This release includes a few fixes for MkdirAll when dealing with S_ISUID
and S_ISGID, to solve a regression runc hit when switching to MkdirAll.
Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
an explicit error saying that those bits are ignored by mkdirat(2). In
the past a different error was returned, but since the silent ignoring
behaviour is codified in the man pages a more explicit error seems
apt. While silently ignoring these bits would be the most compatible
option, it could lead to users thinking their code sets these bits
when it doesn't. Programs that need to deal with compatibility can
mask the bits themselves. (#23, #25)
If a directory has S_ISGID set, then all child directories will have
S_ISGID set when created and a different gid will be used for any
inode created under the directory. Previously, the "expected owner and
mode" validation in securejoin.MkdirAll did not correctly handle this.
We now correctly handle this case. (#24, #25)
By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
to do the necessary "partial lookups", Open(at)InRoot now does less work
for both implementations (resulting in a many-fold decrease in the number of
operations for openat2, and a modest improvement for non-openat2) and is
far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
behaviour.
We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
effectively just means that we no longer risk getting spurious errors during
rename races. However, for our hardened procfs handler, this in theory should
prevent mount attacks from tricking us when doing magic-link readlinks (even
when using the unsafe host /proc handle). Unfortunately Reopen is still
potentially vulnerable to those kinds of somewhat-esoteric attacks.
Technically this [will only work on post-2.6.39 kernels][linux-readlinkat-emptypath]
but it seems incredibly unlikely anyone is using filepath-securejoin on a
pre-2011 kernel.
Several improvements were made to the errors returned by Open(at)InRoot and
MkdirAll when dealing with invalid paths under the emulated (ie.
non-openat2) implementation. Previously, some paths would return the wrong
error (ENOENT when the last component was a non-directory), and other paths
would be returned as though they were acceptable (trailing-slash components
after a non-directory would be ignored by Open(at)InRoot).
These changes were done to match openat2's behaviour and purely is a
consistency fix (most users are going to be using openat2 anyway).
Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
an explicit error saying that those bits are ignored by mkdirat(2). In the
past a different error was returned, but since the silent ignoring behaviour
is codified in the man pages a more explicit error seems apt. While silently
ignoring these bits would be the most compatible option, it could lead to
users thinking their code sets these bits when it doesn't. Programs that need
to deal with compatibility can mask the bits themselves. (#23, #25)
Fixed
If a directory has S_ISGID set, then all child directories will have
S_ISGID set when created and a different gid will be used for any inode
created under the directory. Previously, the "expected owner and mode"
validation in securejoin.MkdirAll did not correctly handle this. We now
correctly handle this case. (#24, #25)
[0.3.1] - 2024-07-23
Changed
By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
to do the necessary "partial lookups", Open(at)InRoot now does less work
for both implementations (resulting in a many-fold decrease in the number of
operations for openat2, and a modest improvement for non-openat2) and is
far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
behaviour.
We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
effectively just means that we no longer risk getting spurious errors during
rename races. However, for our hardened procfs handler, this in theory should
prevent mount attacks from tricking us when doing magic-link readlinks (even
when using the unsafe host /proc handle). Unfortunately Reopen is still
potentially vulnerable to those kinds of somewhat-esoteric attacks.
Several improvements were made to the errors returned by Open(at)InRoot and
MkdirAll when dealing with invalid paths under the emulated (ie.
non-openat2) implementation. Previously, some paths would return the wrong
error (ENOENT when the last component was a non-directory), and other paths
would be returned as though they were acceptable (trailing-slash components
after a non-directory would be ignored by Open(at)InRoot).
These changes were done to match openat2's behaviour and purely is a
consistency fix (most users are going to be using openat2 anyway).
Bumps the go-modules group with 14 updates in the / directory:
1.33.1
1.34.2
0.18.7
0.18.8
1.0.0
1.0.1
1.5.5
1.5.6
3.2.1
3.3.0
3.2.3
3.3.0
0.12.4
0.12.6
1.3.9
1.4.0
0.1.0
0.2.0
0.2.5
0.3.2
0.0.15
0.0.16
0.5.0
0.6.0
1.2.2
1.3.0
2.17.0
2.19.1
Updates
github.com/onsi/gomega
from 1.33.1 to 1.34.2Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
7cabed6
v1.34.2c59c6dc
bump ginkgo as well8158b99
bump to go 1.22 - remove x/exp dependencyfa057b8
v1.34.15e71dcd
Use slices from exp/slices to keep golang 1.20 compat32e5498
v1.34.0cb3fa6a
run go mod tidy and wonder why go get doesnt just run it for me in the first ...8af2ece
bump ginkgo878940c
fix incorrect handling of nil slices in HaveExactElements (fixes #771)f5bec80
clean up bipartitegraph testsUpdates
github.com/paketo-buildpacks/occam
from 0.18.7 to 0.18.8Release notes
Sourced from github.com/paketo-buildpacks/occam's releases.
