[release/1.6] vendor: github.com/containerd/imgcrypt v1.1.4

[thaJeztah]

• Fixed issue in CheckAuthorization() callpath for images with a ManifestList
  • CVE-2022-24778
  • Fix: containerd/imgcrypt@6fdd981
  • Added test case covering this
• Updated to ocicrypt 1.1.3
• Updated to containerd 1.6.1

[thaJeztah]

hmm... interesting; why does it roll back this one? opencontainers/image-spec@v1.0.2...693428a

[kzys]

1.0.2-0.20211117181255-693428a734f5 is actually older than 1.0.2.

https://go.dev/ref/mod#pseudo-versions

vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef is used when the base version is a release version like vX.Y.Z. For example, if the base version is v1.2.3, a pseudo-version might be v1.2.4-0.20191109021931-daa7c04131f5.

So 1.0.2-0.[date]-[sha1hex] is 1.0.1 + some changes.

[thaJeztah]

So, it's "older" but different branch so they cannot be compared;

• opencontainers/image-spec@693428a is from the main branch, which has various things that are not in v1.0.2
• v1.0.2 (commit opencontainers/image-spec@67d2d56) is on the v1 branch; perhaps it has a more recent commit date, but the code is older, as it was branched from the v1.0.1 tag

[thaJeztah]

Go modules only works if all tags are either released from the main branch (so no release branches are used), or if a new tag is created on main (v1.0.3-alpha.0) after a release branch is created (even then, I'm not sure if would do the comparison correctly in this case if it's a pseudo tag, and it's looking at the date)

[thaJeztah]

So the situation was something like;

main ---- v1.0.1 ---------------- patch for GHSA-77vh-xpmg-72qh -> 693428a734f5
            |
            |                                                               
            +-------------------- patch for GHSA-77vh-xpmg-72qh -> v1.0.2

But I think the v1 branch was also merged into main

The fun thing is that the commit we use (from the main branch) (opencontainers/image-spec@693428a) looks to be newer;

commit 693428a734f5bab1a84bd2f990d92ef1111cd60c (HEAD)
Merge: 9a7a987 6ced3bd
Author: Vincent Batts <vbatts@hashbangbash.com>
Date:   Wed Nov 17 13:12:55 2021 -0500

    Merge pull request from GHSA-77vh-xpmg-72qh

The v1.0.2 tag (on v1 branch_ (opencontainers/image-spec@67d2d56):

commit 67d2d5658fe0476ab9bf414cec164077ebff3920 (HEAD, tag: v1.0.2)
Author: Vincent Batts <vbatts@hashbangbash.com>
Date:   Tue Nov 9 12:04:38 2021 -0500

    version: release 1.0.2

    Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

[thaJeztah]

This looks like a possible bug in go modules; this is a direct dependency of containerd, but it ignores the version we specify, and rolls it back to the last tagged release

[thaJeztah]

or is this an instance of release branches on that repo? and opencontainers/image-spec@693428a...v1.0.2

[estesp]

LGTM

[AkihiroSuda]

Could you open a main PR then cherry-pick?

[thaJeztah]

main branch looks to be already ahead of 1.1.4;

containerd/go.mod

Line 17 in 3633cae

github.com/containerd/imgcrypt v1.1.4-0.20220322210345-7eff50ecc4f6

I also have a branch for 1.5, but need to looks at the diff, as it's pushing various other dependencies as well (so possibly some replace rules are needed)

[tonistiigi]

this should be https://github.com/moby/buildkit/pull/2764/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R42

[thaJeztah]

Ah, right, so that's the merge commit that merged back the v1.0 branch into main, right? opencontainers/image-spec@693428a...c5a74bc

I guess that fixes it, without introducing changes, yes (thanks!)

It's still somewhat ridiculous that these things are needed (especially the "roll back to what we think is more current).

[thaJeztah]

opened #6766