[release-1.11] Bump ocicrypt and go-jose CVE-2024-28180 #2292
Conversation
There was a problem hiding this comment.
Thanks!
- Shouldn’t this also include an update to
gopkg.in/go-jose/go-jose.v2? - I don’t mind the
ocicryptupdate, but it seems not to be directly related to the vulnerability. (One major effect it does have is updating from go-jose v2 to v3. That might be a good enough reason to include it.) The downside of this is that it rather extends the scope of the update, so I just wanted to double-check that it is intentional.
Feel free to merge as is if all of this is intentional.
|
@mtrmac I've found a fun vendoring puzzle and would like your opinion. In this branch, as you noted, we are using: gopkg.in/square/go-jose.v2. I went to update that, and there are no updates, as that branch was deprecated a while back. That particular version of go-jose seems to be dragged in via: letsencrypt/boulder, which is pulled in from sigstore v1.5.1, which is pulled in via c/image v5.24. The go-jose issue happens with the Decrypt() call in go-jose. It looks to me that if we bump c/image up to v5.26.latest, then we'll at least get the right go-jose that we can bump from there. Do you think that would work, or do you have other thoughts? Perhaps just bump sigstore to 1.7.1 and see if that cures things. Actually, that might be better (thinking and typing). Anyway, I'm assuming we may have the same issue in other projects, too, so any thoughts will be gratefully accepted. |
|
Oh, I had happily forgotten everything about this situation. To remind myself, there are three locations:
For letsencrypt/boulder, we only call one utility in The user in Assuming the vulnerability is fixed in |
|
@mtrmac This StackOverflow entry, It looks to me that the replace command is good for replacing the same module at the same location with a different version, or to replace the module with one that is stored locally on the system. NOT to replace a module with a "moved" external module like in this case. @Luap99 or @vrothberg I know you two are go.mod wizards, any thoughts? |
No that works fine normally, i.e. we do it all the time when we vendor test commits in podman from our forks.
|
Nevermind copied pasted the wrong source here, with I think the new vendor system is simply not compatible with the old version suffix vendor model used by go-jose v2 |
Ah no it is because the new version uses the new import location while the other packages uses the old one and go only allows one location per module so yes the linked go issue seems to apply here. Not sure how to get unstucked here, I guess bumping all the users of gopkg.in/square/go-jose.v2 to newer version that use the new v3 module instead but yes this will likely bring in a lot of unrelated changes. |
|
Ok I did a check in the repos the pull in the v2, you could bump sigstore to |
|
For the record, per https://go-review.googlesource.com/c/go/+/126156 rejecting the |
I agree, and this seems reasonably low-risk at least for the dependencies we call directly. (The Note that this would bump the required Go version to The worst-case solution would be to “fork”, of sorts, the |
Bump github.com/go-jose/go-jose to v3.0.0 and github.com/containers/ocicrypt to v1.1.10 Addresses: CVE-2024-28180 https://issues.redhat.com/browse/OCPBUGS-30789 https://issues.redhat.com/browse/OCPBUGS-30790 https://issues.redhat.com/browse/OCPBUGS-30791 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/cve-jose-1.11
branch
from
6c7db6f
to
89cd9b8
Compare
|
Repushed, that tango of a vendor dance seemed to have turned the trick! |
Bump github.com/go-jose/go-jose to v3.0.0 and
github.com/containers/ocicrypt to v1.1.10
Addresses: CVE-2024-28180
https://issues.redhat.com/browse/OCPBUGS-30789
https://issues.redhat.com/browse/OCPBUGS-30790
https://issues.redhat.com/browse/OCPBUGS-30791