJC3 ConnorJC3 Awaiting requested review from ConnorJC3

Assignees

@ConnorJC3 ConnorJC3

@AndrewSirenko AndrewSirenko

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@torredil @ConnorJC3 @k8s-ci-robot @AndrewSirenko