tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Upgrade runc to latest. #109

Closed coltonfreeman26 closed 2 years ago

coltonfreeman26 commented 2 years ago

Good day all, I am wondering if there are any plans to update the version of runc you use? Currently you are on 1.1.0 and runc 1.1.2 was released a couple of weeks ago. Thank you.

Usage: gosu user-spec command [args]
   eg: gosu tianon bash
       gosu nobody:root bash -c 'whoami && id'
       gosu 1000:1 id

gosu version: 1.14 (go1.16.7 on linux/amd64; gc)
gosu license: Apache-2.0 (full text at https://github.com/tianon/gosu)

I just read that gosu 1.14 uses runc 1.0.1

tianon commented 2 years ago

Yeah, I'll update the go.mod to point to the newer version, but I will warn that I don't plan to make a new release that contains that change as there are no functional changes to the bits of runc that gosu actually invokes which make a new release worth doing.

tianon commented 2 years ago

(If this is CVE-motivated, I'd suggest checking out #104)

coltonfreeman26 commented 2 years ago

Thank you for getting back so quickly. I have looked there and this is CVE-motivated. https://github.com/advisories/GHSA-f3fp-gc8g-vw66 Please let me know if there is any other information you need.

tianon commented 2 years ago

Thanks, added!

  • CVE-2022-29162: does not use capabilities (#109)

olljanat commented 2 years ago

@tianon can you also release new version with this fix included?

adberger commented 2 years ago

@tianon I would also love to have a new gosu release with runc v1.1.2. Our security scanner is listing these CVEs because it has no context or information like this: https://github.com/tianon/gosu/issues/104 Making exceptions seems unnecessary.

If you really don't intend to release a new version, am I allowed to build my own version? gosu is Apache License Version 2.0

tianon commented 2 years ago

https://github.com/tianon/gosu/issues/104#issuecomment-1151385412:

I try to keep the main development branch up-to-date with newer package versions, but I have no plans to make a new release of gosu unless there is a compelling reason to do so (changes to/CVEs in the actual codepaths gosu invokes, changes to gosu itself, etc).

(You really should report anything like this to your security scanner vendor -- they're 100% false-positives.)

If you really don't intend to release a new version, am I allowed to build my own version?

You are free to make your own builds of gosu, yes (distributions like Debian already do this, even with different versions of the dependencies than I do). If you are doing more than just rebuilding the upstream project as-is, I only request that you call your project/binaries something other than gosu. :heart:
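For anyone triaging the scanner findings discussed in this thread, here is an added example (not part of gosu or of this issue) that reads the module versions Go stamps into a binary, as `go version -m` prints them, and reports whether the embedded runc predates v1.1.2, the release the linked advisory names as fixed. `SAMPLE_BUILDINFO` is constructed sample output mimicking that format for a build like the one in the issue; as tianon notes above, an older version alone says nothing about whether the affected capability code path is ever reached by gosu.

```python
import re
import subprocess
from typing import Optional

# Module the thread is about, and the runc release that fixes CVE-2022-29162
# (GHSA-f3fp-gc8g-vw66) according to the advisory linked in the issue.
RUNC_MODULE = "github.com/opencontainers/runc"
FIXED_VERSION = "v1.1.2"

# Constructed sample of `go version -m gosu` output (tab-separated fields),
# with the runc version from the build shown in the issue. Hashes are fake.
SAMPLE_BUILDINFO = """gosu: go1.16.7
\tpath\tgithub.com/tianon/gosu
\tmod\tgithub.com/tianon/gosu\t(devel)
\tdep\tgithub.com/opencontainers/runc\tv1.1.0\th1:CONSTRUCTED-SUM=
\tdep\tgolang.org/x/sys\tv0.0.0-20220412211240-33da011f77ad\th1:CONSTRUCTED-SUM=
"""


def parse_version(v: str) -> tuple:
    """Turn 'vMAJOR.MINOR.PATCH' (or the base of a pseudo-version) into a tuple."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Go module version: {v}")
    return tuple(int(x) for x in m.groups())


def embedded_version(buildinfo: str, module: str = RUNC_MODULE) -> Optional[str]:
    """Return the version of `module` recorded as a dep, or None if it is absent."""
    for line in buildinfo.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] == "dep" and fields[1] == module:
            return fields[2]
    return None


def needs_rebuild(buildinfo: str) -> bool:
    """True when the binary embeds a runc older than the fixed release."""
    found = embedded_version(buildinfo)
    if found is None:
        return False  # runc is not linked in at all
    return parse_version(found) < parse_version(FIXED_VERSION)


def check_binary(path: str) -> bool:
    """Run `go version -m` on a real binary (needs a Go toolchain) and triage it."""
    proc = subprocess.run(["go", "version", "-m", path],
                          check=True, capture_output=True, text=True)
    return needs_rebuild(proc.stdout)


if __name__ == "__main__":
    print("embedded runc:", embedded_version(SAMPLE_BUILDINFO))
    print("older than fixed release:", needs_rebuild(SAMPLE_BUILDINFO))
```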