Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address CVE GO-2024-2611 #1959

Merged
merged 1 commit into from
Mar 7, 2024

Conversation

torredil
Copy link
Member

@torredil torredil commented Mar 7, 2024

Is this a bug fix or adding new feature?

CVE fix

What is this PR about? / Why do we need it?

Unblock CI:

Screenshot 2024-03-07 at 10 15 45 AM
Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]
    Example traces found:
Error:       #1: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls json.Decoder.Peek
Error:       #2: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls json.Decoder.Read
Error:       #3: pkg/driver/mount_linux.go:151:46: driver.NodeMounter.Unstage calls fmt.Sprint, which eventually calls protojson.Unmarshal

What testing is done?

make test && CI

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 7, 2024
Signed-off-by: Eddie Torres <[email protected]>
@torredil torredil force-pushed the fix-cve-go-2024-2611 branch from c860b17 to b6650fe Compare March 7, 2024 15:21
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 7, 2024
Copy link

github-actions bot commented Mar 7, 2024

Code Coverage Diff

This PR does not change the code coverage

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 7, 2024
@ConnorJC3
Copy link
Contributor

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2024
@k8s-ci-robot k8s-ci-robot merged commit f335f99 into kubernetes-sigs:master Mar 7, 2024
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants