Skip to content

build(deps): bump zeebe-io/backport-action from 0.0.5 to 0.0.7#12

Closed
dependabot[bot] wants to merge 0 commit intomainfrom
dependabot/github_actions/zeebe-io/backport-action-0.0.7
Closed

build(deps): bump zeebe-io/backport-action from 0.0.5 to 0.0.7#12
dependabot[bot] wants to merge 0 commit intomainfrom
dependabot/github_actions/zeebe-io/backport-action-0.0.7

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Oct 28, 2021
edited
Loading

Bumps zeebe-io/backport-action from 0.0.5 to 0.0.7.

Release notes

Sourced from zeebe-io/backport-action's releases.

Backport-action 0.0.7

Bug fixes

  • baseref is sometimes not found #187

Other

  • update dependencies to latest available

Full Changelog: korthout/backport-action@v0.0.6...v0.0.7

Backport-action 0.0.6

Features

  • add placeholder ${pull_author} for username of the original pull request's author #84

Bug fixes

  • pull request cannot be backported when branch is deleted from github #90

Other

  • deprecate version input #103 From now on, users no longer need to provide this input. Previously, this input was required by the action and had to be kept in-sync with the action's version. For backwards compatibility it was deprecated, but it is no longer used for anything. Users can safely remove it from the with section of their workflow.
  • fetch all necessary git refs #162 The backport action now fetches only the necessary git history. Previously, users had to set fetch-depth: 0 for the actions/checkout@v2 action, to fetch the entire git history. This is no longer needed.
  • update dependencies to latest available
Commits
  • 7273c12 build: release 0.0.7
  • 2fd3fb4 Merge pull request #187 from zeebe-io/fix-baseref-not-found
  • 09eede4 dist: build a new version
  • 04ece8b fix(backport): fetch baseref explicitly
  • bfb93cc Merge pull request #185 from zeebe-io/build-cache-npm-deps
  • 11b8702 ci: cache npm dependencies
  • f7b1813 Merge pull request #184 from zeebe-io/dependabot/github_actions/actions/setup...
  • 306015e build(deps): bump actions/setup-node from 1 to 2.4.1
  • 4ce279f Merge pull request #183 from zeebe-io/dependabot-enable-gh-actions
  • 000c66e ci(dependabot): enable for gh-actions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from Mic92 as a October 28, 2021 23:13
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 28, 2021
@Mic92 Mic92 force-pushed the main branch 2 times, most recently from b947638 to 2068250 Compare October 30, 2021 14:35
@Mic92 Mic92 force-pushed the main branch 2 times, most recently from 0bc22c7 to 391d99c Compare November 4, 2021 12:50
@Mic92 Mic92 force-pushed the main branch 3 times, most recently from a676746 to 8f550a2 Compare November 8, 2021 19:01
@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Nov 8, 2021

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from 88161fc to 43324e3 Compare November 8, 2021 19:17
@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from 43324e3 to d40c6ac Compare November 13, 2021 05:16
@Mic92 Mic92 force-pushed the main branch 5 times, most recently from ac6835d to 7f611ac Compare November 21, 2021 10:55
@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from d40c6ac to 5cd4f1a Compare November 23, 2021 12:50
@Mic92 Mic92 force-pushed the main branch 3 times, most recently from d7ba4bb to 8639365 Compare December 2, 2021 14:12
@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from 5cd4f1a to 4d0b7e0 Compare December 2, 2021 14:13
@Mic92 Mic92 force-pushed the main branch 2 times, most recently from db152a9 to b31e0be Compare December 11, 2021 12:06
@Mic92 Mic92 force-pushed the main branch 2 times, most recently from cb78371 to f9ce787 Compare December 16, 2021 12:29
@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from 5c70dc7 to 8ca9b88 Compare December 19, 2021 03:06
@Mic92 Mic92 force-pushed the main branch 4 times, most recently from 764b379 to ab7cdc4 Compare December 31, 2021 14:45
@dependabot dependabot bot force-pushed the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch from 8ca9b88 to 086616b Compare January 8, 2022 20:38
@Mic92 Mic92 force-pushed the main branch 7 times, most recently from 45e92be to 618e45a Compare January 9, 2022 08:26
@Mic92 Mic92 closed this Jan 9, 2022
@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Jan 9, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@Mic92 Mic92 deleted the dependabot/github_actions/zeebe-io/backport-action-0.0.7 branch January 9, 2022 15:45
@Mic92
Copy link
Copy Markdown
Owner

