Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump actions/checkout from 2 to 3.1.0 #2

Closed
wants to merge 1 commit into from
Closed

build(deps): bump actions/checkout from 2 to 3.1.0 #2

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Oct 10, 2022

Bumps actions/checkout from 2 to 3.1.0.

Release notes

Sourced from actions/checkout's releases.

v3.1.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v3.0.2...v3.1.0

v3.0.2

What's Changed

Full Changelog: actions/checkout@v3...v3.0.2

v3.0.1

v3.0.0

  • Updated to the node16 runtime by default
    • This requires a minimum Actions Runner version of v2.285.0 to run, which is by default available in GHES 3.4 or later.

v2.4.2

What's Changed

Full Changelog: actions/checkout@v2...v2.4.2

v2.4.1

  • Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory

v2.4.0

  • Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

v2.3.5

Update dependencies

v2.3.4

v2.3.3

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

v3.1.0

v3.0.2

v3.0.1

v3.0.0

v2.3.1

v2.3.0

v2.2.0

v2.1.1

  • Changes to support GHES (here and here)

v2.1.0

v2.0.0

v2 (beta)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump actions/checkout from 2 to 3.1.0
b39fe60 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3.1.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 10, 2022
@dependabot dependabot bot mentioned this pull request Oct 10, 2022
Closed
tenforward pushed a commit that referenced this pull request Aug 3, 2023
@Teemperor
Fix uninitialized read in parse_cap when libcap is not used
b203e1a 
fuzz-lxc-cgroup-init currently fails for me with the input
```
 lxc.cap.keep=0
```

with this report:

```
==640655==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x833c77 in parse_cap /src/lxc/san_build/../src/lxc/conf.c:3161:6
    #1 0xaa5fd6 in add_cap_entry /src/lxc/san_build/../src/lxc/confile.c:2462:9
    #2 0x9eb69c in set_config_cap_keep /src/lxc/san_build/../src/lxc/confile.c:2503:8
    #3 0x974a76 in parse_line /src/lxc/san_build/../src/lxc/confile.c:3115:9
    lxc#4 0xea8cac in lxc_file_for_each_line_mmap /src/lxc/san_build/../src/lxc/parse.c:123:9
    lxc#5 0x9700a1 in lxc_config_read /src/lxc/san_build/../src/lxc/confile.c:3192:9
    lxc#6 0x4a3b50 in LLVMFuzzerTestOneInput /src/lxc/san_build/../src/tests/fuzz-lxc-cgroup-init.c:40:8
    lxc#7 0x10556e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    lxc#8 0x1041372 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    lxc#9 0x1046bbc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    lxc#10 0x106f7b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    lxc#11 0x7ffff7bc00b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    lxc#12 0x420a9d in _start (/home/fuzzer/oss-fuzz/build/out/lxc/fuzz-lxc-cgroup-init+0x420a9d)

  Uninitialized value was created by an allocation of 'last_cap' in the stack frame of function 'parse_cap'
    #0 0x832e30 in parse_cap /src/lxc/san_build/../src/lxc/conf.c:3131
```

The reason is that without libcap we parse_cap ends up comparing two
uninitialized values. See the snippet below:

```
int parse_cap(const char *cap_name, __u32 *cap)
{
	int ret;
	unsigned int res;
	__u32 last_cap;

  [...]

	ret = lxc_caps_last_cap(&last_cap); // NOTE: 1. Call here.
	if (ret) // Not taken as dummy lxc_caps_last_cap returned 0.
		return -1;

	if ((__u32)res > last_cap) // last_cap is uninitialized.
		return -1;

	*cap = (__u32)res;
	return 0;
}
```

Root cause seems to be that the dummy `lxc_caps_last_cap` returns 0 but
doesn't set the last_cap value. This patch just returns -1 as an error code
to avoid the uninitialized read.

Note: When reproducing the bug you need to compile with O0 and *not* with O1
otherwise you will not see the report.

Signed-off-by: Raphael Isemann <[email protected]>
@dependabot dependabot bot changed the base branch from master to main August 3, 2023 13:49
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Sep 11, 2023

Superseded by #3.

@dependabot dependabot bot closed this Sep 11, 2023
@dependabot dependabot bot deleted the dependabot/github_actions/actions/checkout-3.1.0 branch September 11, 2023 01:21
tenforward pushed a commit that referenced this pull request May 17, 2024
@stgraber
Merge pull request lxc#4418 from mihalicyn/cumulative_fixes_2apr2024
b0fd9a9 
confile_utils: fix incorrect multiply_overflow test #2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants