Bug 30422 - docker, bundled golang-x-sys new security issue CVE-2022-29526
Summary: docker, bundled golang-x-sys new security issue CVE-2022-29526
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-13 22:13 CEST by David Walser
Modified: 2022-07-17 23:02 CEST
4 users

See Also:
Source RPM: docker-20.10.14-3.mga8.src.rpm, golang-x-sys-0-0.43.mga9.src.rpm
CVE:
Status comment: Need to see if golang-x-sys can be unbundled

Description David Walser 2022-05-13 22:13:41 CEST
Docker 20.10.16 has been released on May 12:
https://github.com/moby/moby/releases/tag/v20.10.16

It includes a fix for a security issue in its bundled golang-x-sys.

Mageia 8 is also affected.
David Walser 2022-05-13 22:14:11 CEST

CC: (none) => bruno, guillomovitch
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-14 18:08:09 CEST
Updated docker built by Bruno, but golang-x-sys hasn't been fixed yet.

Speaking of which, our docker package BuildRequires some of our packaged golang modules, but not x-sys.  I wonder if that could be fixed.

Current Mageia 8 docker build:
docker-fish-completion-20.10.16-1.mga8
docker-zsh-completion-20.10.16-1.mga8
docker-nano-20.10.16-1.mga8
docker-logrotate-20.10.16-1.mga8
docker-20.10.16-1.mga8
docker-devel-20.10.16-1.mga8

from docker-20.10.16-1.mga8.src.rpm

Status comment: (none) => docker has been updated, golang-x-sys needs to be fixed

Comment 2 Marja Van Waes 2022-05-17 13:08:05 CEST
(In reply to David Walser from comment #1)
> Updated docker built by Bruno, but golang-x-sys hasn't been fixed yet.

Our own golang-x-sys, right? 

CC'ing its registered maintainer, pterjan.

Keeping this report assigned to Bugsquad, because with two packages involved I can't figure out whom to assign to.

> 
> Speaking of which, our docker package BuildRequires some of our packaged
> golang modules, but not x-sys.  I wonder if that could be fixed.
> 
> Current Mageia 8 docker build:
> docker-fish-completion-20.10.16-1.mga8
> docker-zsh-completion-20.10.16-1.mga8
> docker-nano-20.10.16-1.mga8
> docker-logrotate-20.10.16-1.mga8
> docker-20.10.16-1.mga8
> docker-devel-20.10.16-1.mga8
> 
> from docker-20.10.16-1.mga8.src.rpm

CC: (none) => marja11, pterjan

Comment 3 Marja Van Waes 2022-07-16 12:21:52 CEST
I'll clone this report for golang-x-sys and keep this one for docker.


Assigning QA, despite this line in David Walser's comment #1:


> Speaking of which, our docker package BuildRequires some of our packaged
> golang modules, but not x-sys.  I wonder if that could be fixed.

because Bruno already fixed his bundled golang-x-sys in docker a month ago, but our own golang-x-sys still isn't fixed.

> Current Mageia 8 docker build:
> docker-fish-completion-20.10.16-1.mga8
> docker-zsh-completion-20.10.16-1.mga8
> docker-nano-20.10.16-1.mga8
> docker-logrotate-20.10.16-1.mga8
> docker-20.10.16-1.mga8
> docker-devel-20.10.16-1.mga8
> 
> from docker-20.10.16-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs

Marja Van Waes 2022-07-16 12:24:50 CEST

Blocks: (none) => 30646

Marja Van Waes 2022-07-16 13:19:41 CEST

Status comment: docker has been updated, golang-x-sys needs to be fixed => bug 30646 is for our own golang-x-sys now
Blocks: 30646 => (none)
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30646
Summary: docker, golang-x-sys new security issue CVE-2022-29526 => docker, bundled golang-x-sys new security issue CVE-2022-29526

Comment 4 David Walser 2022-07-16 13:40:24 CEST
Where do you see that the bundled golang-x-sys is fixed?