Mic92 commented Jan 9, 2022

@dependabot ignore this minor version

@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Jan 9, 2022

OK, I won't notify you about version 0.0.x again, unless you re-open this PR or update to a 0.0.x release yourself.

Mic92 pushed a commit that referenced this pull request May 11, 2022
@Ma27
ghostscript: use system-wide openjpeg
d921815 
The following error occurs when using `imagemagickBig`:

    $ ./result/bin/identify sample.jp2
    [1]    699089 IOT instruction (core dumped)  ./result/bin/identify sample.jp2

When looking at the call-trace it seems as if certain symbols, e.g.
`opj_malloc` are mixed up:

    #8  0x00007f78c79ad2f5 in MagickSignalHandler.cold () from /nix/store/bqy80qiw6czqh7vsmmmivwdswp9zzjgl-imagemagick-7.1.0-29/lib/libMagickCore-7.Q16HDRI.so.10
    #9  <signal handler called>
    #10 0x00007f78c5a6095f in opj_malloc () from /nix/store/wg6ly83k1k1fjiygiv1jr7li3p6dwsvq-ghostscript-with-X-9.55.0/lib/libgs.so.9
    #11 0x00007f78c5a60981 in opj_calloc () from /nix/store/wg6ly83k1k1fjiygiv1jr7li3p6dwsvq-ghostscript-with-X-9.55.0/lib/libgs.so.9
    #12 0x00007f78c4f48e24 in opj_create_decompress () from /nix/store/qwalb0kjz1p9c4j48qkk6ql47ds2lnhh-openjpeg-2.4.0/lib/libopenjp2.so.7

The `opj_create_decompress()` is called from the `openjpeg`-integration
of `imagemagick` and thus shouldn't affect `ghostscript` at all.
However, `ghostscript` (`libgs.so` to be precise) also exposes e.g.
`opj_malloc`:

    $ objdump -t /nix/store/wg6ly83k1k1fjiygiv1jr7li3p6dwsvq-ghostscript-with-X-9.55.0/lib/libgs.so.9.55|grep opj_malloc
    0000000000205940 g     F .text	000000000000002b              opj_malloc

Because of that, two incompatible symbols are used in the same process
and thus the `identify`-call breaks because the wrong one is used. To
work around that I decided to use the system-wide openjpeg instead.
I'm not sure why `libgs.so` wants to expose these symbols anyways, but
with that workaround the problem is solved.

Even though it's mentioned that ghostscript's openjpeg is heavily
patched, I think that this is somewhat outdated or at least irrelevant
considering that both ArchLinux[1] and Fedora[2] use the system-wide
`openjpeg` instead.

[1] https://github.com/archlinux/svntogit-packages/blob/bafcb5473b59d5386dd110d1cb249372dce9ea6c/trunk/PKGBUILD#L50
[2] https://src.fedoraproject.org/rpms/ghostscript/blob/e4eec13ab6ace2bad64b740d352964bbf61d1aa7/f/ghostscript.spec#_245
Mic92 pushed a commit that referenced this pull request Apr 2, 2025
@arianvp
fluent-bit: 3.2.9 -> 3.2.6
1ff2c33 
fluent-bit 3.2.7, 3.2.8 and 3.2.9 are segfaulting when
used in combination with the systemd input. Lets
revert to 3.2.6 for now.

Upstream bug: fluent/fluent-bit#10139

Note that fluent-bit-3.2.7 fixes two high CVEs which we are now
reintroducing. However they are only exploitable if you are
using the OpenTelemetry input or the Prometheus Remote Write input.

