Skip to content

[release/1.1 backport] bump libseccomp-golang v0.9.1#3375

Merged
crosbymichael merged 1 commit intocontainerd:release/1.1from
thaJeztah:1.1_backport_bump_libseccomp
Jun 26, 2019
Merged

[release/1.1 backport] bump libseccomp-golang v0.9.1#3375
crosbymichael merged 1 commit intocontainerd:release/1.1from
thaJeztah:1.1_backport_bump_libseccomp

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Jun 26, 2019

backport of #3371 for the 1.1 branch

full diff: seccomp/libseccomp-golang@32f571b...689e3c1

Release notes:

  • Version 0.9.1 - May 21, 2019
  • Minimum supported version of libseccomp bumped to v2.2.0 (seccomp/libseccomp-golang@fc02980)
  • PowerPC and S390(x) architectures are unavailable below library version v2.3.0 and will return errors if used with incompatible libraries
  • Use Libseccomp's seccomp_version API to retrieve library version
  • Unconditionally set TSync attribute for filters, due to Go's heavily threaded nature
  • Fix CVE-2017-18367 - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND (seccomp/libseccomp-golang@06e7a29)
  • Fix a failure to build on Debian-based distributions due to CGo code
  • Fix unit test failures on 32-bit architectures
  • Improve several errors to be more verbose about their causes
  • Add support for SCMP_ACT_LOG (with libseccomp versions 2.4.x and higher), permitting syscalls but logging their execution
  • Add support for SCMP_FLTATR_CTL_LOG (with libseccomp versions 2.4.x and higher), logging not-allowed actions when they are denied

Signed-off-by: Sebastiaan van Stijn [email protected]
(cherry picked from commit bb41ef8)
Signed-off-by: Sebastiaan van Stijn [email protected]

@thaJeztah
bump libseccomp-golang v0.9.1
f2d1981 
full diff: seccomp/libseccomp-golang@32f571b...689e3c1

Release notes:

* Version 0.9.1 - May 21, 2019
- Minimum supported version of libseccomp bumped to v2.2.0 (seccomp/libseccomp-golang@fc02980)
- PowerPC and S390(x) architectures are unavailable below library version v2.3.0 and will return errors if used with incompatible libraries
- Use Libseccomp's `seccomp_version` API to retrieve library version
- Unconditionally set TSync attribute for filters, due to Go's heavily threaded nature
- Fix [CVE-2017-18367](https://nvd.nist.gov/vuln/detail/CVE-2017-18367) - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND (seccomp/libseccomp-golang@06e7a29)
- Fix a failure to build on Debian-based distributions due to CGo code
- Fix unit test failures on 32-bit architectures
- Improve several errors to be more verbose about their causes
- Add support for SCMP_ACT_LOG (with libseccomp versions 2.4.x and higher), permitting syscalls but logging their execution
- Add support for SCMP_FLTATR_CTL_LOG (with libseccomp versions 2.4.x and higher), logging not-allowed actions when they are denied

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit bb41ef8)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@codecov-io
Copy link
Copy Markdown

codecov-io commented Jun 26, 2019

Codecov Report

Merging #3375 into release/1.1 will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@             Coverage Diff              @@
##           release/1.1    #3375   +/-   ##
============================================
  Coverage        49.07%   49.07%           
============================================
  Files               85       85           
  Lines             7598     7598           
============================================
  Hits              3729     3729           
  Misses            3194     3194           
  Partials           675      675
Flag Coverage Δ
#linux 49.07% <ø> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c64d39...f2d1981. Read the comment docs.

estesp
estesp approved these changes Jun 26, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Backport required to fix a known CVE

@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented Jun 26, 2019

FWIW; I discussed the vendor bump with @justincormack, and he thought that the actual vendor in containerd, containerd/cri, and dockerd are not critical for the CVE itself; the version in runc is the important one, but turned out that it was already patched (there was some confusion about that).

Bumping the vendored files in these branches would still be good to have (IMO) to take away any doubt (and possibly security scanners finding a vulnerable version of the dependency).

If there's concerns about updating these files here, feel free to close

@crosbymichael
Copy link
Copy Markdown
Member

crosbymichael commented Jun 26, 2019

LGTM

@crosbymichael crosbymichael merged commit 43278be into containerd:release/1.1 Jun 26, 2019
@thaJeztah thaJeztah deleted the 1.1_backport_bump_libseccomp branch June 26, 2019 18:27
@thaJeztah thaJeztah mentioned this pull request Aug 15, 2019
Merged
@thaJeztah thaJeztah mentioned this pull request Oct 7, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estesp estesp estesp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@thaJeztah @codecov-io @crosbymichael @estesp