
CVE-2022-24778 imgcrypt (issue on containers/image, closed, 8 comments)

kaovilai commented on August 16, 2024
CVE-2022-24778 imgcrypt


Comments (8)

rhatdan commented on August 16, 2024

If the suspect code is not vendored into containers/image then containers/image and the tools that base off of it are not vulnerable.


kaovilai commented on August 16, 2024

Can be resolved by updating containerd to 1.6.1+


mtrmac commented on August 16, 2024

Thanks for your report. AFAICS nothing in this repo depends on containerd/imgcrypt.


kaovilai commented on August 16, 2024

@mtrmac github.com/containerd/[email protected] is required by github.com/containerd/[email protected] which is required by github.com/Microsoft/[email protected]
which is specified in

image/go.mod

Line 44 in b694889

github.com/Microsoft/hcsshim v0.9.3 // indirect

github.com/containerd/cgroups v1.0.3

❯ git checkout upstream/main
Note: switching to 'upstream/main'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at b6948897 Merge pull request #1652 from containers/dependabot/go_modules/github.com/docker/docker-20.10.18incompatible

~/git/image remotes/upstream/main
❯ go mod graph | grep imgcrypt
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containers/[email protected]
github.com/containerd/[email protected] github.com/gogo/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/pkg/[email protected]
github.com/containerd/[email protected] github.com/sirupsen/[email protected]
github.com/containerd/[email protected] github.com/urfave/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] google.golang.org/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/hcsshim/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containers/[email protected]
github.com/containerd/[email protected] github.com/gogo/[email protected]
github.com/containerd/[email protected] github.com/imdario/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/pkg/[email protected]
github.com/containerd/[email protected] github.com/prometheus/[email protected]
github.com/containerd/[email protected] github.com/sirupsen/[email protected]
github.com/containerd/[email protected] github.com/urfave/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] google.golang.org/[email protected]
github.com/containerd/[email protected] gopkg.in/[email protected]
github.com/containerd/[email protected] gotest.tools/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containers/[email protected]
github.com/containerd/[email protected] github.com/gogo/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/pkg/[email protected]
github.com/containerd/[email protected] github.com/sirupsen/[email protected]
github.com/containerd/[email protected] github.com/urfave/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] google.golang.org/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/Microsoft/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containerd/[email protected]
github.com/containerd/[email protected] github.com/containers/[email protected]
github.com/containerd/[email protected] github.com/coreos/[email protected]
github.com/containerd/[email protected] github.com/docker/[email protected]+incompatible
github.com/containerd/[email protected] github.com/docker/[email protected]
github.com/containerd/[email protected] github.com/docker/[email protected]
github.com/containerd/[email protected] github.com/godbus/[email protected]
github.com/containerd/[email protected] github.com/gogo/[email protected]
github.com/containerd/[email protected] github.com/gogo/[email protected]
github.com/containerd/[email protected] github.com/imdario/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/opencontainers/[email protected]
github.com/containerd/[email protected] github.com/pkg/[email protected]
github.com/containerd/[email protected] github.com/prometheus/[email protected]
github.com/containerd/[email protected] github.com/sirupsen/[email protected]
github.com/containerd/[email protected] github.com/syndtr/[email protected]
github.com/containerd/[email protected] github.com/urfave/[email protected]
github.com/containerd/[email protected] go.etcd.io/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] golang.org/x/[email protected]
github.com/containerd/[email protected] google.golang.org/[email protected]


kaovilai commented on August 16, 2024

Looks like this won't be easy to solve. The latest containerd has a circular dependency with older containerd, which depended on imgcrypt <1.1.4.

containerd/containerd#5781


mtrmac commented on August 16, 2024

❯ go mod graph | grep imgcrypt

But then

$ go mod vendor
$ ./vendor/github.com/containerd
./vendor/github.com/containerd/cgroups
./vendor/github.com/containerd/cgroups/stats
./vendor/github.com/containerd/cgroups/stats/v1
./vendor/github.com/containerd/stargz-snapshotter
./vendor/github.com/containerd/stargz-snapshotter/estargz
./vendor/github.com/containerd/stargz-snapshotter/estargz/errorutil

That package just isn’t used. There is nothing to fix.

If we added an explicit imgcrypt dependency to c/image just to force a higher version, the go tooling would immediately drop that dependency as unused.

Whatever vulnerability scanner tool, or methodology, you are using, it’s incorrect and it needs to be fixed not to report packages that don’t show up in the binary at all.

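The disagreement in this thread (and in the final comment about CheckAuthorization() not being called) comes down to three different questions that scanners often conflate: is the module in the module graph (go.sum / go mod graph), is the selected version below the fixed one, and is any package of that module actually compiled into the binary. The following is an added example, not code from containers/image or from any commenter, that triages a finding the way mtrmac describes. It parses constructed `go mod graph` output (module names taken from the thread, but the versions and edges are invented for illustration and are not the real containers/image graph), computes the selected version per module the way minimal version selection does (highest version among reachable edges; this ignores the Go 1.17 graph pruning, which only makes the graph smaller), and then cross-checks against a constructed list of modules that actually contribute packages to the build, as `go list -deps -f '{{with .Module}}{{.Path}}{{end}}' ./...` would print. The fixed version v1.1.4 is the one named in the thread.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output. Module paths come from the
// thread; versions and edges are invented for this example and are NOT the
// real containers/image dependency graph. The main module carries no @version.
const sampleModGraph = `github.com/containers/image/v5 github.com/Microsoft/hcsshim@v0.9.3
github.com/containers/image/v5 github.com/containerd/cgroups@v1.0.3
github.com/Microsoft/hcsshim@v0.9.3 github.com/containerd/containerd@v1.5.9
github.com/containerd/containerd@v1.5.9 github.com/containerd/imgcrypt@v1.1.1
github.com/containerd/containerd@v1.5.9 github.com/containerd/cgroups@v1.0.1
github.com/containerd/imgcrypt@v1.1.1 github.com/containers/ocicrypt@v1.1.0`

// Constructed output of `go list -deps -f '{{with .Module}}{{.Path}}{{end}}' ./...`
// (deduplicated): the modules that actually contribute packages to the build.
// Mirrors the vendor/ listing in the thread, where no imgcrypt directory exists.
const sampleLinkedModules = `github.com/containerd/cgroups
github.com/containerd/stargz-snapshotter/estargz
github.com/containers/ocicrypt`

// Verdict separates the three facts a scanner must not conflate.
type Verdict struct {
	Module, Selected                              string
	InModuleGraph, BelowFixed, Linked, Vulnerable bool
}

// parseModGraph returns the main module (first node without "@") and the
// adjacency list of "path@version" nodes.
func parseModGraph(text string) (root string, deps map[string][]string) {
	deps = map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		if root == "" && !strings.Contains(f[0], "@") {
			root = f[0]
		}
		deps[f[0]] = append(deps[f[0]], f[1])
	}
	return root, deps
}

func splitNode(n string) (path, ver string) {
	if i := strings.LastIndex(n, "@"); i >= 0 {
		return n[:i], n[i+1:]
	}
	return n, ""
}

// splitVersion parses "v1.2.3-pre+meta" into its numeric core and pre-release
// tag; "+incompatible" and build metadata are ignored as semver requires.
func splitVersion(v string) ([3]int, string) {
	s := strings.TrimPrefix(v, "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	core, pre := s, ""
	if i := strings.Index(s, "-"); i >= 0 {
		core, pre = s[:i], s[i+1:]
	}
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, pre
}

// compareVersion orders Go module versions; a pseudo-version such as
// v1.1.1-0.2021... is a pre-release and therefore sorts below v1.1.1.
func compareVersion(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == "" && pb != "":
		return 1
	case pa != "" && pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// selectedVersions walks the graph from the main module and keeps, per module
// path, the highest version reachable: the MVS build list.
func selectedVersions(root string, deps map[string][]string) map[string]string {
	sel := map[string]string{}
	seen := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		for _, d := range deps[n] {
			if seen[d] {
				continue
			}
			seen[d] = true
			queue = append(queue, d)
			p, v := splitNode(d)
			if cur, ok := sel[p]; !ok || compareVersion(v, cur) > 0 {
				sel[p] = v
			}
		}
	}
	return sel
}

func parseLinkedModules(text string) map[string]bool {
	linked := map[string]bool{}
	for _, l := range strings.Split(text, "\n") {
		if l = strings.TrimSpace(l); l != "" {
			linked[l] = true
		}
	}
	return linked
}

// assess marks a module vulnerable only if an affected version is selected AND
// the module contributes packages to the build; go.sum presence is not enough.
func assess(module, fixed string, sel map[string]string, linked map[string]bool) Verdict {
	v := Verdict{Module: module}
	v.Selected, v.InModuleGraph = sel[module]
	v.BelowFixed = v.InModuleGraph && compareVersion(v.Selected, fixed) < 0
	v.Linked = linked[module]
	v.Vulnerable = v.BelowFixed && v.Linked
	return v
}

func main() {
	root, deps := parseModGraph(sampleModGraph)
	sel := selectedVersions(root, deps)
	paths := make([]string, 0, len(sel))
	for p := range sel {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("selected %s %s\n", p, sel[p])
	}
	v := assess("github.com/containerd/imgcrypt", "v1.1.4", sel, parseLinkedModules(sampleLinkedModules))
	fmt.Printf("%+v\n", v)
}
```

Even a "Linked" hit is only an upper bound: CVE-2022-24778 affects a specific function, so the final word belongs to symbol-level reachability (govulncheck) or, for a shipped artifact, `go version -m <binary>`, which lists the modules the linker actually embedded.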

kaovilai commented on August 16, 2024

Containerd uses imgcrypt, so by proxy containers/image requires imgcrypt. You simply cannot say it is not in your package when it is clearly in go.sum:

image/go.sum

Lines 320 to 323 in 11c01b9

github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0=
github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA=
github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow=
github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms=


kaovilai commented on August 16, 2024

Besides vendor not containing imgcrypt, containerd does not use the CheckAuthorization() function affected by the CVE.