OpenTelemetry input: [CVE-2024-50609](https://nvd.nist.gov/vuln/detail/CVE-2024-50609)
Prometheus Remote Write input: [CVE-2024-50608](https://nvd.nist.gov/vuln/detail/CVE-2024-50608)

The problem is as follows:

3.2.7 started vendoring a copy of `libzstd` in tree and statically
linking against it. Also, the fluent-bit binary exports the symbols
of static libraries it links against.

This is a problem because `libzstd` gets `dlopen()`ed by `libsystemd`
when enumerating the journal (as journal logs are zstd compressed). and `libzstd` in Nixpkgs is built
with `-DZSTD_LEGACY_SUPPORT=0` which causes `struct ZSTD_DCtx` to be 16
bytes smaller than without this flag https://github.com/facebook/zstd/blob/dev/lib/decompress/zstd_decompress_internal.h#L183-L187

`libsystemd` calls [`sym_ZSTD_createDCtx()`](https://github.com/systemd/systemd/blob/1e79a2923364b65fc9f347884dd5b9b2087f6e32/src/basic/compress.c#L480)
which calls the function pointer returned by `dlsym()` which is calling into
the `libzstd` that comes with `nixpkgs` and thus allocates a struct that is 16 bytes smaller.

Later then `sym_ZSTD_freeDCtx()` is called. However because fluent-bit
has `zstd` in its global symbol table, any functions that `sym_ZSTD_freeDCtx()`
calls will be calls to the functions in the vendored fluent-bit version of the library
which expects the larger struct. This then causes enough heap corruption to cause
a segfault.

E.g. the subsequent calls to `ZSTD_clearDict(dctx)` and `ZSTD_customFree(dctx->inBuff)`
in https://github.com/facebook/zstd/blob/dev/lib/decompress/zstd_decompress.c#L324
will be working on a struct that is 16 bytes smaller than the one that was allocated
by `libsystemd` and will cause a segfault at some point and thus are probably modifying
pieces of memory that they shouldn't

	(gdb) bt
	#0  0x00007f10e7e9916c in __pthread_kill_implementation () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#1  0x00007f10e7e40e86 in raise () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#2  0x00007f10e7e2893a in abort () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#3  0x000000000046a938 in flb_signal_handler ()
	#4  <signal handler called>
	#5  0x00007f10e7ea42b7 in unlink_chunk.isra () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#6  0x00007f10e7ea45cd in _int_free_create_chunk () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#7  0x00007f10e7ea5a1c in _int_free_merge_chunk () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#8  0x00007f10e7ea5dc9 in _int_free () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#9  0x00007f10e7ea8613 in free () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#10 0x00007f10e80ad3b5 in ZSTD_freeDCtx () from /nix/store/wy0slah6yvchgra8nhp6vgrqa6ay72cq-zstd-1.5.6/lib/libzstd.so.1
	#11 0x00007f10e8c90f6b in decompress_blob_zstd () from /nix/store/b2cfj7yk3wfg1jdwjzim7306hvsc5gnl-systemd-257.3/lib/libsystemd.so.0
	#12 0x00007f10e8bf0efe in journal_file_data_payload () from /nix/store/b2cfj7yk3wfg1jdwjzim7306hvsc5gnl-systemd-257.3/lib/libsystemd.so.0
	#13 0x00007f10e8c00f74 in sd_journal_enumerate_data () from /nix/store/b2cfj7yk3wfg1jdwjzim7306hvsc5gnl-systemd-257.3/lib/libsystemd.so.0
	#14 0x00000000004eae2f in in_systemd_collect ()
	#15 0x00000000004eb5a0 in in_systemd_collect_archive ()
	#16 0x000000000047aa18 in flb_input_collector_fd ()
	#17 0x0000000000495223 in flb_engine_start ()
	#18 0x000000000046f304 in flb_lib_worker ()
	#19 0x00007f10e7e972e3 in start_thread () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6
	#20 0x00007f10e7f1b2fc in __clone3 () from /nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6

Reverts 7310ab3
Reverts 4fbc6cf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Awaiting requested review from Mic92

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Mic92