Whiteboard: MGA8TOO => (none)
Assignee: qa-bugs => bruno
Version: Cauldron => 8
Status comment: bug 30646 is for our own golang-x-sys now => Need to see if golang-x-sys can be unbundled

Comment 5 Marja Van Waes 2022-07-16 13:52:58 CEST
(In reply to David Walser from comment #4)
> Where do you see that the bundled golang-x-sys is fixed?

If it isn't, then I misunderstood your comment 1.

When you wrote:

> Updated docker built by Bruno, but golang-x-sys hasn't been fixed yet.

I understood that you meant that docker's golang-x-sys had been fixed, but our own golang-x-sys hadn't.

I admit I wasn't sure at first, that's why I asked (in comment 2):

> Our own golang-x-sys, right? 

However, this morning I misread the docker changelog:

bcornec <bcornec> 20.10.14-3.mga8:
+ Revision: 1825307
- Fix mga#30205 and CVE-2022-24769
- Fix mga#30205 and CVE-2022-24769
- Update libnetwork and requires_exclude golang-ipath
- Update to upstream docker 20.10.9
- Update to upstream docker 20.10 for cgroupv2 support

I saw "Fix mga#30422 and CVE-2022-29526" there :-((((

As soon as I make so many of these mistakes that I become more of a hassle than a help, don't hesitate to tell me.
Comment 6 Marja Van Waes 2022-07-16 14:13:04 CEST
Ah, that was the wrong revision; this one says mga#30422 was fixed, but I still misread the CVE:

bcornec <bcornec> 20.10.16-1.mga8:
+ Revision: 1858109
- Update docker to upstream 20.10.16 to fix mga#30422
- Fix mga#30205 and CVE-2022-24769
- Fix mga#30205 and CVE-2022-24769
- Update libnetwork and requires_exclude golang-ipath
- Update to upstream docker 20.10.9
- Update to upstream docker 20.10 for cgroupv2 support
Comment 7 Marja Van Waes 2022-07-16 14:22:10 CEST
And it really is fixed, from https://docs.docker.com/engine/release-notes/:

20.10.16

2022-05-12

This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with docker stats when using containerd 1.5 and up, and updates the Go runtime to include a fix for CVE-2022-29526.
Comment 8 Marja Van Waes 2022-07-16 14:24:52 CEST
This belongs to those release notes, too:

Client

    Fixed a regression in binaries for macOS introduced in 20.10.15, which resulted in a panic docker/cli#43426.
    Update golang.org/x/sys dependency which contains a fix for CVE-2022-29526.

Daemon

    Fixed an issue where docker stats was showing empty stats when running with containerd 1.5.0 or up moby/moby#43567.
    Updated the golang.org/x/sys build-time dependency which contains a fix for CVE-2022-29526.

Packaging

    Updated Go runtime to 1.17.10, which contains a fix for CVE-2022-29526.
Comment 9 David Walser 2022-07-16 14:43:26 CEST
So the package is bundling it.  I wanted to know if it can be unbundled.  Would be nice to fix the other package too.
Comment 10 Marja Van Waes 2022-07-16 18:03:40 CEST
(In reply to David Walser from comment #9)
> So the package is bundling it.  I wanted to know if it can be unbundled. 
> Would be nice to fix the other package too.

Here https://github.com/golang/go/issues/52313#issuecomment-1097210431
it says:

"golang.org/x/sys/unix".Faccessat suffers from the same problem, but only on Linux kernels < 5.8.

We have kernel-5.15.50-1.mga8 and kernel-5.18.12-1.mga9, so there's no need to test and push docker-20.10.16-1.mga8, right?

If so, this report can be re-used for your request about the unbundling; in that case, please change the summary and obsolete the unrelated comments.

If not, then it would be better to have a separate bug report for the unbundling.
Comment 11 David Walser 2022-07-17 22:50:23 CEST
Ok, the CVE does appear to be a non-issue.  Waiting for comment from Bruno about the bundling before closing.
Comment 12 Marja Van Waes 2022-07-17 23:02:37 CEST
(In reply to David Walser from comment #11)
> Ok, the CVE does appear to be a non-issue.  Waiting for comment from Bruno
> about the bundling before closing.

Oh, I was just filing bug 30647 about that. Well, this report is messy anyway, so closing this one.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