Commits
1193f3c
Bump docker to version 26.1.5 to fix CVE-2024-411105cd4ede
Updates go mod version to 1.23.02e5b930
Updates go mod version to 1.22.6815b014
Bump github.com/paketo-buildpacks/packit/v2 from 2.14.1 to 2.14.274a79fb
Bump github.com/paketo-buildpacks/packit/v2 from 2.14.0 to 2.14.190134a5
Bump github.com/google/go-containerregistry from 0.20.1 to 0.20.2653a6fb
Bump github.com/onsi/gomega from 1.34.0 to 1.34.1ed0e429
Bump github.com/onsi/gomega from 1.33.1 to 1.34.0f467245
Updates go mod version to 1.22.5c97acf2
Bump github.com/google/go-containerregistry from 0.20.0 to 0.20.1Updates
github.com/paketo-buildpacks/packit/v2
from 2.14.0 to 2.14.2Release notes
Sourced from github.com/paketo-buildpacks/packit/v2's releases.
Commits
3bc586e
do not run draft release workflow on branches named v2-<something>d558b87
Bump github.com/onsi/gomega from 1.33.1 to 1.34.19f2a7b3
Bump github.com/gabriel-vasile/mimetype from 1.4.4 to 1.4.5b117031
Updating github-configb6530bc
Include error handling7222905
Fix override of existing values in prepend & appende366827
Updating github-configa8ac405
Bump github.com/gabriel-vasile/mimetype from 1.4.3 to 1.4.44ff7347
Bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0Updates
dario.cat/mergo
from 1.0.0 to 1.0.1Release notes
Sourced from dario.cat/mergo's releases.
Commits
59ea6a9
Merge pull request #251 from joshkaplinsky/joshkaplinsky/without-dereference-...96f24af
Merge pull request #253 from vsemichev/master2f1a615
fixes issue #187. adds test to verify the fix.4da170b
fixes issue #187. attempt #3a13a117
fixes issue #187. attempt #26b830ff
fixes issue #187f33862a
WithoutDereference should respect structscde9f0e
Merge pull request #246 from darccio/darccio/v1-frozenf1e2fe5
chore: frozen v17f7b4af
Update FUNDING.ymlUpdates
github.com/DataDog/zstd
from 1.5.5 to 1.5.6Release notes
Sourced from github.com/DataDog/zstd's releases.
Commits
b52f603
Merge pull request #143 from DataDog/viq111/1.5.6cf4778e
Update Readme for 1.5.6ed87d43
Update vendored zstd to 1.5.6dd7b332
Merge pull request #136 from colinlyguo/fix-readmebeb4dfd
Merge pull request #141 from DataDog/sfluor-patch-1e75a26a
Update upperBound ratio when guessing the required decompression buffer sizec9a5141
fix readme869dae0
Merge pull request #132 from DataDog/viq111/bulk-fix-highlycompressed-payloadsbf7b920
[bulk] Add extra empty payload decompression test9c0d33f
[bulk] Fix namingUpdates
github.com/Masterminds/semver/v3
from 3.2.1 to 3.3.0Release notes
Sourced from github.com/Masterminds/semver/v3's releases.
Changelog
Sourced from github.com/Masterminds/semver/v3's changelog.
Commits
e6e3d4d
Merge pull request #249 from mattfarina/update-changelog-3.3.0e80c4ea
Updating changelog for 3.3.080427ad
Merge pull request #248 from mattfarina/bump-min-versionb610837
bumping min version in go.mod based on what's testeda4cccd8
Merge pull request #246 from mattfarina/bump-go-1.237c178cf
Updating the testing version of Go used29f94c1
Merge pull request #241 from grosser/grosser/validate2cf1b16
Merge pull request #245 from mattfarina/remove-vertb55476a
Removing reference to vertd07450b
simplify StrictNewVersionUpdates
github.com/Masterminds/sprig/v3
from 3.2.3 to 3.3.0Release notes
Sourced from github.com/Masterminds/sprig/v3's releases.
