checkpoint-restore / checkpointctl

A tool for in-depth analysis of container checkpoints
Apache License 2.0

Release 1.1.X+ to remove indirect dependency related to CVE-2024-21626 #126

Closed jpayne3506 closed 2 months ago

jpayne3506 commented 3 months ago

Hi, I noticed that there is an indirect dependency vulnerability in your 1.1.0 release that is correlated to a CVE regarding runc versions <= 1.1.11.

https://github.com/checkpoint-restore/checkpointctl/blob/3ba5cad0bd5feb3f87d898b2749326206c6ffede/go.mod#L9-L21

The use of github.com/opencontainers/runtime-spec v1.1.0 is the cause and it looks like you have patched it on main.

https://github.com/checkpoint-restore/checkpointctl/blob/6c3a2639a9d64c7cb7ba3477977d26d930f963c6/go.mod#L9

Is there any timetable for the next release/patch of checkpointctl?

adrianreber commented 3 months ago

A release would be no problem, but isn't the CVE about runc and not the runtime-spec?

rst0git commented 3 months ago

As Adrian mentioned above, CVE-2024-21626 is a vulnerability in runc and it has been fixed with v1.1.12.

@jpayne3506 checkpointctl doesn't use runc or any functionality related to runc init or runc exec. It should not be affected by this CVE.
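To make the distinction drawn in this thread concrete, here is an added example written for this page (not checkpointctl's own code). It parses a constructed go.mod excerpt (not the project's real go.mod) and reports whether the exact module path github.com/opencontainers/runc is required at a version below the first fixed release, v1.1.12. The sibling module github.com/opencontainers/runtime-spec under the same organization is a different module and never matches, which is why its v1.1.0 version says nothing about CVE-2024-21626. The sample module contents, function names and the four status strings are assumptions made for the example.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for this example only; NOT checkpointctl's real go.mod.
const sampleGoMod = `module example.com/constructed

go 1.21

require (
	github.com/opencontainers/runtime-spec v1.1.0
	github.com/opencontainers/runc v1.1.11 // indirect
	github.com/spf13/cobra v1.8.0
)
`

// Requirement is one module/version pair from a go.mod require directive.
type Requirement struct {
	Path, Version string
	Indirect      bool
}

// ParseRequires extracts require directives in single-line and block form.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, exclude, ... are not requirements
		}
		indirect := strings.Contains(line, "// indirect")
		line, _, _ = strings.Cut(line, "//") // drop any trailing comment
		if f := strings.Fields(line); len(f) == 2 {
			reqs = append(reqs, Requirement{Path: f[0], Version: f[1], Indirect: indirect})
		}
	}
	return reqs
}

// parseRelease parses a plain release tag ("v1.1.11", "v2.0.0+incompatible") into
// [major, minor, patch]. Pre-release and pseudo-versions sort *before* the release
// they name, so they return ok=false for manual review rather than a guess.
func parseRelease(v string) (nums [3]int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	parts := strings.Split(v, ".")
	if strings.Contains(v, "-") || len(parts) != 3 {
		return nums, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false
		}
		nums[i] = n
	}
	return nums, true
}

// ModuleStatus compares the requirement whose path is exactly `path` against the
// first fixed release and returns "absent", "unknown", "vulnerable" or "fixed".
// A sibling module such as opencontainers/runtime-spec never matches opencontainers/runc.
func ModuleStatus(reqs []Requirement, path, fixed string) string {
	fixedV, ok := parseRelease(fixed)
	if !ok {
		panic("fixed version must be a plain release tag: " + fixed)
	}
	for _, r := range reqs {
		if r.Path != path {
			continue
		}
		cur, ok := parseRelease(r.Version)
		if !ok {
			return "unknown"
		}
		for i := range cur {
			if cur[i] < fixedV[i] {
				return "vulnerable"
			} else if cur[i] > fixedV[i] {
				return "fixed"
			}
		}
		return "fixed" // exactly the fixed release
	}
	return "absent"
}
```

For the constructed excerpt, `ModuleStatus(ParseRequires(sampleGoMod), "github.com/opencontainers/runc", "v1.1.12")` returns "vulnerable" because runc v1.1.11 is pulled in as an indirect requirement, while a go.mod that only requires runtime-spec yields "absent". For a real audit, prefer `go list -m all` (the full build list rather than the go.mod text) or `govulncheck`, which additionally checks whether the vulnerable symbols are reachable from your code, which is the same argument made above about runc init and runc exec never being called.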