Ensures that the primary GID is also included in the additional GIDs #3651
Conversation
Apply `ensureAdditionalGids()` from containerd/containerd@3eda46a (CVE-2023-25173, GHSA-hmfx-3pcx-653p) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
Can we have a new release with this? |
There was a problem hiding this comment.
Can we have a new release with this?
Yes LGTM. PTAL @tonistiigi
|
Is this code also used for the embedded BuildKit in moby? If so, we probably need a cherry-pick for 0.10 as well |
| @@ -91,6 +91,7 @@ func parseUID(str string) (uint32, error) { | |||
| // once the PR in containerd is merged we should remove this function. | |||
There was a problem hiding this comment.
// WithUIDGID allows the UID and GID for the Process to be set
// FIXME: This is a temporeray fix for the missing supplementary GIDs from containerd
// once the PR in containerd is merged we should remove this function.
Have these changes been merged in containerd, and if so, can we remove this function (making it an alias for the one in containerd? https://github.com/containerd/containerd/blob/8cb00f45c973b017f403d05d4d208ab2971ff335/oci/spec_opts.go#L692-L702
There was a problem hiding this comment.
The function arguments are different, so it still can't be removed
Yes IIUC |
Is there any practical reason why you would need it? |
I'd like to release nerdctl v1.2.1 with the CVE fix very soon, and I'd like to make sure the issue is fixed in |
|
Let me know if the next release is planned soon. The vuln isn't critical, so either is fine to me. |
Apply
ensureAdditionalGids()from containerd/containerd@3eda46a(CVE-2023-25173, GHSA-hmfx-3pcx-653p)