
[v4.4.1-rhel] CVE-2025-47913 x/crypto to v0.43.0#28092

Merged
lsm5 merged 2 commits into
podman-container-tools:v4.4.1-rhelfrom
TomSweeneyRedHat:dev/tsweeney/cve-2025-47913-v4.4.1-rhel
Apr 6, 2026

Conversation

@TomSweeneyRedHat TomSweeneyRedHat commented Feb 13, 2026

Contributor

Bump golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913. Note: This change has bumped the Go requirement to v1.24 and I have removed the old replacement to the private crypto repository.

Fixes: https://issues.redhat.com/browse/OCPBUGS-67036, https://issues.redhat.com/browse/OCPBUGS-67053,
https://issues.redhat.com/browse/OCPBUGS-67070,
https://issues.redhat.com/browse/OCPBUGS-67090,
https://issues.redhat.com/browse/RHEL-134783,
https://issues.redhat.com/browse/RHEL-134787

NOTE: Shortly before merging, it was discovered that 3 commits need to be added to handle volume bind mounts appropriately with the latest version of runc. That was done in this PR: #28450, and the associated Jira cards in this PR will not be closed until that PR is merged.

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
    commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
    the sign-off email address. See CONTRIBUTING.md
    for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

None

@TomSweeneyRedHat

Contributor Author

@cevich and @dashea PTAL

Tom Sweeney added 2 commits February 14, 2026 18:54
Bump Fedora to v42 to get the necessary version of Go for this
change.

Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
Bump golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913.
Note: This change has bumped the Go requirement to v1.24 and I have
removed the old replacement to the private crypto repository.

Fixes: https://issues.redhat.com/browse/OCPBUGS-67036,
https://issues.redhat.com/browse/OCPBUGS-67053,
https://issues.redhat.com/browse/OCPBUGS-67070,
https://issues.redhat.com/browse/OCPBUGS-67090,
https://issues.redhat.com/browse/RHEL-134783,
https://issues.redhat.com/browse/RHEL-134787

Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
@TomSweeneyRedHat TomSweeneyRedHat force-pushed the dev/tsweeney/cve-2025-47913-v4.4.1-rhel branch from 6809e0a to 0d8a107 Compare February 14, 2026 23:55
cevich commented Feb 16, 2026

Contributor

I'm assuming all the other version bumps were side-effects of the crypto & golang bump. If so, LGTM. Want me to try running this through the system tests?

@TomSweeneyRedHat

Contributor Author

@cevich if you could run it through the system tests, it would be much appreciated!

@lsm5 lsm5 left a comment

Contributor

LGTM (assuming system tests pass).

Ideally we should run integration, compose and apiv2 tests as well.

cevich commented Feb 17, 2026

Contributor

Ugg, I did a scratch build yesterday hoping that would also catch the system tests. But no, this package also requires the updated crun to function. I have a workaround for that but it takes 4-hours to run 😯 Starting it now.

cevich commented Feb 17, 2026

Contributor

The remote tests are still running, here are the local results:

0d8a107_local-rootless.txt
0d8a107_local-root.txt

  • (rootless) The not ok 210 image events failure is new to me, but it seems reasonable that it could be a flake caused by the event-ordering changes.
  • (rootless) The pasta IPv6 failures are all expected in this environment.
  • (rootless) The login failures are also expected (they try to use an IPv6 address)
  • (rootful) The not ok 305 pod resource limits timeout is new to me, may want to investigate deeper.

lsm5 commented Feb 24, 2026

Contributor

Can we defer such huge version bumps by patching the affected file during rpm build time? The actual fix for this CVE is very small.

security scanners might complain about this branch being vulnerable, in which case maybe we should move such branches to an RH-internal git host? Current CI setup on these branches isn't doing much anyway.

@TomSweeneyRedHat TomSweeneyRedHat added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 4, 2026
@TomSweeneyRedHat

Contributor Author

Putting a hold on this now as there's much discussion going on with the OCP Builder team about this patch and alternatives.

@TomSweeneyRedHat TomSweeneyRedHat removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 11, 2026
@TomSweeneyRedHat

Contributor Author

@lsm5 @cevich I've decided to take the hold off this now, and if necessary, based on continuing OCP deliberations, I may revert this later.

Given the prior comments, can we merge this and get the Jira cards moving along? @lsm5 I hear the bloat concern, but this is much smaller bloat than the Frankenstein runc one.

lsm5 commented Mar 11, 2026

Contributor

I guess we still need to run some kind of tests on this one before merging. @cevich are you / SE taking this up?

EDIT: never mind, I read the history, and Chris already ran tests. Do we want to do another run? Also, maybe e2e, apiv2 tests etc?

cevich commented Mar 11, 2026

Contributor

As a heavily biased, former QE-person, I'm always in favor of more testing and deeper 😉

@TomSweeneyRedHat

Contributor Author

@cevich have you been able to test more, and/or do we push this one along?

cevich commented Mar 23, 2026

Contributor

Happy to run our tests against this, it'll take a few hours since the manual runs can't easily operate in parallel.

Comment thread go.mod
go.opentelemetry.io/otel/metric v1.19.0 // indirect
go.opentelemetry.io/otel/trace v1.19.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/crypto v0.43.0 // indirect
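Review bot: the new `golang.org/x/crypto v0.43.0 // indirect` line keeps the `// indirect` marker, which only records that no package in this module imports x/crypto itself; the version is still a floor that Go's module resolution honours, so the build cannot select anything older than v0.43.0 as long as this line stays. Because this line is the CVE-2025-47913 fix, it is worth confirming on the built tree with `go list -m golang.org/x/crypto` (and `go mod why -m golang.org/x/crypto` to see which dependency pulls it in), and, since the description says the old replace to the private crypto repository was removed but that change is not in the lines shown here, checking that no `replace golang.org/x/crypto` survives anywhere in go.mod, as a replace would silently override this version.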

Contributor

I am not a golang expert by any stretch, but I'll ask anyway: Would it make sense to have this be an explicit requirement? I'm 🤔 on the off-chance a future version breaks compatibility or introduces an unwanted bug/problem? Or would doing so risk breaking the project every time go is updated?

Contributor Author

@cevich, maybe, but in cases like this, it's stretching my own Goland noodle, and I tend to stick with whatever the "go mod *" process cooks up.

Contributor

It's probably fine, just my new paranoia working with AI where I have to question every damn thing even if it appears[1] to make sense 😞

[1]: AIs rationalize, they do not reason. Though they sure will try to convince you.
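As an added example (not code from this PR or from podman), the kind of go.mod check a reviewer could run to settle the question raised in this thread: it finds a module's `require` entry, reports whether it is only `// indirect`, detects any `replace` directive overriding it (the PR description mentions removing one for a private crypto repo), and compares the pinned version against the version that carries the fix. The sample go.mod, the module path `example.com/app` and the `findPin`/`FixedInGoMod` names are constructed for this example.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample modelled on this PR's go.mod lines (not podman's real go.mod).
const sampleGoMod = "module example.com/app\n\ngo 1.24\n\nrequire (\n\tgolang.org/x/crypto v0.43.0 // indirect\n)\n"
// findPin returns mod's required version ("" if absent), whether that entry carries the
// "// indirect" marker, and whether any replace directive overrides the module.
func findPin(src, mod string) (version string, indirect, replaced bool) {
	for _, raw := range strings.Split(src, "\n") {
		line, comment, _ := strings.Cut(raw, "//") // separate the trailing comment
		f := strings.Fields(strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(line), "require "), "replace "))
		if len(f) < 2 || f[0] != mod {
			continue // directive keywords, "require (", ")", other modules
		}
		if strings.Contains(line, "=>") {
			replaced = true // "mod => other vX" or "mod vY => ../local"
		} else {
			version, indirect = f[1], strings.TrimSpace(comment) == "indirect"
		}
	}
	return version, indirect, replaced
}
// num parses the leading integer of a version component, ignoring "-pre"/"+meta" suffixes.
func num(s string) int {
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	n, _ := strconv.Atoi(s)
	return n
}
// versionAtLeast reports have >= want for vMAJOR.MINOR.PATCH strings.
func versionAtLeast(have, want string) bool {
	h := strings.SplitN(strings.TrimPrefix(have, "v"), ".", 3)
	w := strings.SplitN(strings.TrimPrefix(want, "v"), ".", 3)
	for k := 0; k < len(h) && k < len(w); k++ {
		if num(h[k]) != num(w[k]) {
			return num(h[k]) > num(w[k])
		}
	}
	return len(h) >= len(w)
}

// FixedInGoMod reports whether mod is pinned at >= minFixed with no replace override.
func FixedInGoMod(src, mod, minFixed string) bool {
	v, _, replaced := findPin(src, mod)
	return v != "" && !replaced && versionAtLeast(v, minFixed)
}
```

Run over the real go.mod, a `false` result means either the pin is below the fixed version or a replace still points the module elsewhere; `go list -m golang.org/x/crypto` on the built tree is the authoritative confirmation.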

cevich commented Mar 23, 2026

Contributor

Update: The "runc" flavor of the system tests are done and all the expected ones passed. As before (and as is on #27933) the remote "default connection" test has a minor failure and all the pasta tests fail (because the test system has multiple IPv6 routes and pasta can't pick one).

I'm running the "crun" flavor now, but I am not expecting anything drastically different.

cevich commented Mar 24, 2026

Contributor

Crun testing is done, results are exactly the same by my 👁️

So from a system testing perspective on RHEL 9.2, this seems 👍

@lsm5 lsm5 left a comment

Contributor

LGTM from the system test results. If we need to run integration and others, would take a while.

lsm5 commented Mar 28, 2026

Contributor

Tested on RHEL 9.2.0-Nightly (kernel 5.14.0-284.160.1.el9_2.x86_64) via Testing Farm.

Build: podman 4.4.1 @ 0d8a107, Go 1.24.1, build tags exclude_graphdriver_btrfs seccomp systemd

System Tests

  • sys-local-root-crun: 498 passed, 41 failed, 127 skipped
  • sys-local-root-runc: 499 passed, 40 failed, 127 skipped
  • sys-remote-root-crun: 499 passed, 40 failed, 127 skipped
  • sys-remote-root-runc: 499 passed, 40 failed, 127 skipped
  • sys-local-rootless-crun: 527 passed, 12 failed, 162 skipped
  • sys-local-rootless-runc: 528 passed, 11 failed, 162 skipped
  • sys-remote-rootless-crun: 528 passed, 11 failed, 162 skipped
  • sys-remote-rootless-runc: 528 passed, 11 failed, 162 skipped

Integration Tests

  • int-local-root-crun: 1803 passed, 12 failed, 3 flaked, 126 skipped
  • int-local-root-runc: 1796 passed, 13 failed, 2 flaked, 132 skipped
  • int-remote-root-crun: 1564 passed, 52 failed, 1 flaked, 279 skipped
  • int-remote-root-runc: 1601 passed, 9 failed, 1 flaked, 285 skipped
  • int-local-rootless-crun: 1814 passed, 1 failed, 0 flaked, 126 skipped
  • int-local-rootless-runc: 1797 passed, 12 failed, 0 flaked, 132 skipped

API & Compose Tests

  • apiv2-bash: 1233 passed, 3 failed
  • apiv2-python: 44 passed, 0 failed
  • compose v2: 31 passed, 3 failed

Failure Analysis

All failures are environment-specific, none related to the PR changes:

  • Root system tests (~40 failures): systemd/quadlet/sdnotify/auto-update service startup issues + no tty in test environment
  • Rootless system tests (~11 failures): sigproxy, ps --external, sdnotify, tty
  • int-local-root-crun (12): manifest auth push, privileged device restart, ps filter, kube generate user/entrypoint
  • int-local-root-runc (13): same as crun + seccomp, volume copyup, idmapped volume (runc 1.2.9 compat)
  • int-remote-root-crun (52): remote API image operation issues (diff/save/inspect/entrypoint)
  • int-remote-root-runc (9): seccomp, volume, manifest push, kube generate
  • int-local-rootless-crun (1): manifest authenticated push (flake)
  • int-local-rootless-runc (12): seccomp, volume/mount driver-opts, exec, update cgroup limits (runc 1.2.9 compat)
  • compose (3): buildkit container name collision, MAC address mismatch, output whitespace diff

No regressions from the x/crypto bump to v0.43.0.

@lsm5 lsm5 left a comment

Contributor

LGTM

@TomSweeneyRedHat

Contributor Author

@cevich or @dashea can I get a LGTM and hopefully a merge from one or both of you please?

cevich commented Mar 31, 2026

Contributor

Ugh that's a lot of failures but as Lokesh said, many may be environmental. When I ran the system tests many more passed. So LGTM FWIW, but I don't have "merge button" authority.

dashea commented Apr 2, 2026


LGTM. On my runs through the tests I didn't see any new failures to worry about, just the usual problems with the 1mt environment or test flakiness.

@lsm5 lsm5 merged commit dfe1819 into podman-container-tools:v4.4.1-rhel Apr 6, 2026
6 checks passed
TomSweeneyRedHat pushed a commit to TomSweeneyRedHat/podman that referenced this pull request Apr 6, 2026
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the volume-opt options are specific to the volume we create
and should not be passed to the mount in the oci spec.

Fixes: podman-container-tools#26938 (originally)

Follow up PR to: podman-container-tools#28092
Just before merging it was realized that the commits in this PR were also
needed to completely address CVE-2025-52881

Fixes: https://issues.redhat.com/browse/OCPBUGS-67036, https://issues.redhat.com/browse/OCPBUGS-67053,
https://issues.redhat.com/browse/OCPBUGS-67070,
https://issues.redhat.com/browse/OCPBUGS-67090,
https://issues.redhat.com/browse/RHEL-134783,
https://issues.redhat.com/browse/RHEL-134787

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 4e2a04d)
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>