[release/1.1] Revert "bump libseccomp-golang v0.9.1" #3539

Merged
dmcgowan merged 1 commit into containerd:release/1.1 from thaJeztah:1.1_revert_bump_libseccomp
Aug 15, 2019

@thaJeztah
Member

This reverts commit f2d1981 (#3375)

which was a backport of #3371

Per the discussion on #3371 (comment), this bump caused the minimum supported seccomp version to be changed from 2.3.0, which caused older distros to no longer be supported.

Note that the fix for CVE-2017-18367 was already in the version we vendored before the bump (and the actual issue is in RunC; RunC 1.0.0-rc8 has the fix in place already).

This reverts commit f2d1981.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Member Author

ping @Random-Liu @justincormack PTAL

@codecov-io

Codecov Report

Merging #3539 into release/1.1 will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff              @@
##           release/1.1    #3539   +/-   ##
============================================
  Coverage        49.07%   49.07%           
============================================
  Files               85       85           
  Lines             7598     7598           
============================================
  Hits              3729     3729           
  Misses            3194     3194           
  Partials           675      675
Flag Coverage Δ
#linux 49.07% <ø> (ø) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 43278be...a17c0d2. Read the comment docs.

@thaJeztah
Member Author

thaJeztah commented Aug 15, 2019

From the runc libseccomp bump; opencontainers/runc#2074 (comment)

Looks like the fix for the CVE was already merged in opencontainers/runc@03a5a74#diff-c1eca12d097b318b217f891966083c8e as part of opencontainers/runc#1424

The "diff" posted in this PR looks to be between the wrong commits; this is the right link/diff:

seccomp/libseccomp-golang@84e90a9...v0.9.1

The fix is in opencontainers/runc@03a5a74#diff-c1eca12d097b318b217f891966083c8e.

The fix in libseccomp is in commit seccomp/libseccomp-golang@06e7a29

Full diff of libseccomp-golang changes in that runc PR: seccomp/libseccomp-golang@32f571b...84e90a9

@crosbymichael
Member

LGTM

@dmcgowan
Member

LGTM

@dmcgowan dmcgowan merged commit e9e200b into containerd:release/1.1 Aug 15, 2019
@thaJeztah thaJeztah deleted the 1.1_revert_bump_libseccomp branch August 15, 2019 21:16