Next planned container-libs release?

[Billy99]

My project has an indirect dependency on container-libs. We are bumping SELinux package to fix a CVE and now our builds are failing with:

# go.podman.io/storage
vendor/go.podman.io/storage/userns.go:334:29: undefined: securejoin.OpenInRoot
vendor/go.podman.io/storage/userns.go:340:20: undefined: securejoin.Reopen

I see this is already fixed on main (#448), just curious when a release will be scheduled which contains this fix?

[mtrmac]

Thanks for reaching out.

One possible answer is that the opencontainers/selinux package update is only security-relevant in fairly specific situations (“inside runc and the like, where the code is running concurrently with an untrusted attacker”), so there might not be any need to update container-libs. That, of course, depends on a detailed analysis within your use case.

Cc: @TomSweeneyRedHat for other possible answers.

[Billy99]

Yes, github.com/opencontainers/selinux went from 1.12.0 to 1.13.0, which bumped github.com/cyphar/filepath-securejoin from v0.5.1 to v0.6.0, which deprecated securejoin.OpenInRoot and securejoin.Reopen, which caused go.podman.io/storage to fail. (I think)

Not critical at the moment, just wonder if a release was eminent or if I should figure out some other solution.

[Luap99]

@Billy99 But are you actually using the vulnerable code anywhere in a context where it would matter?
AFAICT nothing in this repo is affected by the CVE, the only open question we have is on the buildah side where we do call the problematic code but even there it is not clear to me if it is actually a problem in that context.

It is certainly unfortunate that this selinux update requires the filepath-securejoin update with breaking changes.

But to answer the general question the next minor release would normally happen for the next podman version in late January.
That does not rule out that we might do a patch release any time with the fixes in the meantime if we actually end up needing them.

[Billy99]

I didn't dig deep to see if the CVE was actually affecting our project or not, it was just a dependabot PR that was failing and was trying to resolve. We are not currently in any product, so I'll point to main for the time being, until a release comes out.

Maybe leave this issue open until the next release is cut in case other projects hit the same issue?