Changelog
Sourced from github.com/Masterminds/sprig/v3's changelog.
Commits
e708470
Merge pull request #408 from mattfarina/update-changelog-3.38fc4354
Updating the changelog for the 3.3.0 releasecb81a32
Merge pull request #407 from mattfarina/remove-dup-math-functions2637693
Removing duplicate documentation06b9a87
Merge pull request #290 from zzhu41/patch-1e663ec6
Merge pull request #369 from chey/patch-1bb2f73f
Merge pull request #375 from carlpett/patch-1f07659e
Merge pull request #400 from itzik-elayev/master98b35c1
Add closing bracket7a88928
Merge pull request #406 from mattfarina/update-mergoUpdates
github.com/Microsoft/hcsshim
from 0.12.4 to 0.12.6Release notes
Sourced from github.com/Microsoft/hcsshim's releases.
Commits
f922f2a
Omnibus dependency updates (#2051)7d25ce2
Update module versions85a5a57
drop usage of deprecated package/methodsd4b1cc0
Bump opa/containerd to latest versions6a5ebd3
Upgrade deps to resolve CVEs (#2225)4f46058
Omnibus dependency update (#2166)e970943
Modifying network flag EnableIov.4f77a09
Hcsshim wrapper over HNS API needed for exclusion of management mac addresses...3b5bd8a
[release/0.12] vendor: github.com/containerd/containerd v17.1840cdbc8
Adding state attribute to the HNSEndpoint struct to support hyperv containers...Updates
github.com/cloudflare/circl
from 1.3.9 to 1.4.0Release notes
Sourced from github.com/cloudflare/circl's releases.
Commits
c311e46
Preparing for release v1.4.062385a8
Add ML-KEM decapsulation key check.2b4626d
Add ML-KEM (FIPS 203).d26845f
eddilithium3: fix typosUpdates
github.com/containerd/errdefs
from 0.1.0 to 0.2.0Release notes
Sourced from github.com/containerd/errdefs's releases.
Commits
02b65bc
Merge pull request #18 from dmcgowan/add-missing-interfaces41d12e1
Complete interface definitions for errors70440b8
Merge pull request #7 from dmcgowan/grpc-error-detailsb9dce4d
Add support for grpc error detailsffb0349
Update Resolve function to support Is interface124d0dc
Merge pull request #10 from dmcgowan/custom-error-messagesdc9b20e
Add support for custom error messages6c7f402
Merge pull request #9 from dmcgowan/resolve-error9f87502
Add a resolve error function to return first error6fb6cf0
Merge pull request #8 from dmcgowan/add-stack-supportUpdates
github.com/cyphar/filepath-securejoin
from 0.2.5 to 0.3.2Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.
... (truncated)
Changelog
Sourced from github.com/cyphar/filepath-securejoin's changelog.
... (truncated)
Commits
e408943
VERSION: release v0.3.21c875f5
CHANGELOG: fix headersfdaafcc
merge #25 into cyphar/filepath-securejoin:main1acda83
mkdirall: correctly handle sgid directory parent8484faf
tests: mkdirall: refactor check and mkdirall helpers350d697
mkdirall: explicitly return an error for suid/sgid bits43b1026
tests: procfs: skip procfs tests if overmounting is blocked82e5725
VERSION: back to developmentce7b28a
VERSION: release v0.3.1a2c14f8
CHANGELOG: add readlinkat(fd, "") shout-outUpdates
github.com/docker/cli
from 27.0.2+incompatible to 27.1.1+incompatibleCommits
6312585
Merge pull request #5274 from thaJeztah/27.1_backport_compose_oomc599566
Allow for OomScoreAdjfb19def
Merge pull request #5271 from thaJeztah/27.1_backport_custom_headers_env_varbccd478
Merge pull request #5270 from thaJeztah/27.1_backport_test_spring_cleaning8992378
add support for DOCKER_CUSTOM_HEADERS env-var (experimental)f90273c
Merge pull request #5269 from thaJeztah/27.1_backport_add_macos_apple_siliconca9636a
test spring-cleaningad47d2a
gha: update to macOS 13, add macOS 14 arm64 (Apple Silicon M1)a2a0fb7
Merge pull request #5263 from thaJeztah/27.1_backport_relax_pr_check16d6c90
Merge pull request #5265 from thaJeztah/27.1_backport_bump_buildx_composeUpdates
github.com/gabriel-vasile/mimetype
from...Description has been truncated