
Conversation

@EmilienM (Member) commented Feb 3, 2021

@EmilienM EmilienM changed the title Update gogo/protobuf to v1.3.2 Bug 1924532 - Update gogo/protobuf to v1.3.2 Feb 3, 2021
@EmilienM EmilienM changed the title Bug 1924532 - Update gogo/protobuf to v1.3.2 Bug 1924532: Update gogo/protobuf to v1.3.2 Feb 3, 2021
@openshift-ci-robot openshift-ci-robot added bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Feb 3, 2021
@openshift-ci-robot

@EmilienM: This pull request references Bugzilla bug 1924532, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924532: Update gogo/protobuf to v1.3.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@iamemilio

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2021
@iamemilio

/approve
/hold until passing

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 3, 2021
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iamemilio

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 3, 2021
@mdbooth commented Feb 4, 2021

/hold

This is hopefully just precautionary as I'm honestly not sure what I'm looking at here. However, I have 2 concerns about this patch:

  1. The revendor of gogo/protobuf doesn't seem to contain the CVE fix: gogo/protobuf@b03c65e
  2. I'm not sure about the various dependent mod updates

Presumably (2) is just transitive updates from gogo/protobuf, but I'd like to convince myself of that. The first one seems problematic, though.

return "", "", fmt.Errorf(`\%c%s is not a valid Unicode code point`, r, ss)
}
return string(i), s, nil
return string(rune(i)), s, nil
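Review bot: the only change in this hunk, `string(i)` to `string(rune(i))` on the last line, is behaviour-preserving (the same code point is produced; it silences the Go 1.15 vet stringintconv warning) and is unrelated to the plugin/unmarshal code-generator fix this thread is about, so its presence in the vendored tree says nothing about whether the CVE fix is carried.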

This doesn't seem to be the actual CVE fix: gogo/protobuf@b03c65e

Going to try to work out what's going on here, as the explicit request was to bump to v1.3.2, which you've done.

go mod vendor performs some treeshaking on a subpackage-basis.

The fix you linked refers to the file plugin/unmarshal/unmarshal.go which is not present in the vendor/github.com/gogo/protobuf folder. This means that the fix applies to some code that is not used in CAPO

Bumping the dependency prevents any further code change to introduce the vulnerable version of the affected plugin/unmarshal subpackage; however it can be deferred to 4.8 at this point.

What seems to be going on here is that the vendor copy doesn't contain the plugin/unmarshal/unmarshal.go at all, so doesn't contain the CVE fix. This discussion seems relevant: golang/go#26366 (comment) . If I'm reading that correctly, the go mod vendor is only pulling in files from the target which are actually used to build. If that's the case then presumably:

  • This patch is correctly updating the module version to 1.3.2
  • It turns out it's not critical as we're not touching the CVE code anyway

@mdbooth commented Feb 4, 2021

This patch correctly bumps gogo/protobuf to v1.3.2.

HOWEVER, because the CVE is in a code generator, this isn't how this problem needs to be addressed. We need to address the problem in every package which we vendor which generates code with protobuf. As per my original supposition that seems to be almost everything. Grepping for instances of generated vulnerable code reveals 51 instances:

$ git grep -l "if skippy < 0 {"
vendor/k8s.io/api/admission/v1/generated.pb.go
vendor/k8s.io/api/admission/v1beta1/generated.pb.go
vendor/k8s.io/api/admissionregistration/v1/generated.pb.go
vendor/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
vendor/k8s.io/api/apps/v1/generated.pb.go
vendor/k8s.io/api/apps/v1beta1/generated.pb.go
vendor/k8s.io/api/apps/v1beta2/generated.pb.go
vendor/k8s.io/api/authentication/v1/generated.pb.go
vendor/k8s.io/api/authentication/v1beta1/generated.pb.go
vendor/k8s.io/api/authorization/v1/generated.pb.go
vendor/k8s.io/api/authorization/v1beta1/generated.pb.go
vendor/k8s.io/api/autoscaling/v1/generated.pb.go
vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go
vendor/k8s.io/api/autoscaling/v2beta2/generated.pb.go
vendor/k8s.io/api/batch/v1/generated.pb.go
vendor/k8s.io/api/batch/v1beta1/generated.pb.go
vendor/k8s.io/api/batch/v2alpha1/generated.pb.go
vendor/k8s.io/api/certificates/v1/generated.pb.go
vendor/k8s.io/api/certificates/v1beta1/generated.pb.go
vendor/k8s.io/api/coordination/v1/generated.pb.go
vendor/k8s.io/api/coordination/v1beta1/generated.pb.go
vendor/k8s.io/api/core/v1/generated.pb.go
vendor/k8s.io/api/discovery/v1alpha1/generated.pb.go
vendor/k8s.io/api/discovery/v1beta1/generated.pb.go
vendor/k8s.io/api/events/v1/generated.pb.go
vendor/k8s.io/api/events/v1beta1/generated.pb.go
vendor/k8s.io/api/extensions/v1beta1/generated.pb.go
vendor/k8s.io/api/flowcontrol/v1alpha1/generated.pb.go
vendor/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go
vendor/k8s.io/api/networking/v1/generated.pb.go
vendor/k8s.io/api/networking/v1beta1/generated.pb.go
vendor/k8s.io/api/node/v1alpha1/generated.pb.go
vendor/k8s.io/api/node/v1beta1/generated.pb.go
vendor/k8s.io/api/policy/v1beta1/generated.pb.go
vendor/k8s.io/api/rbac/v1/generated.pb.go
vendor/k8s.io/api/rbac/v1alpha1/generated.pb.go
vendor/k8s.io/api/rbac/v1beta1/generated.pb.go
vendor/k8s.io/api/scheduling/v1/generated.pb.go
vendor/k8s.io/api/scheduling/v1alpha1/generated.pb.go
vendor/k8s.io/api/scheduling/v1beta1/generated.pb.go
vendor/k8s.io/api/settings/v1alpha1/generated.pb.go
vendor/k8s.io/api/storage/v1/generated.pb.go
vendor/k8s.io/api/storage/v1alpha1/generated.pb.go
vendor/k8s.io/api/storage/v1beta1/generated.pb.go
vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go
vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.pb.go
vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
vendor/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.pb.go
vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go
vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
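Added example, not code from this PR or from cluster-api-provider-openstack: a small audit helper for the two points made in this thread, that `go mod vendor` copies only the packages actually imported (so the presence of a fix in a module's source says nothing unless the subpackage is in vendor/) and that the generated `*.pb.go` files, not the gogo/protobuf module, are where the affected code lives. It reads vendor/modules.txt to answer the first question and classifies generated files by their skip-length guard to answer the second. The `if skippy < 0 {` pattern is the one grepped for above; that the fixed generators emit the overflow-aware `(skippy < 0) || (iNdEx+skippy) < 0` form instead is my recollection of the upstream fix, not something this thread states, so verify it against the kubernetes/kubernetes#98477 diff before relying on it. The modules.txt content and code snippets at the bottom are constructed samples so the program runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseModulesTxt maps each module path to the import paths vendored from it.
// vendor/modules.txt (Go 1.14+) has "# <module> <version>" header lines,
// optional "## explicit" annotations, and one vendored import path per line.
func ParseModulesTxt(content string) map[string][]string {
	mods := map[string][]string{}
	cur := ""
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			continue
		case strings.HasPrefix(line, "# "):
			cur = strings.Fields(line[2:])[0]
			if _, ok := mods[cur]; !ok {
				mods[cur] = []string{}
			}
		case cur != "":
			mods[cur] = append(mods[cur], line)
		}
	}
	return mods
}

// IsVendored reports whether importPath was copied into vendor/ at all.
func IsVendored(mods map[string][]string, importPath string) bool {
	for _, pkgs := range mods {
		for _, p := range pkgs {
			if p == importPath {
				return true
			}
		}
	}
	return false
}

// GuardKind classifies the skip-length guard in generated unmarshal code.
type GuardKind int

const (
	GuardNone     GuardKind = iota // no skippy guard: not generated unmarshal code
	GuardOld                       // "if skippy < 0 {" only: pre-fix generator output
	GuardHardened                  // overflow-aware guard: post-fix output (assumed form)
)

const (
	oldGuard      = "if skippy < 0 {"
	hardenedGuard = "(skippy < 0) || (iNdEx+skippy) < 0"
)

// ClassifyGuard is deliberately conservative: one old-form guard anywhere in
// the file flags it, even if other messages in the same file were regenerated.
func ClassifyGuard(src string) GuardKind {
	switch {
	case strings.Contains(src, oldGuard):
		return GuardOld
	case strings.Contains(src, hardenedGuard):
		return GuardHardened
	}
	return GuardNone
}

// ScanVendor walks root for *.pb.go files and classifies each one.
func ScanVendor(root string) (map[string]GuardKind, error) {
	out := map[string]GuardKind{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, ".pb.go") {
			return err
		}
		b, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		out[path] = ClassifyGuard(string(b))
		return nil
	})
	return out, err
}

// Constructed samples (not copied from any real vendor tree).
const SampleModulesTxt = `# github.com/gogo/protobuf v1.3.2
## explicit
github.com/gogo/protobuf/proto
github.com/gogo/protobuf/sortkeys
# k8s.io/api v0.20.0
k8s.io/api/core/v1
`
const OldGuardSnippet = "\t\tif skippy < 0 {\n\t\t\treturn ErrInvalidLengthGenerated\n\t\t}\n"
const HardenedGuardSnippet = "\t\tif (skippy < 0) || (iNdEx+skippy) < 0 {\n\t\t\treturn ErrInvalidLengthGenerated\n\t\t}\n"

func main() {
	mods := ParseModulesTxt(SampleModulesTxt)
	fmt.Println("plugin/unmarshal vendored:", IsVendored(mods, "github.com/gogo/protobuf/plugin/unmarshal"))
	fmt.Println("old snippet flagged:", ClassifyGuard(OldGuardSnippet) == GuardOld)
	fmt.Println("hardened snippet clean:", ClassifyGuard(HardenedGuardSnippet) == GuardHardened)
}
```

To run it against a real checkout, read `vendor/modules.txt` into `ParseModulesTxt` and point `ScanVendor` at the `vendor/` directory; every path reported as `GuardOld` belongs to a module that needs a regenerated release, which is the same conclusion the thread reaches about bumping the k8s modules rather than gogo/protobuf alone.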

@mandre (Member) left a comment

This needs a backport of kubernetes/kubernetes#98477 to release-1.20 and bumping the affected k8s modules.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 16, 2021
openshift-ci bot commented May 16, 2021

@EmilienM: PR needs rebase.


@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 16, 2021
@EmilienM EmilienM closed this May 28, 2021
openshift-ci bot commented May 28, 2021

@EmilienM: This pull request references Bugzilla bug 1924532. The bug has been updated to no longer refer to the pull request using the external bug tracker.

In response to this:

Bug 1924532: Update gogo/protobuf to v1.3.2

pierreprinetti pushed a commit to shiftstack/cluster-api-provider-openstack that referenced this pull request Apr 22, 2024
This moves the OS_CLOUD data to a ConfigMap and then references that in
the environment of the controller, instead of injecting OS_CLOUD
directly into the environment variables. This fixes openshift#161.
7 participants