From 53423b4e1bc33760966ab4d48f40f26edd08bd7e Mon Sep 17 00:00:00 2001
From: zhangxingrong
Date: Fri, 5 Jul 2024 16:30:56 +0800
Subject: [PATCH] add some upstream patchs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
update podman.spec. 添加遗漏的patch内容
Signed-off-by: zhangxingrong
update spec
Delete the conflicting parts of the patch
---
 ...CI-Maintenance-Disable-machine-tests.patch | 170 +
 0006-Fix-for-CVE-2024-3727.patch | 3450 +++++++++++++++++
 podman.spec | 13 +-
 3 files changed, 3631 insertions(+), 2 deletions(-)
 create mode 100644 0005-CI-Maintenance-Disable-machine-tests.patch
 create mode 100644 0006-Fix-for-CVE-2024-3727.patch
diff --git a/0005-CI-Maintenance-Disable-machine-tests.patch b/0005-CI-Maintenance-Disable-machine-tests.patch
new file mode 100644
index 0000000..6f72179
--- /dev/null
+++ b/0005-CI-Maintenance-Disable-machine-tests.patch
@@ -0,0 +1,170 @@
+From 5ab4b7b63268555cf7dc2dd53e934fcabf349718 Mon Sep 17 00:00:00 2001
+From: Chris Evich
+Date: Mon, 29 Apr 2024 14:25:58 -0400
+Subject: [PATCH 1/2] CI Maintenance: Disable machine tests
+
+Older versions of podman machine do not support being run against the
+latest version of the machine VM images. As there is no built-in
+provision to pin older machine VM image versions, these tests will
+simply fail forever. Disable them.
+
+Signed-off-by: Chris Evich
+---
+ .cirrus.yml | 101 +++-------------------------------------------------
+ 1 file changed, 4 insertions(+), 97 deletions(-)
+
+diff --git a/.cirrus.yml b/.cirrus.yml
+index bf4c12cd2148..b2f27f83260c 100644
+--- a/.cirrus.yml
++++ b/.cirrus.yml
+@@ -703,99 +703,6 @@ rootless_integration_test_task:
+ always: *int_logs_artifacts
+
+
+-podman_machine_task:
+- name: *std_name_fmt
+- alias: podman_machine
+- # Don't create task for tags, or if using [CI:DOCS], [CI:BUILD]
+- # Docs: ./contrib/cirrus/CIModes.md
+- only_if: ¬_tag_build_docs >-
+- $CIRRUS_TAG == '' &&
+- $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+- $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*'
+- depends_on:
+- - build
+- - local_integration_test
+- - remote_integration_test
+- - container_integration_test
+- - rootless_integration_test
+- ec2_instance:
+- image: "${VM_IMAGE_NAME}"
+- type: "${EC2_INST_TYPE}"
+- region: us-east-1
+- env:
+- EC2_INST_TYPE: "m5zn.metal" # Bare-metal instance is required
+- TEST_FLAVOR: "machine-linux"
+- PRIV_NAME: "rootless" # intended use-case
+- DISTRO_NV: "${FEDORA_NAME}"
+- VM_IMAGE_NAME: "${FEDORA_AMI}"
+- CI_DESIRED_NETWORK: netavark
+- clone_script: *get_gosrc
+- setup_script: *setup
+- main_script: *main
+- always: *int_logs_artifacts
+-
+-
+-podman_machine_aarch64_task:
+- name: *std_name_fmt
+- alias: podman_machine_aarch64
+- only_if: *not_tag_build_docs
+- depends_on:
+- - build_aarch64
+- - validate_aarch64
+- - local_integration_test
+- - remote_integration_test
+- - container_integration_test
+- - rootless_integration_test
+- ec2_instance:
+- <<: *standard_build_ec2_aarch64
+- env:
+- TEST_FLAVOR: "machine-linux"
+- EC2_INST_TYPE: c6g.metal
+- PRIV_NAME: "rootless" # intended use-case
+- DISTRO_NV: "${FEDORA_AARCH64_NAME}"
+- VM_IMAGE_NAME: "${FEDORA_AARCH64_AMI}"
+- CI_DESIRED_NETWORK: netavark
+- clone_script: *get_gosrc_aarch64
+- setup_script: *setup
+- main_script: *main
+- always: *int_logs_artifacts
+-
+-
+-podman_machine_windows_task:
+- name: *std_name_fmt
+- alias: podman_machine_windows
+- # TODO: These tests are new and mostly fail. Disable all failures impacting overall CI status
+- # until the tests, scripts, and environment stabalize.
+- allow_failures: $CI == $CI
+- # Only run for non-docs/copr PRs and non-release branch builds
+- # and never for tags. Docs: ./contrib/cirrus/CIModes.md
+- only_if: >-
+- $CIRRUS_TAG == '' &&
+- $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+- $CIRRUS_BRANCH !=~ 'v[0-9\.]+-rhel' &&
+- $CIRRUS_BASE_BRANCH !=~ 'v[0-9\.]+-rhel'
+- depends_on:
+- - alt_build
+- - build
+- - win_installer
+- - local_integration_test
+- - remote_integration_test
+- - container_integration_test
+- - rootless_integration_test
+- ec2_instance:
+- <<: *windows
+- type: m5zn.metal
+- platform: windows
+- env: *winenv
+- matrix:
+- - env:
+- TEST_FLAVOR: "machine-wsl"
+- - env:
+- TEST_FLAVOR: "machine-hyperv"
+- clone_script: *winclone
+- main_script: ".\\repo\\contrib\\cirrus\\win-podman-machine-main.ps1"
+-
+-
+ # Always run subsequent to integration tests. While parallelism is lost
+ # with runtime, debugging system-test failures can be more challenging
+ # for some golang developers. Otherwise the following tasks run across
+@@ -803,7 +710,10 @@ podman_machine_windows_task:
+ local_system_test_task: &local_system_test_task
+ name: *std_name_fmt
+ alias: local_system_test
+- only_if: *not_tag_build_docs
++ only_if: ¬_tag_build_docs >-
++ $CIRRUS_TAG == '' &&
++ $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
++ $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*'
+ depends_on: *build_unit
+ matrix: *platform_axis
+ gce_instance: *standardvm
+@@ -1059,9 +969,6 @@ success_task:
+ - remote_integration_test
+ - container_integration_test
+ - rootless_integration_test
+- - podman_machine
+- - podman_machine_aarch64
+- - podman_machine_windows
+ - local_system_test
+ - local_system_test_aarch64
+ - remote_system_test
+
+From a2d894224f229fc87f6c95cddd42a532af36a1cb Mon Sep 17 00:00:00 2001
+From: Chris Evich
+Date: Tue, 30 Apr 2024 13:48:51 -0400
+Subject: [PATCH 2/2] Disable failing bud test
+
+This is a release-branch that will be unsupported before too long.
+Test failing for unknown reason, not worth effort to debug.
+
+Signed-off-by: Chris Evich
+---
+ test/buildah-bud/apply-podman-deltas | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/buildah-bud/apply-podman-deltas b/test/buildah-bud/apply-podman-deltas
+index 53e5a8caeaed..5d46e1c10599 100755
+--- a/test/buildah-bud/apply-podman-deltas
++++ b/test/buildah-bud/apply-podman-deltas
+@@ -288,6 +288,10 @@ skip_if_rootless_remote "FIXME: not sure if 17788 or some other bug" \
+ skip "FIXME: 2023-06-13 buildah PR 4746 broke this test" \
+ "bud with encrypted FROM image"
+
++# v4.9 release branch
++skip "FIXME: 2024-04-30 test is broken, no clue" \
++ "bud and test --unsetlabel"
++
+ # END temporary workarounds that must be reevaluated periodically
+ ###############################################################################
+
diff --git a/0006-Fix-for-CVE-2024-3727.patch b/0006-Fix-for-CVE-2024-3727.patch
new file mode 100644
index 0000000..69ca63b
--- /dev/null
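Review bot: The YAML anchor in the removed line `only_if: ¬_tag_build_docs >-` of the first inner hunk, and in the identical line the second inner hunk adds, reads `¬` (U+00AC) where the `*not_tag_build_docs` aliases elsewhere in these hunks show the upstream anchor is `&not_tag_build_docs`; `&local_system_test_task` in the same hunk survived intact, so this looks like `&not` being entity-decoded somewhere in the copy chain rather than a general `&` problem. If the committed 0005 file really contains `¬`, the first inner hunk's removed lines will not match upstream context and `patch` will reject it, and where it did apply the `*not_tag_build_docs` aliases would dangle; the bytes on disk are worth checking with something like `grep -n 'not_tag_build_docs' 0005-CI-Maintenance-Disable-machine-tests.patch` before this is built. Separately, both inner commits touch only CI configuration and a buildah-bud test skip, so this patch changes nothing in the built podman artifacts; if it is carried only to keep the source tree aligned with upstream's v4.9 branch, a one-line comment beside its Patch line in podman.spec saying so would spare the next maintainer from wondering why it is there.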
+++ b/0006-Fix-for-CVE-2024-3727.patch 
@@ -0,0 +1,3450 @@ +From 0d1d6b14ef61af8ed47008392615a284089a980f Mon Sep 17 00:00:00 2001 +From: tomsweeneyredhat +Date: Thu, 23 May 2024 15:00:56 -0400 +Subject: [PATCH] [v4.9] Fix for CVE-2024-3727 + +This adds a fix for CVE-2024-3727 and as a bonus, also +fixes, at least from a build perspective, CVE-2024-28180 + +Signed-off-by: tomsweeneyredhat +--- + go.mod | 18 +-- + go.sum | 46 ++++--- + .../containers/buildah/CHANGELOG.md | 7 + + .../containers/buildah/changelog.txt | 6 + + .../containers/buildah/define/types.go | 2 +- + .../containers/common/pkg/config/config.go | 2 +- + .../common/pkg/config/containers.conf | 9 ++ + .../containers/common/pkg/config/default.go | 8 ++ + .../containers/common/version/version.go | 2 +- + .../containers/image/v5/copy/progress_bars.go | 7 +- + .../containers/image/v5/copy/single.go | 39 ++++-- + .../image/v5/directory/directory_dest.go | 22 ++- + .../image/v5/directory/directory_src.go | 17 ++- + .../image/v5/directory/directory_transport.go | 25 ++-- + .../image/v5/docker/docker_client.go | 20 ++- + .../image/v5/docker/docker_image.go | 7 +- + .../image/v5/docker/docker_image_dest.go | 22 ++- + .../image/v5/docker/docker_image_src.go | 18 ++- + .../image/v5/docker/internal/tarfile/dest.go | 12 +- + .../v5/docker/internal/tarfile/writer.go | 34 ++++- + .../image/v5/docker/registries_d.go | 7 +- + .../image/v5/openshift/openshift_src.go | 3 + + .../containers/image/v5/ostree/ostree_dest.go | 10 ++ + .../containers/image/v5/ostree/ostree_src.go | 4 +- + .../image/v5/pkg/blobcache/blobcache.go | 12 +- + .../containers/image/v5/pkg/blobcache/dest.go | 93 +++++++------ + .../containers/image/v5/pkg/blobcache/src.go | 16 ++- + .../image/v5/storage/storage_dest.go | 32 +++-- + .../image/v5/storage/storage_image.go | 14 +- + .../image/v5/storage/storage_reference.go | 10 +- + .../image/v5/storage/storage_src.go | 19 ++- + .../containers/image/v5/version/version.go | 2 +- + .../ocicrypt/keywrap/jwe/keywrapper_jwe.go | 17 ++- + 
.../containers/ocicrypt/utils/testing.go | 13 +- + .../go-jose/go-jose/v3/BUG-BOUNTY.md | 10 -- + .../go-jose/go-jose/v3/CHANGELOG.md | 72 +++++++++- + .../github.com/go-jose/go-jose/v3/README.md | 60 ++++----- + .../github.com/go-jose/go-jose/v3/SECURITY.md | 13 ++ + .../go-jose/go-jose/v3/asymmetric.go | 3 + + .../github.com/go-jose/go-jose/v3/crypter.go | 99 ++++++++++---- + vendor/github.com/go-jose/go-jose/v3/doc.go | 2 - + .../github.com/go-jose/go-jose/v3/encoding.go | 54 +++++++- + .../go-jose/go-jose/v3/json/decode.go | 3 +- + .../go-jose/go-jose/v3/json/encode.go | 28 ++-- + .../go-jose/go-jose/v3/json/stream.go | 1 - + vendor/github.com/go-jose/go-jose/v3/jwe.go | 14 +- + vendor/github.com/go-jose/go-jose/v3/jwk.go | 18 ++- + vendor/github.com/go-jose/go-jose/v3/jws.go | 13 +- + .../github.com/go-jose/go-jose/v3/opaque.go | 2 +- + .../github.com/go-jose/go-jose/v3/shared.go | 9 +- + .../github.com/go-jose/go-jose/v3/signing.go | 59 +++++++-- + .../go-jose/go-jose/v3/symmetric.go | 15 ++- + vendor/golang.org/x/sys/unix/mkerrors.sh | 2 +- + vendor/golang.org/x/sys/unix/zerrors_linux.go | 36 ++++- + .../x/sys/unix/zerrors_linux_386.go | 3 + + .../x/sys/unix/zerrors_linux_amd64.go | 3 + + .../x/sys/unix/zerrors_linux_arm.go | 3 + + .../x/sys/unix/zerrors_linux_arm64.go | 3 + + .../x/sys/unix/zerrors_linux_loong64.go | 3 + + .../x/sys/unix/zerrors_linux_mips.go | 3 + + .../x/sys/unix/zerrors_linux_mips64.go | 3 + + .../x/sys/unix/zerrors_linux_mips64le.go | 3 + + .../x/sys/unix/zerrors_linux_mipsle.go | 3 + + .../x/sys/unix/zerrors_linux_ppc.go | 3 + + .../x/sys/unix/zerrors_linux_ppc64.go | 3 + + .../x/sys/unix/zerrors_linux_ppc64le.go | 3 + + .../x/sys/unix/zerrors_linux_riscv64.go | 3 + + .../x/sys/unix/zerrors_linux_s390x.go | 3 + + .../x/sys/unix/zerrors_linux_sparc64.go | 3 + + .../x/sys/unix/zsysnum_linux_386.go | 4 + + .../x/sys/unix/zsysnum_linux_amd64.go | 3 + + .../x/sys/unix/zsysnum_linux_arm.go | 4 + + .../x/sys/unix/zsysnum_linux_arm64.go | 4 + 
+ .../x/sys/unix/zsysnum_linux_loong64.go | 4 + + .../x/sys/unix/zsysnum_linux_mips.go | 4 + + .../x/sys/unix/zsysnum_linux_mips64.go | 4 + + .../x/sys/unix/zsysnum_linux_mips64le.go | 4 + + .../x/sys/unix/zsysnum_linux_mipsle.go | 4 + + .../x/sys/unix/zsysnum_linux_ppc.go | 4 + + .../x/sys/unix/zsysnum_linux_ppc64.go | 4 + + .../x/sys/unix/zsysnum_linux_ppc64le.go | 4 + + .../x/sys/unix/zsysnum_linux_riscv64.go | 4 + + .../x/sys/unix/zsysnum_linux_s390x.go | 4 + + .../x/sys/unix/zsysnum_linux_sparc64.go | 4 + + vendor/golang.org/x/sys/unix/ztypes_linux.go | 125 +++++++++--------- + .../golang.org/x/sys/windows/env_windows.go | 17 ++- + .../x/sys/windows/syscall_windows.go | 3 +- + .../gopkg.in/go-jose/go-jose.v2/CHANGELOG.md | 84 ++++++++++++ + vendor/gopkg.in/go-jose/go-jose.v2/README.md | 120 +---------------- + .../gopkg.in/go-jose/go-jose.v2/asymmetric.go | 3 + + vendor/gopkg.in/go-jose/go-jose.v2/crypter.go | 6 + + .../gopkg.in/go-jose/go-jose.v2/symmetric.go | 5 + + vendor/modules.txt | 18 +-- + 94 files changed, 1116 insertions(+), 478 deletions(-) + delete mode 100644 vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md + create mode 100644 vendor/github.com/go-jose/go-jose/v3/SECURITY.md + create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md + +diff --git a/go.mod b/go.mod +index b1e27589b928..a84fbbb1b4bb 100644 +--- a/go.mod ++++ b/go.mod +@@ -11,13 +11,13 @@ require ( + github.com/checkpoint-restore/go-criu/v7 v7.0.0 + github.com/containernetworking/cni v1.1.2 + github.com/containernetworking/plugins v1.3.0 +- github.com/containers/buildah v1.33.7 +- github.com/containers/common v0.57.4 ++ github.com/containers/buildah v1.33.8 ++ github.com/containers/common v0.57.5 + github.com/containers/conmon v2.0.20+incompatible + github.com/containers/gvisor-tap-vsock v0.7.2 +- github.com/containers/image/v5 v5.29.2 ++ github.com/containers/image/v5 v5.29.3 + github.com/containers/libhvee v0.5.0 +- github.com/containers/ocicrypt v1.1.9 ++ 
github.com/containers/ocicrypt v1.1.10 + github.com/containers/psgo v1.8.0 + github.com/containers/storage v1.51.0 + github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 +@@ -69,8 +69,8 @@ require ( + golang.org/x/exp v0.0.0-20231006140011-7918f672742d + golang.org/x/net v0.18.0 + golang.org/x/sync v0.6.0 +- golang.org/x/sys v0.16.0 +- golang.org/x/term v0.16.0 ++ golang.org/x/sys v0.17.0 ++ golang.org/x/term v0.17.0 + golang.org/x/text v0.14.0 + google.golang.org/protobuf v1.33.0 + gopkg.in/inf.v0 v0.9.1 +@@ -114,7 +114,7 @@ require ( + github.com/gabriel-vasile/mimetype v1.4.2 // indirect + github.com/gin-contrib/sse v0.1.0 // indirect + github.com/gin-gonic/gin v1.9.1 // indirect +- github.com/go-jose/go-jose/v3 v3.0.1 // indirect ++ github.com/go-jose/go-jose/v3 v3.0.3 // indirect + github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-ole/go-ole v1.2.6 // indirect +@@ -205,14 +205,14 @@ require ( + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect + golang.org/x/arch v0.5.0 // indirect +- golang.org/x/crypto v0.18.0 // indirect ++ golang.org/x/crypto v0.19.0 // indirect + golang.org/x/mod v0.13.0 // indirect + golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/tools v0.14.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect + google.golang.org/grpc v1.58.3 // indirect +- gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect ++ gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect + gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + tags.cncf.io/container-device-interface/specs-go v0.6.0 // indirect +diff --git a/go.sum b/go.sum +index 42178b0994ff..495035a32b6e 100644 +--- a/go.sum ++++ b/go.sum +@@ -258,16 +258,16 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV 
+ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= + github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM= + github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= +-github.com/containers/buildah v1.33.7 h1:Y2kNea+hNNyZ74ppYFWmD0cLc/DwZ5A4NEUPQWPj5Zw= +-github.com/containers/buildah v1.33.7/go.mod h1:pphfdjrwtTWkuIy1aDyZMEVyMfmm0DsbvxLGxxEU1cM= +-github.com/containers/common v0.57.4 h1:kmfBad92kUjP5X44BPpOwMe+eZQqaKETfS+ASeL0g+g= +-github.com/containers/common v0.57.4/go.mod h1:o3L3CyOI9yr+JC8l4dZgvqTxcjs3qdKmkek00uchgvw= ++github.com/containers/buildah v1.33.8 h1:/IfJm5gTHwWshFdRHgLTHkoHNZY85B/xePkpOypBKUw= ++github.com/containers/buildah v1.33.8/go.mod h1:aS1MZukKW39pe/yeJ7sRq9Jf2Sl04uePugPIto6ItNo= ++github.com/containers/common v0.57.5 h1:EgIahxAeYpcE0JKl4A4Z2oEUseve1jt+lMuXIqYnalE= ++github.com/containers/common v0.57.5/go.mod h1:dRw+mJGANzTOJZSs+KfJzrSVNQ4zK0u46/MhLCUfzPY= + github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= + github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= + github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY= + github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY= +-github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw= +-github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E= ++github.com/containers/image/v5 v5.29.3 h1:RJHdxP+ZiC+loIFG2DTmjlVNWTS7o5jrdrRScUrY1VE= ++github.com/containers/image/v5 v5.29.3/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E= + github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw= + github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0= + 
github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= +@@ -277,8 +277,8 @@ github.com/containers/luksy v0.0.0-20231030195837-b5a7f79da98b/go.mod h1:menB9p4 + github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= + github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= + github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +-github.com/containers/ocicrypt v1.1.9 h1:2Csfba4jse85Raxk5HIyEk8OwZNjRvfkhEGijOjIdEM= +-github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPNFN4jwA9GBys= ++github.com/containers/ocicrypt v1.1.10 h1:r7UR6o8+lyhkEywetubUUgcKFjOWOaWz8cEBrCPX0ic= ++github.com/containers/ocicrypt v1.1.10/go.mod h1:YfzSSr06PTHQwSTUKqDSjish9BeW1E4HUmreluQcMd8= + github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY= + github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc= + github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s= +@@ -413,8 +413,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9 + github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= + github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= + github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +-github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= +-github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= ++github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= ++github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= + github.com/go-kit/kit v0.8.0/go.mod 
h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= + github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= + github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +@@ -1172,7 +1172,6 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U + golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +@@ -1182,8 +1181,8 @@ golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm + golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= + golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= + golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= ++golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= ++golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp 
v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -1218,6 +1217,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= + golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= + golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= ++golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= + golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= + golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= + golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +@@ -1265,6 +1265,8 @@ golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qx + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= + golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= + golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= ++golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= ++golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= + golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= + golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +@@ -1287,6 +1289,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync 
v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= ++golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= + golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -1383,13 +1386,15 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= ++golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= + golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= ++golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= ++golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= ++golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= ++golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= + 
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -1401,6 +1406,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= + golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= + golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= ++golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= ++golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= + golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= + golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= + golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +@@ -1460,6 +1467,7 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f + golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= + golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= + golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= ++golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= + golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= + golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= + golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +@@ -1563,8 +1571,8 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS + gopkg.in/errgo.v2 v2.1.0/go.mod 
h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= + gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= + gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +-gopkg.in/go-jose/go-jose.v2 v2.6.1 h1:qEzJlIDmG9q5VO0M/o8tGS65QMHMS1w01TQJB1VPJ4U= +-gopkg.in/go-jose/go-jose.v2 v2.6.1/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= ++gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs= ++gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= + gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= + gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= + gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md +index c46eb3ed9136..6f8821722deb 100644 +--- a/vendor/github.com/containers/buildah/CHANGELOG.md ++++ b/vendor/github.com/containers/buildah/CHANGELOG.md +@@ -2,6 +2,13 @@ + + # Changelog + ++## v1.33.8 (2024-05-17) ++ ++ [release-1.33] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 ++ integration test: handle new labels in "bud and test --unsetlabel" ++ [release-1.33] Bump go-jose CVE-2024-28180 ++ [release-1.33] Bump ocicrypt and go-jose CVE-2024-28180 ++ + ## v1.33.7 (2024-03-18) + + CVE-2024-1753 container escape fix +diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt +index ef2049f38a23..3d903e04abc6 100644 +--- a/vendor/github.com/containers/buildah/changelog.txt ++++ b/vendor/github.com/containers/buildah/changelog.txt +@@ -1,3 +1,9 @@ ++- Changelog for v1.33.8 (2024-05-17) ++ * [release-1.33] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 ++ * integration test: handle new labels in "bud and test --unsetlabel" ++ * [release-1.33] Bump 
go-jose CVE-2024-28180 ++ * [release-1.33] Bump ocicrypt and go-jose CVE-2024-28180 ++ + - Changelog for v1.33.7 (2024-03-18) + * CVE-2024-1753 container escape fix + * tests: skip_if_no_unshare(): check for --setuid +diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go +index 50adce015b3e..583e0b81f3d6 100644 +--- a/vendor/github.com/containers/buildah/define/types.go ++++ b/vendor/github.com/containers/buildah/define/types.go +@@ -29,7 +29,7 @@ const ( + // identify working containers. + Package = "buildah" + // Version for the Package. Also used by .packit.sh for Packit builds. +- Version = "1.33.7" ++ Version = "1.33.8" + + // DefaultRuntime if containers.conf fails. + DefaultRuntime = "runc" +diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go +index 75b917f013ea..03da4d638a39 100644 +--- a/vendor/github.com/containers/common/pkg/config/config.go ++++ b/vendor/github.com/containers/common/pkg/config/config.go +@@ -759,7 +759,7 @@ func (m *MachineConfig) URI() string { + } + + func (c *EngineConfig) findRuntime() string { +- // Search for crun first followed by runc, kata, runsc ++ // Search for crun first followed by runc, runj, kata, runsc, ocijail + for _, name := range []string{"crun", "runc", "runj", "kata", "runsc", "ocijail"} { + for _, v := range c.OCIRuntimes[name] { + if _, err := os.Stat(v); err == nil { +diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf +index 8c532f0798c4..e1f59a7a0f2c 100644 +--- a/vendor/github.com/containers/common/pkg/config/containers.conf ++++ b/vendor/github.com/containers/common/pkg/config/containers.conf +@@ -729,6 +729,15 @@ default_sysctls = [ + # "/run/current-system/sw/bin/crun", + #] + ++#crun-vm = [ ++# "/usr/bin/crun-vm", ++# "/usr/local/bin/crun-vm", ++# "/usr/local/sbin/crun-vm", 
++# "/sbin/crun-vm", ++# "/bin/crun-vm", ++# "/run/current-system/sw/bin/crun-vm", ++#] ++ + #kata = [ + # "/usr/bin/kata-runtime", + # "/usr/sbin/kata-runtime", +diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go +index ea2ede1cb44e..8ddd8b914f03 100644 +--- a/vendor/github.com/containers/common/pkg/config/default.go ++++ b/vendor/github.com/containers/common/pkg/config/default.go +@@ -363,6 +363,14 @@ func defaultEngineConfig() (*EngineConfig, error) { + "/bin/crun", + "/run/current-system/sw/bin/crun", + }, ++ "crun-vm": { ++ "/usr/bin/crun-vm", ++ "/usr/local/bin/crun-vm", ++ "/usr/local/sbin/crun-vm", ++ "/sbin/crun-vm", ++ "/bin/crun-vm", ++ "/run/current-system/sw/bin/crun-vm", ++ }, + "crun-wasm": { + "/usr/bin/crun-wasm", + "/usr/sbin/crun-wasm", +diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go +index 19ba92c0f01d..9182b589f104 100644 +--- a/vendor/github.com/containers/common/version/version.go ++++ b/vendor/github.com/containers/common/version/version.go +@@ -1,4 +1,4 @@ + package version + + // Version is the version of the build. +-const Version = "0.57.4" ++const Version = "0.57.5" +diff --git a/vendor/github.com/containers/image/v5/copy/progress_bars.go b/vendor/github.com/containers/image/v5/copy/progress_bars.go +index ce078234cb6a..ba6a2738910b 100644 +--- a/vendor/github.com/containers/image/v5/copy/progress_bars.go ++++ b/vendor/github.com/containers/image/v5/copy/progress_bars.go +@@ -48,10 +48,13 @@ type progressBar struct { + // As a convention, most users of progress bars should call mark100PercentComplete on full success; + // by convention, we don't leave progress bars in partial state when fully done + // (even if we copied much less data than anticipated). 
+-func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types.BlobInfo, kind string, onComplete string) *progressBar { ++func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types.BlobInfo, kind string, onComplete string) (*progressBar, error) { + // shortDigestLen is the length of the digest used for blobs. + const shortDigestLen = 12 + ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, err ++ } + prefix := fmt.Sprintf("Copying %s %s", kind, info.Digest.Encoded()) + // Truncate the prefix (chopping of some part of the digest) to make all progress bars aligned in a column. + maxPrefixLen := len("Copying blob ") + shortDigestLen +@@ -104,7 +107,7 @@ func (c *copier) createProgressBar(pool *mpb.Progress, partial bool, info types. + return &progressBar{ + Bar: bar, + originalSize: info.Size, +- } ++ }, nil + } + + // printCopyInfo prints a "Copying ..." message on the copier if the output is +diff --git a/vendor/github.com/containers/image/v5/copy/single.go b/vendor/github.com/containers/image/v5/copy/single.go +index 67ca43f7bcf7..d36b8542d6f7 100644 +--- a/vendor/github.com/containers/image/v5/copy/single.go ++++ b/vendor/github.com/containers/image/v5/copy/single.go +@@ -599,7 +599,10 @@ func (ic *imageCopier) copyConfig(ctx context.Context, src types.Image) error { + destInfo, err := func() (types.BlobInfo, error) { // A scope for defer + progressPool := ic.c.newProgressPool() + defer progressPool.Wait() +- bar := ic.c.createProgressBar(progressPool, false, srcInfo, "config", "done") ++ bar, err := ic.c.createProgressBar(progressPool, false, srcInfo, "config", "done") ++ if err != nil { ++ return types.BlobInfo{}, err ++ } + defer bar.Abort(false) + ic.c.printCopyInfo("config", srcInfo) + +@@ -707,11 +710,17 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + } + if reused { + logrus.Debugf("Skipping blob %s 
(already present):", srcInfo.Digest) +- func() { // A scope for defer +- bar := ic.c.createProgressBar(pool, false, types.BlobInfo{Digest: reusedBlob.Digest, Size: 0}, "blob", "skipped: already exists") ++ if err := func() error { // A scope for defer ++ bar, err := ic.c.createProgressBar(pool, false, types.BlobInfo{Digest: reusedBlob.Digest, Size: 0}, "blob", "skipped: already exists") ++ if err != nil { ++ return err ++ } + defer bar.Abort(false) + bar.mark100PercentComplete() +- }() ++ return nil ++ }(); err != nil { ++ return types.BlobInfo{}, "", err ++ } + + // Throw an event that the layer has been skipped + if ic.c.options.Progress != nil && ic.c.options.ProgressInterval > 0 { +@@ -730,8 +739,11 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + // Attempt a partial only when the source allows to retrieve a blob partially and + // the destination has support for it. + if canAvoidProcessingCompleteLayer && ic.c.rawSource.SupportsGetBlobAt() && ic.c.dest.SupportsPutBlobPartial() { +- if reused, blobInfo := func() (bool, types.BlobInfo) { // A scope for defer +- bar := ic.c.createProgressBar(pool, true, srcInfo, "blob", "done") ++ reused, blobInfo, err := func() (bool, types.BlobInfo, error) { // A scope for defer ++ bar, err := ic.c.createProgressBar(pool, true, srcInfo, "blob", "done") ++ if err != nil { ++ return false, types.BlobInfo{}, err ++ } + hideProgressBar := true + defer func() { // Note that this is not the same as defer bar.Abort(hideProgressBar); we need hideProgressBar to be evaluated lazily. 
+ bar.Abort(hideProgressBar) +@@ -751,18 +763,25 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to + bar.mark100PercentComplete() + hideProgressBar = false + logrus.Debugf("Retrieved partial blob %v", srcInfo.Digest) +- return true, updatedBlobInfoFromUpload(srcInfo, uploadedBlob) ++ return true, updatedBlobInfoFromUpload(srcInfo, uploadedBlob), nil + } + logrus.Debugf("Failed to retrieve partial blob: %v", err) +- return false, types.BlobInfo{} +- }(); reused { ++ return false, types.BlobInfo{}, nil ++ }() ++ if err != nil { ++ return types.BlobInfo{}, "", err ++ } ++ if reused { + return blobInfo, cachedDiffID, nil + } + } + + // Fallback: copy the layer, computing the diffID if we need to do so + return func() (types.BlobInfo, digest.Digest, error) { // A scope for defer +- bar := ic.c.createProgressBar(pool, false, srcInfo, "blob", "done") ++ bar, err := ic.c.createProgressBar(pool, false, srcInfo, "blob", "done") ++ if err != nil { ++ return types.BlobInfo{}, "", err ++ } + defer bar.Abort(false) + + srcStream, srcBlobSize, err := ic.c.rawSource.GetBlob(ctx, srcInfo, ic.c.blobInfoCache) +diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go +index 222723a8f536..d32877e0ca59 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go +@@ -173,7 +173,10 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io. 
+ } + } + +- blobPath := d.ref.layerPath(blobDigest) ++ blobPath, err := d.ref.layerPath(blobDigest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } + // need to explicitly close the file, since a rename won't otherwise not work on Windows + blobFile.Close() + explicitClosed = true +@@ -196,7 +199,10 @@ func (d *dirImageDestination) TryReusingBlobWithOptions(ctx context.Context, inf + if info.Digest == "" { + return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with unknown digest") + } +- blobPath := d.ref.layerPath(info.Digest) ++ blobPath, err := d.ref.layerPath(info.Digest) ++ if err != nil { ++ return false, private.ReusedBlob{}, err ++ } + finfo, err := os.Stat(blobPath) + if err != nil && os.IsNotExist(err) { + return false, private.ReusedBlob{}, nil +@@ -216,7 +222,11 @@ func (d *dirImageDestination) TryReusingBlobWithOptions(ctx context.Context, inf + // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema), + // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError. + func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error { +- return os.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644) ++ path, err := d.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return err ++ } ++ return os.WriteFile(path, manifest, 0644) + } + + // PutSignaturesWithFormat writes a set of signatures to the destination. 
+@@ -229,7 +239,11 @@ func (d *dirImageDestination) PutSignaturesWithFormat(ctx context.Context, signa + if err != nil { + return err + } +- if err := os.WriteFile(d.ref.signaturePath(i, instanceDigest), blob, 0644); err != nil { ++ path, err := d.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return err ++ } ++ if err := os.WriteFile(path, blob, 0644); err != nil { + return err + } + } +diff --git a/vendor/github.com/containers/image/v5/directory/directory_src.go b/vendor/github.com/containers/image/v5/directory/directory_src.go +index 5fc83bb6f921..6d725bcfaf5e 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_src.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_src.go +@@ -55,7 +55,11 @@ func (s *dirImageSource) Close() error { + // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list); + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { +- m, err := os.ReadFile(s.ref.manifestPath(instanceDigest)) ++ path, err := s.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } ++ m, err := os.ReadFile(path) + if err != nil { + return nil, "", err + } +@@ -66,7 +70,11 @@ func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. 
+ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- r, err := os.Open(s.ref.layerPath(info.Digest)) ++ path, err := s.ref.layerPath(info.Digest) ++ if err != nil { ++ return nil, -1, err ++ } ++ r, err := os.Open(path) + if err != nil { + return nil, -1, err + } +@@ -84,7 +92,10 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache + func (s *dirImageSource) GetSignaturesWithFormat(ctx context.Context, instanceDigest *digest.Digest) ([]signature.Signature, error) { + signatures := []signature.Signature{} + for i := 0; ; i++ { +- path := s.ref.signaturePath(i, instanceDigest) ++ path, err := s.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return nil, err ++ } + sigBlob, err := os.ReadFile(path) + if err != nil { + if os.IsNotExist(err) { +diff --git a/vendor/github.com/containers/image/v5/directory/directory_transport.go b/vendor/github.com/containers/image/v5/directory/directory_transport.go +index 7e3068693db6..4f7d596b4418 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_transport.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_transport.go +@@ -161,25 +161,34 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex + } + + // manifestPath returns a path for the manifest within a directory using our conventions. +-func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string { ++func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json") ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. 
++ return "", err ++ } ++ return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil + } +- return filepath.Join(ref.path, "manifest.json") ++ return filepath.Join(ref.path, "manifest.json"), nil + } + + // layerPath returns a path for a layer tarball within a directory using our conventions. +-func (ref dirReference) layerPath(digest digest.Digest) string { ++func (ref dirReference) layerPath(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } + // FIXME: Should we keep the digest identification? +- return filepath.Join(ref.path, digest.Encoded()) ++ return filepath.Join(ref.path, digest.Encoded()), nil + } + + // signaturePath returns a path for a signature within a directory using our conventions. +-func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string { ++func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)) ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil + } +- return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)) ++ return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil + } + + // versionPath returns a path for the version file within a directory using our conventions. 
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 6ce8f7008385..d03f87a02ed2 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -952,6 +952,8 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { + return c.detectPropertiesError + } + ++// fetchManifest fetches a manifest for (the repo of ref) + tagOrDigest. ++// The caller is responsible for ensuring tagOrDigest uses the expected format. + func (c *dockerClient) fetchManifest(ctx context.Context, ref dockerReference, tagOrDigest string) ([]byte, string, error) { + path := fmt.Sprintf(manifestPath, reference.Path(ref.ref), tagOrDigest) + headers := map[string][]string{ +@@ -1034,6 +1036,9 @@ func (c *dockerClient) getBlob(ctx context.Context, ref dockerReference, info ty + } + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, 0, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(ref.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) +@@ -1097,7 +1102,10 @@ func isManifestUnknownError(err error) bool { + // digest in ref. + // It returns (nil, nil) if the manifest does not exist. 
+ func (c *dockerClient) getSigstoreAttachmentManifest(ctx context.Context, ref dockerReference, digest digest.Digest) (*manifest.OCI1, error) { +- tag := sigstoreAttachmentTag(digest) ++ tag, err := sigstoreAttachmentTag(digest) ++ if err != nil { ++ return nil, err ++ } + sigstoreRef, err := reference.WithTag(reference.TrimNamed(ref.ref), tag) + if err != nil { + return nil, err +@@ -1130,6 +1138,9 @@ func (c *dockerClient) getSigstoreAttachmentManifest(ctx context.Context, ref do + // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension, + // using the original data structures. + func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) { ++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) + if err != nil { +@@ -1153,8 +1164,11 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe + } + + // sigstoreAttachmentTag returns a sigstore attachment tag for the specified digest. +-func sigstoreAttachmentTag(d digest.Digest) string { +- return strings.Replace(d.String(), ":", "-", 1) + ".sig" ++func sigstoreAttachmentTag(d digest.Digest) (string, error) { ++ if err := d.Validate(); err != nil { // Make sure d.String() doesn’t contain any unexpected characters ++ return "", err ++ } ++ return strings.Replace(d.String(), ":", "-", 1) + ".sig", nil + } + + // Close removes resources associated with an initialized dockerClient, if any. 
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index 93160480ea22..4c80bb2b5251 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -88,7 +88,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. + if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil { + return nil, err + } +- tags = append(tags, tagsHolder.Tags...) ++ for _, tag := range tagsHolder.Tags { ++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) ++ } ++ tags = append(tags, tag) ++ } + + link := res.Header.Get("Link") + if link == "" { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index a9a36f0a34a8..0c0505a8d990 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -229,6 +229,9 @@ func (d *dockerImageDestination) PutBlobWithOptions(ctx context.Context, stream + // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil); + // it returns a non-nil error only on an unexpected failure. 
+ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return false, -1, err ++ } + checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String()) + logrus.Debugf("Checking %s", checkPath) + res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope) +@@ -466,6 +469,7 @@ func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte, inst + // particular instance. + refTail = instanceDigest.String() + // Double-check that the manifest we've been given matches the digest we've been given. ++ // This also validates the format of instanceDigest. + matches, err := manifest.MatchesDigest(m, *instanceDigest) + if err != nil { + return fmt.Errorf("digesting manifest in PutManifest: %w", err) +@@ -632,11 +636,13 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures []signature + + // NOTE: Keep this in sync with docs/signature-protocols.md! + for i, signature := range signatures { +- sigURL := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) +- err := d.putOneSignature(sigURL, signature) ++ sigURL, err := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) + if err != nil { + return err + } ++ if err := d.putOneSignature(sigURL, signature); err != nil { ++ return err ++ } + } + // Remove any other signatures, if present. + // We stop at the first missing signature; if a previous deleting loop aborted +@@ -644,7 +650,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures []signature + // is enough for dockerImageSource to stop looking for other signatures, so that + // is sufficient. 
+ for i := len(signatures); ; i++ { +- sigURL := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(d.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := d.c.deleteOneSignature(sigURL) + if err != nil { + return err +@@ -775,8 +784,12 @@ func (d *dockerImageDestination) putSignaturesToSigstoreAttachments(ctx context. + if err != nil { + return err + } ++ attachmentTag, err := sigstoreAttachmentTag(manifestDigest) ++ if err != nil { ++ return err ++ } + logrus.Debugf("Uploading sigstore attachment manifest") +- return d.uploadManifest(ctx, manifestBlob, sigstoreAttachmentTag(manifestDigest)) ++ return d.uploadManifest(ctx, manifestBlob, attachmentTag) + } + + func layerMatchesSigstoreSignature(layer imgspecv1.Descriptor, mimeType string, +@@ -892,6 +905,7 @@ func (d *dockerImageDestination) putSignaturesToAPIExtension(ctx context.Context + return err + } + ++ // manifestDigest is known to be valid because it was not rejected by getExtensionsSignatures above. + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), manifestDigest.String()) + res, err := d.c.makeRequest(ctx, http.MethodPut, path, nil, bytes.NewReader(body), v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index f9d4d6030f0b..274cd6dd2cbd 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -194,6 +194,9 @@ func simplifyContentType(contentType string) string { + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). 
+ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, "", err ++ } + return s.fetchManifest(ctx, instanceDigest.String()) + } + err := s.ensureManifestIsLoaded(ctx) +@@ -203,6 +206,8 @@ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *dig + return s.cachedManifest, s.cachedManifestMIMEType, nil + } + ++// fetchManifest fetches a manifest for tagOrDigest. ++// The caller is responsible for ensuring tagOrDigest uses the expected format. + func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest string) ([]byte, string, error) { + return s.c.fetchManifest(ctx, s.physicalRef, tagOrDigest) + } +@@ -352,6 +357,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo, + return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt") + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, nil, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil) +@@ -462,7 +470,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst + return nil, fmt.Errorf("server provided %d signatures, assuming that's unreasonable and a server error", maxLookasideSignatures) + } + +- sigURL := lookasideStorageURL(s.c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(s.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return nil, err ++ } + signature, missing, err := s.getOneSignature(ctx, sigURL) + if err != nil { + return nil, err +@@ -660,7 +671,10 @@ func 
deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere + } + + for i := 0; ; i++ { +- sigURL := lookasideStorageURL(c.signatureBase, manifestDigest, i) ++ sigURL, err := lookasideStorageURL(c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := c.deleteOneSignature(sigURL) + if err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +index 7507d855957a..106490cb39f7 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +@@ -111,11 +111,19 @@ func (d *Destination) PutBlobWithOptions(ctx context.Context, stream io.Reader, + return private.UploadedBlob{}, fmt.Errorf("reading Config file stream: %w", err) + } + d.config = buf +- if err := d.archive.sendFileLocked(d.archive.configPath(inputInfo.Digest), inputInfo.Size, bytes.NewReader(buf)); err != nil { ++ configPath, err := d.archive.configPath(inputInfo.Digest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } ++ if err := d.archive.sendFileLocked(configPath, inputInfo.Size, bytes.NewReader(buf)); err != nil { + return private.UploadedBlob{}, fmt.Errorf("writing Config file: %w", err) + } + } else { +- if err := d.archive.sendFileLocked(d.archive.physicalLayerPath(inputInfo.Digest), inputInfo.Size, stream); err != nil { ++ layerPath, err := d.archive.physicalLayerPath(inputInfo.Digest) ++ if err != nil { ++ return private.UploadedBlob{}, err ++ } ++ if err := d.archive.sendFileLocked(layerPath, inputInfo.Size, stream); err != nil { + return private.UploadedBlob{}, err + } + } +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +index df7b2c090600..7f6bd0e6be90 100644 +--- 
a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +@@ -95,7 +95,10 @@ func (w *Writer) ensureSingleLegacyLayerLocked(layerID string, layerDigest diges + if !w.legacyLayers.Contains(layerID) { + // Create a symlink for the legacy format, where there is one subdirectory per layer ("image"). + // See also the comment in physicalLayerPath. +- physicalLayerPath := w.physicalLayerPath(layerDigest) ++ physicalLayerPath, err := w.physicalLayerPath(layerDigest) ++ if err != nil { ++ return err ++ } + if err := w.sendSymlinkLocked(filepath.Join(layerID, legacyLayerFileName), filepath.Join("..", physicalLayerPath)); err != nil { + return fmt.Errorf("creating layer symbolic link: %w", err) + } +@@ -139,6 +142,9 @@ func (w *Writer) writeLegacyMetadataLocked(layerDescriptors []manifest.Schema2De + } + + // This chainID value matches the computation in docker/docker/layer.CreateChainID … ++ if err := l.Digest.Validate(); err != nil { // This should never fail on this code path, still: make sure the chainID computation is unambiguous. 
++ return err ++ } + if chainID == "" { + chainID = l.Digest + } else { +@@ -204,12 +210,20 @@ func checkManifestItemsMatch(a, b *ManifestItem) error { + func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Descriptor, configDigest digest.Digest, repoTags []reference.NamedTagged) error { + layerPaths := []string{} + for _, l := range layerDescriptors { +- layerPaths = append(layerPaths, w.physicalLayerPath(l.Digest)) ++ p, err := w.physicalLayerPath(l.Digest) ++ if err != nil { ++ return err ++ } ++ layerPaths = append(layerPaths, p) + } + + var item *ManifestItem ++ configPath, err := w.configPath(configDigest) ++ if err != nil { ++ return err ++ } + newItem := ManifestItem{ +- Config: w.configPath(configDigest), ++ Config: configPath, + RepoTags: []string{}, + Layers: layerPaths, + Parent: "", // We don’t have this information +@@ -294,21 +308,27 @@ func (w *Writer) Close() error { + // configPath returns a path we choose for storing a config with the specified digest. + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) configPath(configDigest digest.Digest) string { +- return configDigest.Hex() + ".json" ++func (w *Writer) configPath(configDigest digest.Digest) (string, error) { ++ if err := configDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } ++ return configDigest.Hex() + ".json", nil + } + + // physicalLayerPath returns a path we choose for storing a layer with the specified digest + // (the actual path, i.e. a regular file, not a symlink that may be used in the legacy format). + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. 
+-func (w *Writer) physicalLayerPath(layerDigest digest.Digest) string { ++func (w *Writer) physicalLayerPath(layerDigest digest.Digest) (string, error) { ++ if err := layerDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } + // Note that this can't be e.g. filepath.Join(l.Digest.Hex(), legacyLayerFileName); due to the way + // writeLegacyMetadata constructs layer IDs differently from inputinfo.Digest values (as described + // inside it), most of the layers would end up in subdirectories alone without any metadata; (docker load) + // tries to load every subdirectory as an image and fails if the config is missing. So, keep the layers + // in the root of the tarball. +- return layerDigest.Hex() + ".tar" ++ return layerDigest.Hex() + ".tar", nil + } + + type tarFI struct { +diff --git a/vendor/github.com/containers/image/v5/docker/registries_d.go b/vendor/github.com/containers/image/v5/docker/registries_d.go +index c7b884ab3c03..9d651d9bd2b5 100644 +--- a/vendor/github.com/containers/image/v5/docker/registries_d.go ++++ b/vendor/github.com/containers/image/v5/docker/registries_d.go +@@ -286,8 +286,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string { + // lookasideStorageURL returns an URL usable for accessing signature index in base with known manifestDigest. + // base is not nil from the caller + // NOTE: Keep this in sync with docs/signature-protocols.md! +-func lookasideStorageURL(base lookasideStorageBase, manifestDigest digest.Digest, index int) *url.URL { ++func lookasideStorageURL(base lookasideStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) { ++ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly. 
++ return nil, err ++ } + sigURL := *base + sigURL.Path = fmt.Sprintf("%s@%s=%s/signature-%d", sigURL.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1) +- return &sigURL ++ return &sigURL, nil + } +diff --git a/vendor/github.com/containers/image/v5/openshift/openshift_src.go b/vendor/github.com/containers/image/v5/openshift/openshift_src.go +index 0ac0127ee776..62774afbb741 100644 +--- a/vendor/github.com/containers/image/v5/openshift/openshift_src.go ++++ b/vendor/github.com/containers/image/v5/openshift/openshift_src.go +@@ -109,6 +109,9 @@ func (s *openshiftImageSource) GetSignaturesWithFormat(ctx context.Context, inst + } + imageStreamImageName = s.imageStreamImageName + } else { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + imageStreamImageName = instanceDigest.String() + } + image, err := s.client.getImage(ctx, imageStreamImageName) +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +index d00a0cdf861b..29177f11a366 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +@@ -345,6 +345,10 @@ func (d *ostreeImageDestination) TryReusingBlobWithOptions(ctx context.Context, + } + d.repo = repo + } ++ ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, so validate explicitly. 
++ return false, private.ReusedBlob{}, err ++ } + branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex()) + + found, data, err := readMetadata(d.repo, branch, "docker.uncompressed_digest") +@@ -470,12 +474,18 @@ func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) er + return nil + } + for _, layer := range d.schema.LayersDescriptors { ++ if err := layer.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.Digest.Hex() + if err = checkLayer(hash); err != nil { + return err + } + } + for _, layer := range d.schema.FSLayers { ++ if err := layer.BlobSum.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.BlobSum.Hex() + if err = checkLayer(hash); err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_src.go b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +index 9983acc0a64d..a9568c2d323b 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_src.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +@@ -286,7 +286,9 @@ func (s *ostreeImageSource) readSingleFile(commit, path string) (io.ReadCloser, + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, -1, err ++ } + blob := info.Digest.Hex() + + // Ensure s.compressed is initialized. It is build by LayerInfosForCopy. 
+diff --git a/vendor/github.com/containers/image/v5/pkg/blobcache/blobcache.go b/vendor/github.com/containers/image/v5/pkg/blobcache/blobcache.go +index 2bbf48848a65..f4de6cebfe55 100644 +--- a/vendor/github.com/containers/image/v5/pkg/blobcache/blobcache.go ++++ b/vendor/github.com/containers/image/v5/pkg/blobcache/blobcache.go +@@ -78,12 +78,15 @@ func (b *BlobCache) DeleteImage(ctx context.Context, sys *types.SystemContext) e + } + + // blobPath returns the path appropriate for storing a blob with digest. +-func (b *BlobCache) blobPath(digest digest.Digest, isConfig bool) string { ++func (b *BlobCache) blobPath(digest digest.Digest, isConfig bool) (string, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return "", err ++ } + baseName := digest.String() + if isConfig { + baseName += ".config" + } +- return filepath.Join(b.directory, baseName) ++ return filepath.Join(b.directory, baseName), nil + } + + // findBlob checks if we have a blob for info in cache (whether a config or not) +@@ -95,7 +98,10 @@ func (b *BlobCache) findBlob(info types.BlobInfo) (string, int64, bool, error) { + } + + for _, isConfig := range []bool{false, true} { +- path := b.blobPath(info.Digest, isConfig) ++ path, err := b.blobPath(info.Digest, isConfig) ++ if err != nil { ++ return "", -1, false, err ++ } + fileInfo, err := os.Stat(path) + if err == nil && (info.Size == -1 || info.Size == fileInfo.Size()) { + return path, fileInfo.Size(), isConfig, nil +diff --git a/vendor/github.com/containers/image/v5/pkg/blobcache/dest.go b/vendor/github.com/containers/image/v5/pkg/blobcache/dest.go +index 9bda085158e2..bae167584e3f 100644 +--- a/vendor/github.com/containers/image/v5/pkg/blobcache/dest.go ++++ b/vendor/github.com/containers/image/v5/pkg/blobcache/dest.go +@@ -80,47 +80,58 @@ func (d *blobCacheDestination) IgnoresEmbeddedDockerReference() bool { + // and this new file. 
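Review bot: The doc comment on blobPath still reads `// blobPath returns the path appropriate for storing a blob with digest.` although the function now returns `(string, error)`; that error return is what keeps an unvalidated digest string out of the `filepath.Join` below, so it deserves a sentence. Suggest `// blobPath returns the path appropriate for storing a blob with digest, or an error if digest is not a valid digest (so that digest.String() never contributes unexpected characters to the path).` In findBlob the validation now runs once per iteration of the `[]bool{false, true}` loop; that is harmless, but computing the two candidate paths before the loop would avoid validating the same digest twice. findBlob's body continues outside the hunk.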
+ func (d *blobCacheDestination) saveStream(wg *sync.WaitGroup, decompressReader io.ReadCloser, tempFile *os.File, compressedFilename string, compressedDigest digest.Digest, isConfig bool, alternateDigest *digest.Digest) { + defer wg.Done() +- // Decompress from and digest the reading end of that pipe. +- decompressed, err3 := archive.DecompressStream(decompressReader) ++ defer decompressReader.Close() ++ ++ succeeded := false ++ defer func() { ++ if !succeeded { ++ // Remove the temporary file. ++ if err := os.Remove(tempFile.Name()); err != nil { ++ logrus.Debugf("error cleaning up temporary file %q for decompressed copy of blob %q: %v", tempFile.Name(), compressedDigest.String(), err) ++ } ++ } ++ }() ++ + digester := digest.Canonical.Digester() +- if err3 == nil { ++ if err := func() error { // A scope for defer ++ defer tempFile.Close() ++ ++ // Decompress from and digest the reading end of that pipe. ++ decompressed, err := archive.DecompressStream(decompressReader) ++ if err != nil { ++ // Drain the pipe to keep from stalling the PutBlob() thread. ++ if _, err2 := io.Copy(io.Discard, decompressReader); err2 != nil { ++ logrus.Debugf("error draining the pipe: %v", err2) ++ } ++ return err ++ } ++ defer decompressed.Close() + // Read the decompressed data through the filter over the pipe, blocking until the + // writing end is closed. +- _, err3 = io.Copy(io.MultiWriter(tempFile, digester.Hash()), decompressed) +- } else { +- // Drain the pipe to keep from stalling the PutBlob() thread. +- if _, err := io.Copy(io.Discard, decompressReader); err != nil { +- logrus.Debugf("error draining the pipe: %v", err) +- } ++ _, err = io.Copy(io.MultiWriter(tempFile, digester.Hash()), decompressed) ++ return err ++ }(); err != nil { ++ return + } +- decompressReader.Close() +- decompressed.Close() +- tempFile.Close() ++ + // Determine the name that we should give to the uncompressed copy of the blob. 
+- decompressedFilename := d.reference.blobPath(digester.Digest(), isConfig) +- if err3 == nil { +- // Rename the temporary file. +- if err3 = os.Rename(tempFile.Name(), decompressedFilename); err3 != nil { +- logrus.Debugf("error renaming new decompressed copy of blob %q into place at %q: %v", digester.Digest().String(), decompressedFilename, err3) +- // Remove the temporary file. +- if err3 = os.Remove(tempFile.Name()); err3 != nil { +- logrus.Debugf("error cleaning up temporary file %q for decompressed copy of blob %q: %v", tempFile.Name(), compressedDigest.String(), err3) +- } +- } else { +- *alternateDigest = digester.Digest() +- // Note the relationship between the two files. +- if err3 = ioutils.AtomicWriteFile(decompressedFilename+compressedNote, []byte(compressedDigest.String()), 0600); err3 != nil { +- logrus.Debugf("error noting that the compressed version of %q is %q: %v", digester.Digest().String(), compressedDigest.String(), err3) +- } +- if err3 = ioutils.AtomicWriteFile(compressedFilename+decompressedNote, []byte(digester.Digest().String()), 0600); err3 != nil { +- logrus.Debugf("error noting that the decompressed version of %q is %q: %v", compressedDigest.String(), digester.Digest().String(), err3) +- } +- } +- } else { +- // Remove the temporary file. +- if err3 = os.Remove(tempFile.Name()); err3 != nil { +- logrus.Debugf("error cleaning up temporary file %q for decompressed copy of blob %q: %v", tempFile.Name(), compressedDigest.String(), err3) +- } ++ decompressedFilename, err := d.reference.blobPath(digester.Digest(), isConfig) ++ if err != nil { ++ return ++ } ++ // Rename the temporary file. ++ if err := os.Rename(tempFile.Name(), decompressedFilename); err != nil { ++ logrus.Debugf("error renaming new decompressed copy of blob %q into place at %q: %v", digester.Digest().String(), decompressedFilename, err) ++ return ++ } ++ succeeded = true ++ *alternateDigest = digester.Digest() ++ // Note the relationship between the two files. 
++ if err := ioutils.AtomicWriteFile(decompressedFilename+compressedNote, []byte(compressedDigest.String()), 0600); err != nil { ++ logrus.Debugf("error noting that the compressed version of %q is %q: %v", digester.Digest().String(), compressedDigest.String(), err) ++ } ++ if err := ioutils.AtomicWriteFile(compressedFilename+decompressedNote, []byte(digester.Digest().String()), 0600); err != nil { ++ logrus.Debugf("error noting that the decompressed version of %q is %q: %v", compressedDigest.String(), digester.Digest().String(), err) + } + } + +@@ -145,7 +156,10 @@ func (d *blobCacheDestination) PutBlobWithOptions(ctx context.Context, stream io + needToWait := false + compression := archive.Uncompressed + if inputInfo.Digest != "" { +- filename := d.reference.blobPath(inputInfo.Digest, options.IsConfig) ++ filename, err2 := d.reference.blobPath(inputInfo.Digest, options.IsConfig) ++ if err2 != nil { ++ return private.UploadedBlob{}, err2 ++ } + tempfile, err = os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)) + if err == nil { + stream = io.TeeReader(stream, tempfile) +@@ -274,7 +288,10 @@ func (d *blobCacheDestination) PutManifest(ctx context.Context, manifestBytes [] + if err != nil { + logrus.Warnf("error digesting manifest %q: %v", string(manifestBytes), err) + } else { +- filename := d.reference.blobPath(manifestDigest, false) ++ filename, err := d.reference.blobPath(manifestDigest, false) ++ if err != nil { ++ return err ++ } + if err = ioutils.AtomicWriteFile(filename, manifestBytes, 0600); err != nil { + logrus.Warnf("error saving manifest as %q: %v", filename, err) + } +diff --git a/vendor/github.com/containers/image/v5/pkg/blobcache/src.go b/vendor/github.com/containers/image/v5/pkg/blobcache/src.go +index 2fe108cda198..600d2fa7a536 100644 +--- a/vendor/github.com/containers/image/v5/pkg/blobcache/src.go ++++ b/vendor/github.com/containers/image/v5/pkg/blobcache/src.go +@@ -56,7 +56,10 @@ func (s *blobCacheSource) Close() error { + + func (s 
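Review bot: In saveStream the new `decompressedFilename, err := d.reference.blobPath(...)` failure path returns silently, whereas every other failure in this function (decompress, drain, rename, the two note files) is reported with `logrus.Debugf`; a blob whose digest fails validation here vanishes from the cache without a trace, which makes the resulting cache miss hard to diagnose. Suggest `logrus.Debugf("error computing path for decompressed copy of blob %q: %v", compressedDigest.String(), err)` before that `return`. The `succeeded` guard does remove the temp file on that path, so only the diagnostic is missing.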
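Review bot: In PutManifest the new `filename, err := d.reference.blobPath(manifestDigest, false)` inside the `else` block declares a fresh `err` that shadows the one set by the digest computation above, so the following `if err = ioutils.AtomicWriteFile(...)` now assigns the inner variable; whether the outer `err` is read after this block is not visible in the hunk, but if it is, its value is no longer updated by the write. PutBlobWithOptions in the same file handles this exact situation with `err2`; mirroring it here, `filename, err2 := d.reference.blobPath(manifestDigest, false)` and `if err2 != nil { return err2 }`, keeps the existing `err` flow intact. PutManifest's body continues outside the hunk.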
*blobCacheSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { +- filename := s.reference.blobPath(*instanceDigest, false) ++ filename, err := s.reference.blobPath(*instanceDigest, false) ++ if err != nil { ++ return nil, "", err ++ } + manifestBytes, err := os.ReadFile(filename) + if err == nil { + s.cacheHits++ +@@ -136,8 +139,10 @@ func (s *blobCacheSource) LayerInfosForCopy(ctx context.Context, instanceDigest + replacedInfos := make([]types.BlobInfo, 0, len(infos)) + for _, info := range infos { + var replaceDigest []byte +- var err error +- blobFile := s.reference.blobPath(info.Digest, false) ++ blobFile, err := s.reference.blobPath(info.Digest, false) ++ if err != nil { ++ return nil, err ++ } + var alternate string + switch s.reference.compress { + case types.Compress: +@@ -148,7 +153,10 @@ func (s *blobCacheSource) LayerInfosForCopy(ctx context.Context, instanceDigest + replaceDigest, err = os.ReadFile(alternate) + } + if err == nil && digest.Digest(replaceDigest).Validate() == nil { +- alternate = s.reference.blobPath(digest.Digest(replaceDigest), false) ++ alternate, err = s.reference.blobPath(digest.Digest(replaceDigest), false) ++ if err != nil { ++ return nil, err ++ } + fileInfo, err := os.Stat(alternate) + if err == nil { + switch info.MediaType { +diff --git a/vendor/github.com/containers/image/v5/storage/storage_dest.go b/vendor/github.com/containers/image/v5/storage/storage_dest.go +index 07e1d5e1f9e7..6b59be1fd97f 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_dest.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_dest.go +@@ -324,6 +324,13 @@ func (s *storageImageDestination) TryReusingBlobWithOptions(ctx context.Context, + // tryReusingBlobAsPending implements TryReusingBlobWithOptions for (digest, size or -1), filling s.blobDiffIDs and other metadata. 
+ // The caller must arrange the blob to be eventually committed using s.commitLayer(). + func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, size int64, options *private.TryReusingBlobOptions) (bool, private.ReusedBlob, error) { ++ if digest == "" { ++ return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) ++ } ++ if err := digest.Validate(); err != nil { ++ return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) ++ } ++ + // lock the entire method as it executes fairly quickly + s.lock.Lock() + defer s.lock.Unlock() +@@ -344,13 +351,6 @@ func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, + } + } + +- if digest == "" { +- return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) +- } +- if err := digest.Validate(); err != nil { +- return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) +- } +- + // Check if we've already cached it in a file. + if size, ok := s.fileSizes[digest]; ok { + return true, private.ReusedBlob{ +@@ -803,8 +803,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + if err != nil { + return fmt.Errorf("digesting top-level manifest: %w", err) + } ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return err ++ } + options.BigData = append(options.BigData, storage.ImageBigDataOption{ +- Key: manifestBigDataKey(manifestDigest), ++ Key: key, + Data: toplevelManifest, + Digest: manifestDigest, + }) +@@ -812,8 +816,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + // Set up to save the image's manifest. Allow looking it up by digest by using the key convention defined by the Store. 
+ // Record the manifest twice: using a digest-specific key to allow references to that specific digest instance,
+ // and using storage.ImageDigestBigDataKey for future users that don’t specify any digest and for compatibility with older readers.
++ key, err := manifestBigDataKey(s.manifestDigest)
++ if err != nil {
++ return err
++ }
+ options.BigData = append(options.BigData, storage.ImageBigDataOption{
+- Key: manifestBigDataKey(s.manifestDigest),
++ Key: key,
+ Data: s.manifest,
+ Digest: s.manifestDigest,
+ })
+@@ -831,8 +839,12 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t
+ })
+ }
+ for instanceDigest, signatures := range s.signatureses {
++ key, err := signatureBigDataKey(instanceDigest)
++ if err != nil {
++ return err
++ }
+ options.BigData = append(options.BigData, storage.ImageBigDataOption{
+- Key: signatureBigDataKey(instanceDigest),
++ Key: key,
+ Data: signatures,
+ Digest: digest.Canonical.FromBytes(signatures),
+ })
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_image.go b/vendor/github.com/containers/image/v5/storage/storage_image.go
+index ac09f3dbbc4c..ba25a0cba71f 100644
+--- a/vendor/github.com/containers/image/v5/storage/storage_image.go
++++ b/vendor/github.com/containers/image/v5/storage/storage_image.go
+@@ -26,14 +26,20 @@ type storageImageCloser struct {
+ // manifestBigDataKey returns a key suitable for recording a manifest with the specified digest using storage.Store.ImageBigData and related functions.
+ // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; + // for compatibility, if a manifest is not available under this key, check also storage.ImageDigestBigDataKey +-func manifestBigDataKey(digest digest.Digest) string { +- return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++func manifestBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // Make sure info.Digest.String() uses the expected format and does not collide with other BigData keys. ++ return "", err ++ } ++ return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String(), nil + } + + // signatureBigDataKey returns a key suitable for recording the signatures associated with the manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; +-func signatureBigDataKey(digest digest.Digest) string { +- return "signature-" + digest.Encoded() ++func signatureBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return "", err ++ } ++ return "signature-" + digest.Encoded(), nil + } + + // Size() returns the previously-computed size of the image, with no error. 
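Review bot: The comment added to manifestBigDataKey refers to `info.Digest.String()`, but the function's parameter is `digest` and no `info` is in scope; the wording looks copied from a call site. Suggest `// Make sure digest.String() uses the expected format and does not collide with other BigData keys.` The doc comments of both manifestBigDataKey and signatureBigDataKey still describe a plain string return; a closing sentence such as `// It returns an error if digest is not a valid digest.` on each would document the new contract that every caller in this patch now has to check. Shadowing the `digest` package with a parameter named `digest` predates this change and is left as is.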
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_reference.go b/vendor/github.com/containers/image/v5/storage/storage_reference.go
+index a55e34054ab9..6b7565fd8553 100644
+--- a/vendor/github.com/containers/image/v5/storage/storage_reference.go
++++ b/vendor/github.com/containers/image/v5/storage/storage_reference.go
+@@ -73,7 +73,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image,
+ // We don't need to care about storage.ImageDigestBigDataKey because
+ // manifests lists are only stored into storage by c/image versions
+ // that know about manifestBigDataKey, and only using that key.
+- key := manifestBigDataKey(manifestDigest)
++ key, err := manifestBigDataKey(manifestDigest)
++ if err != nil {
++ return false // This should never happen, manifestDigest comes from a reference.Digested, and that validates the format.
++ }
+ manifestBytes, err := store.ImageBigData(img.ID, key)
+ if err != nil {
+ return false
+@@ -95,7 +98,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image,
+ if err != nil {
+ return false
+ }
+- key = manifestBigDataKey(chosenInstance)
++ key, err = manifestBigDataKey(chosenInstance)
++ if err != nil {
++ return false
++ }
+ _, err = store.ImageBigData(img.ID, key)
+ return err == nil // true if img.ID is based on chosenInstance.
+ }
+diff --git a/vendor/github.com/containers/image/v5/storage/storage_src.go b/vendor/github.com/containers/image/v5/storage/storage_src.go
+index f1ce0861e0cc..7e4b69f222bd 100644
+--- a/vendor/github.com/containers/image/v5/storage/storage_src.go
++++ b/vendor/github.com/containers/image/v5/storage/storage_src.go
+@@ -202,7 +202,10 @@ func (s *storageImageSource) getBlobAndLayerID(digest digest.Digest, layers []st
+ // GetManifest() reads the image's manifest.
+ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, mimeType string, err error) { + if instanceDigest != nil { +- key := manifestBigDataKey(*instanceDigest) ++ key, err := manifestBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil { + return nil, "", fmt.Errorf("reading manifest for image instance %q: %w", *instanceDigest, err) +@@ -214,7 +217,10 @@ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *di + // Prefer the manifest corresponding to the user-specified digest, if available. + if s.imageRef.named != nil { + if digested, ok := s.imageRef.named.(reference.Digested); ok { +- key := manifestBigDataKey(digested.Digest()) ++ key, err := manifestBigDataKey(digested.Digest()) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil && !os.IsNotExist(err) { // os.IsNotExist is true if the image exists but there is no data corresponding to key + return nil, "", err +@@ -329,7 +335,14 @@ func (s *storageImageSource) GetSignaturesWithFormat(ctx context.Context, instan + instance := "default instance" + if instanceDigest != nil { + signatureSizes = s.SignaturesSizes[*instanceDigest] +- key = signatureBigDataKey(*instanceDigest) ++ k, err := signatureBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, err ++ } ++ key = k ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. 
++ return nil, err ++ } + instance = instanceDigest.Encoded() + } + if len(signatureSizes) > 0 { +diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go +index b24ee881a439..62d824b3eb20 100644 +--- a/vendor/github.com/containers/image/v5/version/version.go ++++ b/vendor/github.com/containers/image/v5/version/version.go +@@ -8,7 +8,7 @@ const ( + // VersionMinor is for functionality in a backwards-compatible manner + VersionMinor = 29 + // VersionPatch is for backwards-compatible bug fixes +- VersionPatch = 2 ++ VersionPatch = 3 + + // VersionDev indicates development branch. Releases will be empty string. + VersionDev = "" +diff --git a/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go b/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go +index cd2241cbc69e..24e1d619d6e7 100644 +--- a/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go ++++ b/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go +@@ -123,9 +123,24 @@ func addPubKeys(joseRecipients *[]jose.Recipient, pubKeys [][]byte) error { + } + + alg := jose.RSA_OAEP +- switch key.(type) { ++ switch key := key.(type) { + case *ecdsa.PublicKey: + alg = jose.ECDH_ES_A256KW ++ case *jose.JSONWebKey: ++ if key.Algorithm != "" { ++ alg = jose.KeyAlgorithm(key.Algorithm) ++ switch alg { ++ /* accepted algorithms */ ++ case jose.RSA_OAEP: ++ case jose.RSA_OAEP_256: ++ case jose.ECDH_ES_A128KW: ++ case jose.ECDH_ES_A192KW: ++ case jose.ECDH_ES_A256KW: ++ /* all others are rejected */ ++ default: ++ return fmt.Errorf("%s is an unsupported JWE key algorithm", alg) ++ } ++ } + } + + *joseRecipients = append(*joseRecipients, jose.Recipient{ +diff --git a/vendor/github.com/containers/ocicrypt/utils/testing.go b/vendor/github.com/containers/ocicrypt/utils/testing.go +index 69bb9d12f1fb..050aa885e329 100644 +--- a/vendor/github.com/containers/ocicrypt/utils/testing.go ++++ 
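Review bot: In GetSignaturesWithFormat the `instanceDigest.Validate()` check added after `key = k` re-validates a digest that `signatureBigDataKey` has just validated (its new body in the storage_image.go hunk of this patch calls `digest.Validate()` before `Encoded()`), so the second check cannot fail once the first call succeeded. Keeping it is harmless, but it should then say why, e.g. `// Redundant with signatureBigDataKey; kept so Encoded() below stays safe if that helper changes.`, or `instance = instanceDigest.Encoded()` could simply sit under the existing error check. The function's body continues outside the hunk.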
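Review bot: The allow-list switch for `*jose.JSONWebKey` spells out five empty cases with `/* */` annotations; Go's comma-separated case form expresses the same accept set in one line, `case jose.RSA_OAEP, jose.RSA_OAEP_256, jose.ECDH_ES_A128KW, jose.ECDH_ES_A192KW, jose.ECDH_ES_A256KW:` followed by the `default:` rejection, and reads more clearly as an explicit allow-list. Rejecting everything outside that set by default is the right shape for a key-wrapping algorithm check. One thing to confirm: a JWK whose `Algorithm` is empty keeps `alg = jose.RSA_OAEP` regardless of the embedded key type, whereas a bare `*ecdsa.PublicKey` is mapped to ECDH-ES; presumably a mismatch is rejected later when the recipient is used, but deriving the default from the JWK's key type would keep the two paths consistent. addPubKeys' body starts and ends outside the hunk.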
b/vendor/github.com/containers/ocicrypt/utils/testing.go +@@ -38,6 +38,15 @@ func CreateRSAKey(bits int) (*rsa.PrivateKey, error) { + return key, nil + } + ++// CreateECDSAKey creates an elliptic curve key for the given curve ++func CreateECDSAKey(curve elliptic.Curve) (*ecdsa.PrivateKey, error) { ++ key, err := ecdsa.GenerateKey(curve, rand.Reader) ++ if err != nil { ++ return nil, fmt.Errorf("ecdsa.GenerateKey failed: %w", err) ++ } ++ return key, nil ++} ++ + // CreateRSATestKey creates an RSA key of the given size and returns + // the public and private key in PEM or DER format + func CreateRSATestKey(bits int, password []byte, pemencode bool) ([]byte, []byte, error) { +@@ -85,9 +94,9 @@ func CreateRSATestKey(bits int, password []byte, pemencode bool) ([]byte, []byte + // CreateECDSATestKey creates and elliptic curve key for the given curve and returns + // the public and private key in DER format + func CreateECDSATestKey(curve elliptic.Curve) ([]byte, []byte, error) { +- key, err := ecdsa.GenerateKey(curve, rand.Reader) ++ key, err := CreateECDSAKey(curve) + if err != nil { +- return nil, nil, fmt.Errorf("ecdsa.GenerateKey failed: %w", err) ++ return nil, nil, err + } + + pubData, err := x509.MarshalPKIXPublicKey(&key.PublicKey) +diff --git a/vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md b/vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md +deleted file mode 100644 +index 3305db0f653f..000000000000 +--- a/vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md ++++ /dev/null +@@ -1,10 +0,0 @@ +-Serious about security +-====================== +- +-Square recognizes the important contributions the security research community +-can make. We therefore encourage reporting security issues with the code +-contained in this repository. +- +-If you believe you have discovered a security vulnerability, please follow the +-guidelines at . 
+- +diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md +index 7820c2f4d78f..ce2a54ebf246 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md ++++ b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md +@@ -1,6 +1,76 @@ ++# v4.0.1 ++ ++## Fixed ++ ++ - An attacker could send a JWE containing compressed data that used large ++ amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`. ++ Those functions now return an error if the decompressed data would exceed ++ 250kB or 10x the compressed size (whichever is larger). Thanks to ++ Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) ++ for reporting. ++ ++# v4.0.0 ++ ++This release makes some breaking changes in order to more thoroughly ++address the vulnerabilities discussed in [Three New Attacks Against JSON Web ++Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot ++token". ++ ++## Changed ++ ++ - Limit JWT encryption types (exclude password or public key types) (#78) ++ - Enforce minimum length for HMAC keys (#85) ++ - jwt: match any audience in a list, rather than requiring all audiences (#81) ++ - jwt: accept only Compact Serialization (#75) ++ - jws: Add expected algorithms for signatures (#74) ++ - Require specifying expected algorithms for ParseEncrypted, ++ ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, ++ jwt.ParseSignedAndEncrypted (#69, #74) ++ - Usually there is a small, known set of appropriate algorithms for a program ++ to use and it's a mistake to allow unexpected algorithms. For instance the ++ "billion hash attack" relies in part on programs accepting the PBES2 ++ encryption algorithm and doing the necessary work even if they weren't ++ specifically configured to allow PBES2. ++ - Revert "Strip padding off base64 strings" (#82) ++ - The specs require base64url encoding without padding. 
++ - Minimum supported Go version is now 1.21 ++ ++## Added ++ ++ - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON. ++ - These allow parsing a specific serialization, as opposed to ParseSigned and ++ ParseEncrypted, which try to automatically detect which serialization was ++ provided. It's common to require a specific serialization for a specific ++ protocol - for instance JWT requires Compact serialization. ++ ++[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf ++ ++# v3.0.3 ++ ++## Fixed ++ ++ - Limit decompression output size to prevent a DoS. Backport from v4.0.1. ++ ++# v3.0.2 ++ ++## Fixed ++ ++ - DecryptMulti: handle decompression error (#19) ++ ++## Changed ++ ++ - jwe/CompactSerialize: improve performance (#67) ++ - Increase the default number of PBKDF2 iterations to 600k (#48) ++ - Return the proper algorithm for ECDSA keys (#45) ++ ++## Added ++ ++ - Add Thumbprint support for opaque signers (#38) ++ + # v3.0.1 + +-Fixed: ++## Fixed ++ + - Security issue: an attacker specifying a large "p2c" value can cause + JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large + amounts of CPU, causing a DoS. 
Thanks to Matt Schwager (@mschwager) for the +diff --git a/vendor/github.com/go-jose/go-jose/v3/README.md b/vendor/github.com/go-jose/go-jose/v3/README.md +index b90c7e5c6ba1..282cd9e135b6 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/README.md ++++ b/vendor/github.com/go-jose/go-jose/v3/README.md +@@ -1,10 +1,17 @@ + # Go JOSE + +-[![godoc](http://img.shields.io/badge/godoc-jose_package-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2) +-[![godoc](http://img.shields.io/badge/godoc-jwt_package-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2/jwt) +-[![license](http://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE) +-[![build](https://travis-ci.org/go-jose/go-jose.svg?branch=master)](https://travis-ci.org/go-jose/go-jose) +-[![coverage](https://coveralls.io/repos/github/go-jose/go-jose/badge.svg?branch=master)](https://coveralls.io/r/go-jose/go-jose) ++### Versions ++ ++[Version 4](https://github.com/go-jose/go-jose) ++([branch](https://github.com/go-jose/go-jose/), ++[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version: ++ ++ import "github.com/go-jose/go-jose/v4" ++ ++The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which ++are deprecated. ++ ++### Summary + + Package jose aims to provide an implementation of the Javascript Object Signing + and Encryption set of standards. This includes support for JSON Web Encryption, +@@ -21,13 +28,13 @@ US maintained blocked list. + ## Overview + + The implementation follows the +-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516) (RFC 7516), +-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515) (RFC 7515), and +-[JSON Web Token](http://dx.doi.org/10.17487/RFC7519) (RFC 7519) specifications. 
++[JSON Web Encryption](https://dx.doi.org/10.17487/RFC7516) (RFC 7516), ++[JSON Web Signature](https://dx.doi.org/10.17487/RFC7515) (RFC 7515), and ++[JSON Web Token](https://dx.doi.org/10.17487/RFC7519) (RFC 7519) specifications. + Tables of supported algorithms are shown below. The library supports both + the compact and JWS/JWE JSON Serialization formats, and has optional support for + multiple recipients. It also comes with a small command-line utility +-([`jose-util`](https://github.com/go-jose/go-jose/tree/master/jose-util)) ++([`jose-util`](https://pkg.go.dev/github.com/go-jose/go-jose/jose-util)) + for dealing with JOSE messages in a shell. + + **Note**: We use a forked version of the `encoding/json` package from the Go +@@ -36,31 +43,10 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren + This is to avoid differences in interpretation of messages between go-jose and + libraries in other languages. + +-### Versions +- +-[Version 2](https://gopkg.in/go-jose/go-jose.v2) +-([branch](https://github.com/go-jose/go-jose/tree/v2), +-[doc](https://godoc.org/gopkg.in/go-jose/go-jose.v2)) is the current stable version: +- +- import "gopkg.in/go-jose/go-jose.v2" +- +-[Version 3](https://github.com/go-jose/go-jose) +-([branch](https://github.com/go-jose/go-jose/tree/master), +-[doc](https://godoc.org/github.com/go-jose/go-jose)) is the under development/unstable version (not released yet): +- +- import "github.com/go-jose/go-jose/v3" +- +-All new feature development takes place on the `master` branch, which we are +-preparing to release as version 3 soon. Version 2 will continue to receive +-critical bug and security fixes. Note that starting with version 3 we are +-using Go modules for versioning instead of `gopkg.in` as before. Version 3 also will require Go version 1.13 or higher. +- +-Version 1 (on the `v1` branch) is frozen and not supported anymore. +- + ### Supported algorithms + + See below for a table of supported algorithms. 
Algorithm identifiers match +-the names in the [JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518) ++the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518) + standard where possible. The Godoc reference has a list of constants. + + Key encryption | Algorithm identifier(s) +@@ -103,20 +89,20 @@ allows attaching a key id. + + Algorithm(s) | Corresponding types + :------------------------- | ------------------------------- +- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey) +- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey) +- EdDSA1 | [ed25519.PublicKey](https://godoc.org/pkg/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://godoc.org/pkg/crypto/ed25519#PrivateKey) ++ RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) ++ ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) ++ EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) + AES, HMAC | []byte + + 1. Only available in version 2 or later of the package + + ## Examples + +-[![godoc](http://img.shields.io/badge/godoc-jose_package-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2) +-[![godoc](http://img.shields.io/badge/godoc-jwt_package-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2/jwt) ++[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3) ++[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt) + + Examples can be found in the Godoc + reference for this package. 
The +-[`jose-util`](https://github.com/go-jose/go-jose/tree/master/jose-util) ++[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util) + subdirectory also contains a small command-line utility which might be useful + as an example as well. +diff --git a/vendor/github.com/go-jose/go-jose/v3/SECURITY.md b/vendor/github.com/go-jose/go-jose/v3/SECURITY.md +new file mode 100644 +index 000000000000..2f18a75a8228 +--- /dev/null ++++ b/vendor/github.com/go-jose/go-jose/v3/SECURITY.md +@@ -0,0 +1,13 @@ ++# Security Policy ++This document explains how to contact the Let's Encrypt security team to report security vulnerabilities. ++ ++## Supported Versions ++| Version | Supported | ++| ------- | ----------| ++| >= v3 | ✓ | ++| v2 | ✗ | ++| v1 | ✗ | ++ ++## Reporting a vulnerability ++ ++Please see [https://letsencrypt.org/contact/#security](https://letsencrypt.org/contact/#security) for the email address to report a vulnerability. Ensure that the subject line for your report contains the word `vulnerability` and is descriptive. Your email should be acknowledged within 24 hours. If you do not receive a response within 24 hours, please follow-up again with another email. +diff --git a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go b/vendor/github.com/go-jose/go-jose/v3/asymmetric.go +index 78abc3268300..d4d4961b2401 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go ++++ b/vendor/github.com/go-jose/go-jose/v3/asymmetric.go +@@ -285,6 +285,9 @@ func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm + + switch alg { + case RS256, RS384, RS512: ++ // TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the ++ // random parameter is legacy and ignored, and it can be nil. 
++ // https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1 + out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed) + case PS256, PS384, PS512: + out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{ +diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go +index 6901137e4469..8870e8905f0d 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go ++++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go +@@ -21,7 +21,6 @@ import ( + "crypto/rsa" + "errors" + "fmt" +- "reflect" + + "github.com/go-jose/go-jose/v3/json" + ) +@@ -76,14 +75,24 @@ type recipientKeyInfo struct { + type EncrypterOptions struct { + Compression CompressionAlgorithm + +- // Optional map of additional keys to be inserted into the protected header +- // of a JWS object. Some specifications which make use of JWS like to insert +- // additional values here. All values must be JSON-serializable. ++ // Optional map of name/value pairs to be inserted into the protected ++ // header of a JWS object. Some specifications which make use of ++ // JWS require additional values here. ++ // ++ // Values will be serialized by [json.Marshal] and must be valid inputs to ++ // that function. ++ // ++ // [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal + ExtraHeaders map[HeaderKey]interface{} + } + + // WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it +-// if necessary. It returns itself and so can be used in a fluent style. ++// if necessary, and returns the updated EncrypterOptions. ++// ++// The v parameter will be serialized by [json.Marshal] and must be a valid ++// input to that function. 
++// ++// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal + func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions { + if eo.ExtraHeaders == nil { + eo.ExtraHeaders = map[HeaderKey]interface{}{} +@@ -111,7 +120,17 @@ func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions { + // default of 100000 will be used for the count and a 128-bit random salt will + // be generated. + type Recipient struct { +- Algorithm KeyAlgorithm ++ Algorithm KeyAlgorithm ++ // Key must have one of these types: ++ // - ed25519.PublicKey ++ // - *ecdsa.PublicKey ++ // - *rsa.PublicKey ++ // - *JSONWebKey ++ // - JSONWebKey ++ // - []byte (a symmetric key) ++ // - Any type that satisfies the OpaqueKeyEncrypter interface ++ // ++ // The type of Key must match the value of Algorithm. + Key interface{} + KeyID string + PBES2Count int +@@ -150,16 +169,17 @@ func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) + switch rcpt.Algorithm { + case DIRECT: + // Direct encryption mode must be treated differently +- if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) { ++ keyBytes, ok := rawKey.([]byte) ++ if !ok { + return nil, ErrUnsupportedKeyType + } +- if encrypter.cipher.keySize() != len(rawKey.([]byte)) { ++ if encrypter.cipher.keySize() != len(keyBytes) { + return nil, ErrInvalidKeySize + } + encrypter.keyGenerator = staticKeyGenerator{ +- key: rawKey.([]byte), ++ key: keyBytes, + } +- recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, rawKey.([]byte)) ++ recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, keyBytes) + recipientInfo.keyID = keyID + if rcpt.KeyID != "" { + recipientInfo.keyID = rcpt.KeyID +@@ -168,16 +188,16 @@ func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) + return encrypter, nil + case ECDH_ES: + // ECDH-ES (w/o key wrapping) is similar to DIRECT mode +- typeOf := reflect.TypeOf(rawKey) +- if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) { ++ keyDSA, 
ok := rawKey.(*ecdsa.PublicKey) ++ if !ok { + return nil, ErrUnsupportedKeyType + } + encrypter.keyGenerator = ecKeyGenerator{ + size: encrypter.cipher.keySize(), + algID: string(enc), +- publicKey: rawKey.(*ecdsa.PublicKey), ++ publicKey: keyDSA, + } +- recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, rawKey.(*ecdsa.PublicKey)) ++ recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, keyDSA) + recipientInfo.keyID = keyID + if rcpt.KeyID != "" { + recipientInfo.keyID = rcpt.KeyID +@@ -270,9 +290,8 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey + recipient, err := makeJWERecipient(alg, encryptionKey.Key) + recipient.keyID = encryptionKey.KeyID + return recipient, err +- } +- if encrypter, ok := encryptionKey.(OpaqueKeyEncrypter); ok { +- return newOpaqueKeyEncrypter(alg, encrypter) ++ case OpaqueKeyEncrypter: ++ return newOpaqueKeyEncrypter(alg, encryptionKey) + } + return recipientKeyInfo{}, ErrUnsupportedKeyType + } +@@ -300,11 +319,11 @@ func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) { + return newDecrypter(decryptionKey.Key) + case *JSONWebKey: + return newDecrypter(decryptionKey.Key) ++ case OpaqueKeyDecrypter: ++ return &opaqueKeyDecrypter{decrypter: decryptionKey}, nil ++ default: ++ return nil, ErrUnsupportedKeyType + } +- if okd, ok := decryptionKey.(OpaqueKeyDecrypter); ok { +- return &opaqueKeyDecrypter{decrypter: okd}, nil +- } +- return nil, ErrUnsupportedKeyType + } + + // Implementation of encrypt method producing a JWE object. +@@ -403,9 +422,27 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { + } + } + +-// Decrypt and validate the object and return the plaintext. Note that this +-// function does not support multi-recipient, if you desire multi-recipient ++// Decrypt and validate the object and return the plaintext. This ++// function does not support multi-recipient. If you desire multi-recipient + // decryption use DecryptMulti instead. 
++// ++// The decryptionKey argument must contain a private or symmetric key ++// and must have one of these types: ++// - *ecdsa.PrivateKey ++// - *rsa.PrivateKey ++// - *JSONWebKey ++// - JSONWebKey ++// - *JSONWebKeySet ++// - JSONWebKeySet ++// - []byte (a symmetric key) ++// - string (a symmetric key) ++// - Any type that satisfies the OpaqueKeyDecrypter interface. ++// ++// Note that ed25519 is only available for signatures, not encryption, so is ++// not an option here. ++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >10x the size of the compressed data, whichever is larger. + func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { + headers := obj.mergedHeaders(nil) + +@@ -462,15 +499,24 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) + // The "zip" header parameter may only be present in the protected header. + if comp := obj.protected.getCompression(); comp != "" { + plaintext, err = decompress(comp, plaintext) ++ if err != nil { ++ return nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err) ++ } + } + +- return plaintext, err ++ return plaintext, nil + } + + // DecryptMulti decrypts and validates the object and returns the plaintexts, + // with support for multiple recipients. It returns the index of the recipient + // for which the decryption was successful, the merged headers for that recipient, + // and the plaintext. ++// ++// The decryptionKey argument must have one of the types allowed for the ++// decryptionKey argument of Decrypt(). ++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >3x the size of the compressed data, whichever is larger. 
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { + globalHeaders := obj.mergedHeaders(nil) + +@@ -532,7 +578,10 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade + + // The "zip" header parameter may only be present in the protected header. + if comp := obj.protected.getCompression(); comp != "" { +- plaintext, _ = decompress(comp, plaintext) ++ plaintext, err = decompress(comp, plaintext) ++ if err != nil { ++ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err) ++ } + } + + sanitized, err := headers.sanitized() +diff --git a/vendor/github.com/go-jose/go-jose/v3/doc.go b/vendor/github.com/go-jose/go-jose/v3/doc.go +index 71ec1c419b17..0ad40ca085f1 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/doc.go ++++ b/vendor/github.com/go-jose/go-jose/v3/doc.go +@@ -15,13 +15,11 @@ + */ + + /* +- + Package jose aims to provide an implementation of the Javascript Object Signing + and Encryption set of standards. It implements encryption and signing based on + the JSON Web Encryption and JSON Web Signature standards, with optional JSON Web + Token support available in a sub-package. The library supports both the compact + and JWS/JWE JSON Serialization formats, and has optional support for multiple + recipients. 
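Review bot: The two new doc comments disagree about the decompression bound: the Decrypt comment added in the preceding hunk says the plaintext is rejected above `>250kB or >10x` the compressed size, while the DecryptMulti comment added at the end of this hunk says `>3x`. Only one of them can match the limit enforced in `decompress`, which is outside these hunks; the figure should be read from that function and the other comment corrected, e.g. `// data would be >250kB or >10x the size of the compressed data, whichever is larger.` if 10x is the implemented value. Separately, both new error returns here and in the following `@@ -532,7 +578,10 @@` hunk format the cause with `%v`, so callers lose `errors.Is`/`errors.As` access to the underlying decompression error; `fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %w", err)` would keep the chain.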
+- + */ + package jose +diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go +index 968a42496e16..9f07cfdcb8c5 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go ++++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go +@@ -202,3 +202,36 @@ func base64URLDecode(value string) ([]byte, error) { + value = strings.TrimRight(value, "=") + return base64.RawURLEncoding.DecodeString(value) + } ++ ++func base64EncodeLen(sl []byte) int { ++ return base64.RawURLEncoding.EncodedLen(len(sl)) ++} ++ ++func base64JoinWithDots(inputs ...[]byte) string { ++ if len(inputs) == 0 { ++ return "" ++ } ++ ++ // Count of dots. ++ totalCount := len(inputs) - 1 ++ ++ for _, input := range inputs { ++ totalCount += base64EncodeLen(input) ++ } ++ ++ out := make([]byte, totalCount) ++ startEncode := 0 ++ for i, input := range inputs { ++ base64.RawURLEncoding.Encode(out[startEncode:], input) ++ ++ if i == len(inputs)-1 { ++ continue ++ } ++ ++ startEncode += base64EncodeLen(input) ++ out[startEncode] = '.' ++ startEncode++ ++ } ++ ++ return string(out) ++} +diff --git a/vendor/github.com/go-jose/go-jose/v3/json/decode.go b/vendor/github.com/go-jose/go-jose/v3/json/decode.go +index 4dbc4146cf9f..50634dd84781 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/json/decode.go ++++ b/vendor/github.com/go-jose/go-jose/v3/json/decode.go +@@ -75,14 +75,13 @@ import ( + // + // The JSON null value unmarshals into an interface, map, pointer, or slice + // by setting that Go value to nil. Because null is often used in JSON to mean +-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect ++// “not present,” unmarshaling a JSON null into any other Go type has no effect + // on the value and produces no error. + // + // When unmarshaling quoted strings, invalid UTF-8 or + // invalid UTF-16 surrogate pairs are not treated as an error. 
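Review bot: The two new helpers `base64EncodeLen` and `base64JoinWithDots` carry no doc comment, and the name `totalCount` together with the `// Count of dots.` comment above it hides that the variable ends up as the full byte length of the output, not a dot count. A header such as `// base64JoinWithDots encodes each input with unpadded base64url and joins the results with '.', writing into one preallocated buffer; an empty input yields an empty segment.` would make the contract clear to the callers in jwe.go and jws.go elsewhere in this patch. The inline comment is only true for the initial assignment; `// Output length: one dot between segments plus each encoded segment.` describes the whole computation.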
+ // Instead, they are replaced by the Unicode replacement + // character U+FFFD. +-// + func Unmarshal(data []byte, v interface{}) error { + // Check for well-formedness. + // Avoids filling out half a data structure +diff --git a/vendor/github.com/go-jose/go-jose/v3/json/encode.go b/vendor/github.com/go-jose/go-jose/v3/json/encode.go +index ea0a1361987d..98de68ce1e9b 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/json/encode.go ++++ b/vendor/github.com/go-jose/go-jose/v3/json/encode.go +@@ -58,6 +58,7 @@ import ( + // becomes a member of the object unless + // - the field's tag is "-", or + // - the field is empty and its tag specifies the "omitempty" option. ++// + // The empty values are false, 0, any + // nil pointer or interface value, and any array, slice, map, or string of + // length zero. The object's default key string is the struct field name +@@ -65,28 +66,28 @@ import ( + // the struct field's tag value is the key name, followed by an optional comma + // and options. Examples: + // +-// // Field is ignored by this package. +-// Field int `json:"-"` ++// // Field is ignored by this package. ++// Field int `json:"-"` + // +-// // Field appears in JSON as key "myName". +-// Field int `json:"myName"` ++// // Field appears in JSON as key "myName". ++// Field int `json:"myName"` + // +-// // Field appears in JSON as key "myName" and +-// // the field is omitted from the object if its value is empty, +-// // as defined above. +-// Field int `json:"myName,omitempty"` ++// // Field appears in JSON as key "myName" and ++// // the field is omitted from the object if its value is empty, ++// // as defined above. ++// Field int `json:"myName,omitempty"` + // +-// // Field appears in JSON as key "Field" (the default), but +-// // the field is skipped if empty. +-// // Note the leading comma. +-// Field int `json:",omitempty"` ++// // Field appears in JSON as key "Field" (the default), but ++// // the field is skipped if empty. ++// // Note the leading comma. 
++// Field int `json:",omitempty"` + // + // The "string" option signals that a field is stored as JSON inside a + // JSON-encoded string. It applies only to fields of string, floating point, + // integer, or boolean types. This extra level of encoding is sometimes used + // when communicating with JavaScript programs: + // +-// Int64String int64 `json:",string"` ++// Int64String int64 `json:",string"` + // + // The key name will be used if it's a non-empty string consisting of + // only Unicode letters, digits, dollar signs, percent signs, hyphens, +@@ -133,7 +134,6 @@ import ( + // JSON cannot represent cyclic data structures and Marshal does not + // handle them. Passing cyclic structures to Marshal will result in + // an infinite recursion. +-// + func Marshal(v interface{}) ([]byte, error) { + e := &encodeState{} + err := e.marshal(v) +diff --git a/vendor/github.com/go-jose/go-jose/v3/json/stream.go b/vendor/github.com/go-jose/go-jose/v3/json/stream.go +index 9b2b926b0333..f03b171e6a4c 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/json/stream.go ++++ b/vendor/github.com/go-jose/go-jose/v3/json/stream.go +@@ -240,7 +240,6 @@ var _ Unmarshaler = (*RawMessage)(nil) + // Number, for JSON numbers + // string, for JSON string literals + // nil, for JSON null +-// + type Token interface{} + + const ( +diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go +index bce304504371..4267ac75025a 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go ++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go +@@ -252,13 +252,13 @@ func (obj JSONWebEncryption) CompactSerialize() (string, error) { + + serializedProtected := mustSerializeJSON(obj.protected) + +- return fmt.Sprintf( +- "%s.%s.%s.%s.%s", +- base64.RawURLEncoding.EncodeToString(serializedProtected), +- base64.RawURLEncoding.EncodeToString(obj.recipients[0].encryptedKey), +- base64.RawURLEncoding.EncodeToString(obj.iv), +- 
base64.RawURLEncoding.EncodeToString(obj.ciphertext), +- base64.RawURLEncoding.EncodeToString(obj.tag)), nil ++ return base64JoinWithDots( ++ serializedProtected, ++ obj.recipients[0].encryptedKey, ++ obj.iv, ++ obj.ciphertext, ++ obj.tag, ++ ), nil + } + + // FullSerialize serializes an object using the full JSON serialization format. +diff --git a/vendor/github.com/go-jose/go-jose/v3/jwk.go b/vendor/github.com/go-jose/go-jose/v3/jwk.go +index 78ff5aca5b32..e4021959ab47 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/jwk.go ++++ b/vendor/github.com/go-jose/go-jose/v3/jwk.go +@@ -67,9 +67,21 @@ type rawJSONWebKey struct { + X5tSHA256 string `json:"x5t#S256,omitempty"` + } + +-// JSONWebKey represents a public or private key in JWK format. ++// JSONWebKey represents a public or private key in JWK format. It can be ++// marshaled into JSON and unmarshaled from JSON. + type JSONWebKey struct { +- // Cryptographic key, can be a symmetric or asymmetric key. ++ // Key is the Go in-memory representation of this key. It must have one ++ // of these types: ++ // - ed25519.PublicKey ++ // - ed25519.PrivateKey ++ // - *ecdsa.PublicKey ++ // - *ecdsa.PrivateKey ++ // - *rsa.PublicKey ++ // - *rsa.PrivateKey ++ // - []byte (a symmetric key) ++ // ++ // When marshaling this JSONWebKey into JSON, the "kty" header parameter ++ // will be automatically set based on the type of this field. + Key interface{} + // Key identifier, parsed from `kid` header. 
+ KeyID string +@@ -389,6 +401,8 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + input, err = rsaThumbprintInput(key.N, key.E) + case ed25519.PrivateKey: + input, err = edThumbprintInput(ed25519.PublicKey(key[32:])) ++ case OpaqueSigner: ++ return key.Public().Thumbprint(hash) + default: + return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key)) + } +diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go +index 865f16ad3359..e37007dbb855 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/jws.go ++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go +@@ -314,15 +314,18 @@ func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) { + return "", ErrNotSupported + } + +- serializedProtected := base64.RawURLEncoding.EncodeToString(mustSerializeJSON(obj.Signatures[0].protected)) +- payload := "" +- signature := base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature) ++ serializedProtected := mustSerializeJSON(obj.Signatures[0].protected) + ++ var payload []byte + if !detached { +- payload = base64.RawURLEncoding.EncodeToString(obj.payload) ++ payload = obj.payload + } + +- return fmt.Sprintf("%s.%s.%s", serializedProtected, payload, signature), nil ++ return base64JoinWithDots( ++ serializedProtected, ++ payload, ++ obj.Signatures[0].Signature, ++ ), nil + } + + // CompactSerialize serializes an object using the compact serialization format. +diff --git a/vendor/github.com/go-jose/go-jose/v3/opaque.go b/vendor/github.com/go-jose/go-jose/v3/opaque.go +index fc3e8d2ef6ef..68db085ef6b3 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/opaque.go ++++ b/vendor/github.com/go-jose/go-jose/v3/opaque.go +@@ -121,7 +121,7 @@ func (oke *opaqueKeyEncrypter) encryptKey(cek []byte, alg KeyAlgorithm) (recipie + return oke.encrypter.encryptKey(cek, alg) + } + +-//OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key. 
++// OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key. + type OpaqueKeyDecrypter interface { + DecryptKey(encryptedKey []byte, header Header) ([]byte, error) + } +diff --git a/vendor/github.com/go-jose/go-jose/v3/shared.go b/vendor/github.com/go-jose/go-jose/v3/shared.go +index fc2505e0eb43..489a04e32aaf 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/shared.go ++++ b/vendor/github.com/go-jose/go-jose/v3/shared.go +@@ -183,8 +183,13 @@ type Header struct { + // Unverified certificate chain parsed from x5c header. + certificates []*x509.Certificate + +- // Any headers not recognised above get unmarshalled +- // from JSON in a generic manner and placed in this map. ++ // At parse time, each header parameter with a name other than "kid", ++ // "jwk", "alg", "nonce", or "x5c" will have its value passed to ++ // [json.Unmarshal] to unmarshal it into an interface value. ++ // The resulting value will be stored in this map, with the header ++ // parameter name as the key. ++ // ++ // [json.Unmarshal]: https://pkg.go.dev/encoding/json#Unmarshal + ExtraHeaders map[HeaderKey]interface{} + } + +diff --git a/vendor/github.com/go-jose/go-jose/v3/signing.go b/vendor/github.com/go-jose/go-jose/v3/signing.go +index 81d55f587598..52f3d856040b 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/signing.go ++++ b/vendor/github.com/go-jose/go-jose/v3/signing.go +@@ -40,6 +40,15 @@ type Signer interface { + } + + // SigningKey represents an algorithm/key used to sign a message. ++// ++// Key must have one of these types: ++// - ed25519.PrivateKey ++// - *ecdsa.PrivateKey ++// - *rsa.PrivateKey ++// - *JSONWebKey ++// - JSONWebKey ++// - []byte (an HMAC key) ++// - Any type that satisfies the OpaqueSigner interface + type SigningKey struct { + Algorithm SignatureAlgorithm + Key interface{} +@@ -52,12 +61,22 @@ type SignerOptions struct { + + // Optional map of additional keys to be inserted into the protected header + // of a JWS object. 
Some specifications which make use of JWS like to insert +- // additional values here. All values must be JSON-serializable. ++ // additional values here. ++ // ++ // Values will be serialized by [json.Marshal] and must be valid inputs to ++ // that function. ++ // ++ // [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal + ExtraHeaders map[HeaderKey]interface{} + } + + // WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it +-// if necessary. It returns itself and so can be used in a fluent style. ++// if necessary, and returns the updated SignerOptions. ++// ++// The v argument will be serialized by [json.Marshal] and must be a valid ++// input to that function. ++// ++// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal + func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions { + if so.ExtraHeaders == nil { + so.ExtraHeaders = map[HeaderKey]interface{}{} +@@ -173,11 +192,11 @@ func newVerifier(verificationKey interface{}) (payloadVerifier, error) { + return newVerifier(verificationKey.Key) + case *JSONWebKey: + return newVerifier(verificationKey.Key) ++ case OpaqueVerifier: ++ return &opaqueVerifier{verifier: verificationKey}, nil ++ default: ++ return nil, ErrUnsupportedKeyType + } +- if ov, ok := verificationKey.(OpaqueVerifier); ok { +- return &opaqueVerifier{verifier: ov}, nil +- } +- return nil, ErrUnsupportedKeyType + } + + func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error { +@@ -204,11 +223,11 @@ func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipient + return newJWKSigner(alg, signingKey) + case *JSONWebKey: + return newJWKSigner(alg, *signingKey) ++ case OpaqueSigner: ++ return newOpaqueSigner(alg, signingKey) ++ default: ++ return recipientSigInfo{}, ErrUnsupportedKeyType + } +- if signer, ok := signingKey.(OpaqueSigner); ok { +- return newOpaqueSigner(alg, signer) +- } +- return recipientSigInfo{}, ErrUnsupportedKeyType + } + 
+ func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) { +@@ -321,12 +340,21 @@ func (ctx *genericSigner) Options() SignerOptions { + } + + // Verify validates the signature on the object and returns the payload. +-// This function does not support multi-signature, if you desire multi-sig ++// This function does not support multi-signature. If you desire multi-signature + // verification use VerifyMulti instead. + // + // Be careful when verifying signatures based on embedded JWKs inside the + // payload header. You cannot assume that the key received in a payload is + // trusted. ++// ++// The verificationKey argument must have one of these types: ++// - ed25519.PublicKey ++// - *ecdsa.PublicKey ++// - *rsa.PublicKey ++// - *JSONWebKey ++// - JSONWebKey ++// - []byte (an HMAC key) ++// - Any type that implements the OpaqueVerifier interface. + func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) { + err := obj.DetachedVerify(obj.payload, verificationKey) + if err != nil { +@@ -346,6 +374,9 @@ func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte { + // most cases, you will probably want to use Verify instead. DetachedVerify + // is only useful if you have a payload and signature that are separated from + // each other. ++// ++// The verificationKey argument must have one of the types allowed for the ++// verificationKey argument of JSONWebSignature.Verify(). + func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error { + key := tryJWKS(verificationKey, obj.headers()...) + verifier, err := newVerifier(key) +@@ -388,6 +419,9 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter + // returns the index of the signature that was verified, along with the signature + // object and the payload. We return the signature and index to guarantee that + // callers are getting the verified value. 
++// ++// The verificationKey argument must have one of the types allowed for the ++// verificationKey argument of JSONWebSignature.Verify(). + func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) { + idx, sig, err := obj.DetachedVerifyMulti(obj.payload, verificationKey) + if err != nil { +@@ -405,6 +439,9 @@ func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signa + // DetachedVerifyMulti is only useful if you have a payload and signature that are + // separated from each other, and the signature can have multiple signers at the + // same time. ++// ++// The verificationKey argument must have one of the types allowed for the ++// verificationKey argument of JSONWebSignature.Verify(). + func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) { + key := tryJWKS(verificationKey, obj.headers()...) + verifier, err := newVerifier(key) +diff --git a/vendor/github.com/go-jose/go-jose/v3/symmetric.go b/vendor/github.com/go-jose/go-jose/v3/symmetric.go +index 1ffd2708b219..10d8e19fd10e 100644 +--- a/vendor/github.com/go-jose/go-jose/v3/symmetric.go ++++ b/vendor/github.com/go-jose/go-jose/v3/symmetric.go +@@ -40,12 +40,17 @@ var RandReader = rand.Reader + + const ( + // RFC7518 recommends a minimum of 1,000 iterations: +- // https://tools.ietf.org/html/rfc7518#section-4.8.1.2 ++ // - https://tools.ietf.org/html/rfc7518#section-4.8.1.2 ++ // + // NIST recommends a minimum of 10,000: +- // https://pages.nist.gov/800-63-3/sp800-63b.html +- // 1Password uses 100,000: +- // https://support.1password.com/pbkdf2/ +- defaultP2C = 100000 ++ // - https://pages.nist.gov/800-63-3/sp800-63b.html ++ // ++ // 1Password increased in 2023 from 100,000 to 650,000: ++ // - https://support.1password.com/pbkdf2/ ++ // ++ // OWASP recommended 600,000 in Dec 2022: ++ // - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 ++ 
defaultP2C = 600000 + // Default salt size: 128 bits + defaultP2SSize = 16 + ) +diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh +index c6492020ec79..fdcaa974d23b 100644 +--- a/vendor/golang.org/x/sys/unix/mkerrors.sh ++++ b/vendor/golang.org/x/sys/unix/mkerrors.sh +@@ -584,7 +584,7 @@ ccflags="$@" + $2 ~ /^KEY_(SPEC|REQKEY_DEFL)_/ || + $2 ~ /^KEYCTL_/ || + $2 ~ /^PERF_/ || +- $2 ~ /^SECCOMP_MODE_/ || ++ $2 ~ /^SECCOMP_/ || + $2 ~ /^SEEK_/ || + $2 ~ /^SCHED_/ || + $2 ~ /^SPLICE_/ || +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go +index a5d3ff8df95e..36bf8399f4fa 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go +@@ -1785,6 +1785,8 @@ const ( + LANDLOCK_ACCESS_FS_REMOVE_FILE = 0x20 + LANDLOCK_ACCESS_FS_TRUNCATE = 0x4000 + LANDLOCK_ACCESS_FS_WRITE_FILE = 0x2 ++ LANDLOCK_ACCESS_NET_BIND_TCP = 0x1 ++ LANDLOCK_ACCESS_NET_CONNECT_TCP = 0x2 + LANDLOCK_CREATE_RULESET_VERSION = 0x1 + LINUX_REBOOT_CMD_CAD_OFF = 0x0 + LINUX_REBOOT_CMD_CAD_ON = 0x89abcdef +@@ -2465,6 +2467,7 @@ const ( + PR_MCE_KILL_GET = 0x22 + PR_MCE_KILL_LATE = 0x0 + PR_MCE_KILL_SET = 0x1 ++ PR_MDWE_NO_INHERIT = 0x2 + PR_MDWE_REFUSE_EXEC_GAIN = 0x1 + PR_MPX_DISABLE_MANAGEMENT = 0x2c + PR_MPX_ENABLE_MANAGEMENT = 0x2b +@@ -2669,8 +2672,9 @@ const ( + RTAX_FEATURES = 0xc + RTAX_FEATURE_ALLFRAG = 0x8 + RTAX_FEATURE_ECN = 0x1 +- RTAX_FEATURE_MASK = 0xf ++ RTAX_FEATURE_MASK = 0x1f + RTAX_FEATURE_SACK = 0x2 ++ RTAX_FEATURE_TCP_USEC_TS = 0x10 + RTAX_FEATURE_TIMESTAMP = 0x4 + RTAX_HOPLIMIT = 0xa + RTAX_INITCWND = 0xb +@@ -2913,9 +2917,38 @@ const ( + SCM_RIGHTS = 0x1 + SCM_TIMESTAMP = 0x1d + SC_LOG_FLUSH = 0x100000 ++ SECCOMP_ADDFD_FLAG_SEND = 0x2 ++ SECCOMP_ADDFD_FLAG_SETFD = 0x1 ++ SECCOMP_FILTER_FLAG_LOG = 0x2 ++ SECCOMP_FILTER_FLAG_NEW_LISTENER = 0x8 ++ SECCOMP_FILTER_FLAG_SPEC_ALLOW = 0x4 ++ SECCOMP_FILTER_FLAG_TSYNC = 0x1 ++ 
SECCOMP_FILTER_FLAG_TSYNC_ESRCH = 0x10
++ SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV = 0x20
++ SECCOMP_GET_ACTION_AVAIL = 0x2
++ SECCOMP_GET_NOTIF_SIZES = 0x3
++ SECCOMP_IOCTL_NOTIF_RECV = 0xc0502100
++ SECCOMP_IOCTL_NOTIF_SEND = 0xc0182101
++ SECCOMP_IOC_MAGIC = '!'
+ SECCOMP_MODE_DISABLED = 0x0
+ SECCOMP_MODE_FILTER = 0x2
+ SECCOMP_MODE_STRICT = 0x1
++ SECCOMP_RET_ACTION = 0x7fff0000
++ SECCOMP_RET_ACTION_FULL = 0xffff0000
++ SECCOMP_RET_ALLOW = 0x7fff0000
++ SECCOMP_RET_DATA = 0xffff
++ SECCOMP_RET_ERRNO = 0x50000
++ SECCOMP_RET_KILL = 0x0
++ SECCOMP_RET_KILL_PROCESS = 0x80000000
++ SECCOMP_RET_KILL_THREAD = 0x0
++ SECCOMP_RET_LOG = 0x7ffc0000
++ SECCOMP_RET_TRACE = 0x7ff00000
++ SECCOMP_RET_TRAP = 0x30000
++ SECCOMP_RET_USER_NOTIF = 0x7fc00000
++ SECCOMP_SET_MODE_FILTER = 0x1
++ SECCOMP_SET_MODE_STRICT = 0x0
++ SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP = 0x1
++ SECCOMP_USER_NOTIF_FLAG_CONTINUE = 0x1
+ SECRETMEM_MAGIC = 0x5345434d
+ SECURITYFS_MAGIC = 0x73636673
+ SEEK_CUR = 0x1
+@@ -3075,6 +3108,7 @@ const (
+ SOL_TIPC = 0x10f
+ SOL_TLS = 0x11a
+ SOL_UDP = 0x11
++ SOL_VSOCK = 0x11f
+ SOL_X25 = 0x106
+ SOL_XDP = 0x11b
+ SOMAXCONN = 0x1000
+diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+index 4920821cf3b2..42ff8c3c1b06 100644
+--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+@@ -281,6 +281,9 @@ const (
+ SCM_TIMESTAMPNS = 0x23
+ SCM_TXTIME = 0x3d
+ SCM_WIFI_STATUS = 0x29
++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102
++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104
+ SFD_CLOEXEC = 0x80000
+ SFD_NONBLOCK = 0x800
+ SIOCATMARK = 0x8905
+diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+index a0c1e411275c..dca436004fa4 100644
+--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+@@ -282,6 +282,9 @@ const (
+ SCM_TIMESTAMPNS = 0x23
+ SCM_TXTIME = 0x3d
+ SCM_WIFI_STATUS = 0x29
++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102
++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104
+ SFD_CLOEXEC = 0x80000
+ SFD_NONBLOCK = 0x800
+ SIOCATMARK = 0x8905
+diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+index c63985560f61..5cca668ac302 100644
+--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+@@ -288,6 +288,9 @@ const (
+ SCM_TIMESTAMPNS = 0x23
+ SCM_TXTIME = 0x3d
+ SCM_WIFI_STATUS = 0x29
++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102
++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104
+ SFD_CLOEXEC = 0x80000
+ SFD_NONBLOCK = 0x800
+ SIOCATMARK = 0x8905
+diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+index 47cc62e25c14..d8cae6d15340 100644
+--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+@@ -278,6 +278,9 @@ const (
+ SCM_TIMESTAMPNS = 0x23
+ SCM_TXTIME = 0x3d
+ SCM_WIFI_STATUS = 0x29
++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102
++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104
+ SFD_CLOEXEC = 0x80000
+ SFD_NONBLOCK = 0x800
+ SIOCATMARK = 0x8905
+diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+index 27ac4a09e22a..28e39afdcb4a 100644
+--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+@@ -275,6 +275,9 @@ const (
+ SCM_TIMESTAMPNS = 0x23
+ SCM_TXTIME = 0x3d
+ SCM_WIFI_STATUS = 0x29
++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102
++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104
+ SFD_CLOEXEC = 0x80000
+ 
SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go +index 54694642a5de..cd66e92cb426 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go +@@ -281,6 +281,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x80 + SIOCATMARK = 0x40047307 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go +index 3adb81d75822..c1595eba78e3 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go +@@ -281,6 +281,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x80 + SIOCATMARK = 0x40047307 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go +index 2dfe98f0d1b1..ee9456b0da74 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go +@@ -281,6 +281,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x80 + SIOCATMARK = 0x40047307 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go +index f5398f84f041..8cfca81e1b56 100644 +--- 
a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go +@@ -281,6 +281,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x80 + SIOCATMARK = 0x40047307 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go +index c54f152d68fd..60b0deb3af77 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go +@@ -336,6 +336,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go +index 76057dc72fb5..f90aa7281bfb 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go +@@ -340,6 +340,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go +index e0c3725e2b89..ba9e01503383 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go +@@ -340,6 +340,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 
++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go +index 18f2813ed54b..07cdfd6e9fd3 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go +@@ -272,6 +272,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go +index 11619d4ec88f..2f1dd214a74e 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go +@@ -344,6 +344,9 @@ const ( + SCM_TIMESTAMPNS = 0x23 + SCM_TXTIME = 0x3d + SCM_WIFI_STATUS = 0x29 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 + SFD_CLOEXEC = 0x80000 + SFD_NONBLOCK = 0x800 + SIOCATMARK = 0x8905 +diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go +index 396d994da79c..f40519d90180 100644 +--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go ++++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go +@@ -335,6 +335,9 @@ const ( + SCM_TIMESTAMPNS = 0x21 + SCM_TXTIME = 0x3f + SCM_WIFI_STATUS = 0x25 ++ SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 ++ SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 ++ SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 + SFD_CLOEXEC = 0x400000 + SFD_NONBLOCK = 0x4000 + SF_FP = 0x38 +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go 
b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go +index fcf3ecbddee1..0cc3ce496e22 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go +@@ -448,4 +448,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go +index f56dc2504ae1..856d92d69ef9 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go +@@ -371,4 +371,7 @@ const ( + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go +index 974bf246767e..8d467094cf57 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go +@@ -412,4 +412,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go +index 39a2739e2310..edc173244d0d 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go +@@ -315,4 +315,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go 
+index cf9c9d77e10f..445eba206155 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go +@@ -309,4 +309,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go +index 10b7362ef442..adba01bca701 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go +@@ -432,4 +432,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 4450 + SYS_CACHESTAT = 4451 + SYS_FCHMODAT2 = 4452 ++ SYS_MAP_SHADOW_STACK = 4453 ++ SYS_FUTEX_WAKE = 4454 ++ SYS_FUTEX_WAIT = 4455 ++ SYS_FUTEX_REQUEUE = 4456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go +index cd4d8b4fd35e..014c4e9c7a75 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go +@@ -362,4 +362,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 5450 + SYS_CACHESTAT = 5451 + SYS_FCHMODAT2 = 5452 ++ SYS_MAP_SHADOW_STACK = 5453 ++ SYS_FUTEX_WAKE = 5454 ++ SYS_FUTEX_WAIT = 5455 ++ SYS_FUTEX_REQUEUE = 5456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go +index 2c0efca818b3..ccc97d74d05d 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go +@@ -362,4 +362,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 5450 + SYS_CACHESTAT = 5451 + SYS_FCHMODAT2 = 5452 ++ SYS_MAP_SHADOW_STACK = 5453 ++ SYS_FUTEX_WAKE = 5454 ++ SYS_FUTEX_WAIT = 5455 ++ SYS_FUTEX_REQUEUE = 5456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go 
b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go +index a72e31d391d5..ec2b64a95d74 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go +@@ -432,4 +432,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 4450 + SYS_CACHESTAT = 4451 + SYS_FCHMODAT2 = 4452 ++ SYS_MAP_SHADOW_STACK = 4453 ++ SYS_FUTEX_WAKE = 4454 ++ SYS_FUTEX_WAIT = 4455 ++ SYS_FUTEX_REQUEUE = 4456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go +index c7d1e374713c..21a839e338b3 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go +@@ -439,4 +439,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go +index f4d4838c870d..c11121ec3b4d 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go +@@ -411,4 +411,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go +index b64f0e59114d..909b631fcb45 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go +@@ -411,4 +411,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go 
b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go +index 95711195a064..e49bed16ea6b 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go +@@ -316,4 +316,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go +index f94e943bc4f5..66017d2d32b3 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go +@@ -377,4 +377,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go +index ba0c2bc5154a..47bab18dcedb 100644 +--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go ++++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go +@@ -390,4 +390,8 @@ const ( + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 ++ SYS_MAP_SHADOW_STACK = 453 ++ SYS_FUTEX_WAKE = 454 ++ SYS_FUTEX_WAIT = 455 ++ SYS_FUTEX_REQUEUE = 456 + ) +diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go +index bbf8399ff586..dc0c955eecdf 100644 +--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go ++++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go +@@ -174,7 +174,8 @@ type FscryptPolicyV2 struct { + Contents_encryption_mode uint8 + Filenames_encryption_mode uint8 + Flags uint8 +- _ [4]uint8 ++ Log2_data_unit_size uint8 ++ _ [3]uint8 + Master_key_identifier [16]uint8 + } + +@@ -455,60 +456,63 @@ type Ucred struct { + } + + type TCPInfo struct { +- 
State uint8 +- Ca_state uint8 +- Retransmits uint8 +- Probes uint8 +- Backoff uint8 +- Options uint8 +- Rto uint32 +- Ato uint32 +- Snd_mss uint32 +- Rcv_mss uint32 +- Unacked uint32 +- Sacked uint32 +- Lost uint32 +- Retrans uint32 +- Fackets uint32 +- Last_data_sent uint32 +- Last_ack_sent uint32 +- Last_data_recv uint32 +- Last_ack_recv uint32 +- Pmtu uint32 +- Rcv_ssthresh uint32 +- Rtt uint32 +- Rttvar uint32 +- Snd_ssthresh uint32 +- Snd_cwnd uint32 +- Advmss uint32 +- Reordering uint32 +- Rcv_rtt uint32 +- Rcv_space uint32 +- Total_retrans uint32 +- Pacing_rate uint64 +- Max_pacing_rate uint64 +- Bytes_acked uint64 +- Bytes_received uint64 +- Segs_out uint32 +- Segs_in uint32 +- Notsent_bytes uint32 +- Min_rtt uint32 +- Data_segs_in uint32 +- Data_segs_out uint32 +- Delivery_rate uint64 +- Busy_time uint64 +- Rwnd_limited uint64 +- Sndbuf_limited uint64 +- Delivered uint32 +- Delivered_ce uint32 +- Bytes_sent uint64 +- Bytes_retrans uint64 +- Dsack_dups uint32 +- Reord_seen uint32 +- Rcv_ooopack uint32 +- Snd_wnd uint32 +- Rcv_wnd uint32 +- Rehash uint32 ++ State uint8 ++ Ca_state uint8 ++ Retransmits uint8 ++ Probes uint8 ++ Backoff uint8 ++ Options uint8 ++ Rto uint32 ++ Ato uint32 ++ Snd_mss uint32 ++ Rcv_mss uint32 ++ Unacked uint32 ++ Sacked uint32 ++ Lost uint32 ++ Retrans uint32 ++ Fackets uint32 ++ Last_data_sent uint32 ++ Last_ack_sent uint32 ++ Last_data_recv uint32 ++ Last_ack_recv uint32 ++ Pmtu uint32 ++ Rcv_ssthresh uint32 ++ Rtt uint32 ++ Rttvar uint32 ++ Snd_ssthresh uint32 ++ Snd_cwnd uint32 ++ Advmss uint32 ++ Reordering uint32 ++ Rcv_rtt uint32 ++ Rcv_space uint32 ++ Total_retrans uint32 ++ Pacing_rate uint64 ++ Max_pacing_rate uint64 ++ Bytes_acked uint64 ++ Bytes_received uint64 ++ Segs_out uint32 ++ Segs_in uint32 ++ Notsent_bytes uint32 ++ Min_rtt uint32 ++ Data_segs_in uint32 ++ Data_segs_out uint32 ++ Delivery_rate uint64 ++ Busy_time uint64 ++ Rwnd_limited uint64 ++ Sndbuf_limited uint64 ++ Delivered uint32 ++ Delivered_ce uint32 ++ 
Bytes_sent uint64 ++ Bytes_retrans uint64 ++ Dsack_dups uint32 ++ Reord_seen uint32 ++ Rcv_ooopack uint32 ++ Snd_wnd uint32 ++ Rcv_wnd uint32 ++ Rehash uint32 ++ Total_rto uint16 ++ Total_rto_recoveries uint16 ++ Total_rto_time uint32 + } + + type CanFilter struct { +@@ -551,7 +555,7 @@ const ( + SizeofIPv6MTUInfo = 0x20 + SizeofICMPv6Filter = 0x20 + SizeofUcred = 0xc +- SizeofTCPInfo = 0xf0 ++ SizeofTCPInfo = 0xf8 + SizeofCanFilter = 0x8 + SizeofTCPRepairOpt = 0x8 + ) +@@ -3399,7 +3403,7 @@ const ( + DEVLINK_PORT_FN_ATTR_STATE = 0x2 + DEVLINK_PORT_FN_ATTR_OPSTATE = 0x3 + DEVLINK_PORT_FN_ATTR_CAPS = 0x4 +- DEVLINK_PORT_FUNCTION_ATTR_MAX = 0x4 ++ DEVLINK_PORT_FUNCTION_ATTR_MAX = 0x5 + ) + + type FsverityDigest struct { +@@ -4183,7 +4187,8 @@ const ( + ) + + type LandlockRulesetAttr struct { +- Access_fs uint64 ++ Access_fs uint64 ++ Access_net uint64 + } + + type LandlockPathBeneathAttr struct { +@@ -5134,7 +5139,7 @@ const ( + NL80211_FREQUENCY_ATTR_GO_CONCURRENT = 0xf + NL80211_FREQUENCY_ATTR_INDOOR_ONLY = 0xe + NL80211_FREQUENCY_ATTR_IR_CONCURRENT = 0xf +- NL80211_FREQUENCY_ATTR_MAX = 0x1b ++ NL80211_FREQUENCY_ATTR_MAX = 0x1c + NL80211_FREQUENCY_ATTR_MAX_TX_POWER = 0x6 + NL80211_FREQUENCY_ATTR_NO_10MHZ = 0x11 + NL80211_FREQUENCY_ATTR_NO_160MHZ = 0xc +@@ -5547,7 +5552,7 @@ const ( + NL80211_REGDOM_TYPE_CUSTOM_WORLD = 0x2 + NL80211_REGDOM_TYPE_INTERSECTION = 0x3 + NL80211_REGDOM_TYPE_WORLD = 0x1 +- NL80211_REG_RULE_ATTR_MAX = 0x7 ++ NL80211_REG_RULE_ATTR_MAX = 0x8 + NL80211_REKEY_DATA_AKM = 0x4 + NL80211_REKEY_DATA_KCK = 0x2 + NL80211_REKEY_DATA_KEK = 0x1 +diff --git a/vendor/golang.org/x/sys/windows/env_windows.go b/vendor/golang.org/x/sys/windows/env_windows.go +index b8ad19250689..d4577a423887 100644 +--- a/vendor/golang.org/x/sys/windows/env_windows.go ++++ b/vendor/golang.org/x/sys/windows/env_windows.go +@@ -37,14 +37,17 @@ func (token Token) Environ(inheritExisting bool) (env []string, err error) { + return nil, err + } + defer DestroyEnvironmentBlock(block) 
+- blockp := unsafe.Pointer(block) +- for { +- entry := UTF16PtrToString((*uint16)(blockp)) +- if len(entry) == 0 { +- break ++ size := unsafe.Sizeof(*block) ++ for *block != 0 { ++ // find NUL terminator ++ end := unsafe.Pointer(block) ++ for *(*uint16)(end) != 0 { ++ end = unsafe.Add(end, size) + } +- env = append(env, entry) +- blockp = unsafe.Add(blockp, 2*(len(entry)+1)) ++ ++ entry := unsafe.Slice(block, (uintptr(end)-uintptr(unsafe.Pointer(block)))/size) ++ env = append(env, UTF16ToString(entry)) ++ block = (*uint16)(unsafe.Add(end, size)) + } + return env, nil + } +diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go +index ffb8708ccf8a..6395a031d45d 100644 +--- a/vendor/golang.org/x/sys/windows/syscall_windows.go ++++ b/vendor/golang.org/x/sys/windows/syscall_windows.go +@@ -125,8 +125,7 @@ func UTF16PtrToString(p *uint16) string { + for ptr := unsafe.Pointer(p); *(*uint16)(ptr) != 0; n++ { + ptr = unsafe.Pointer(uintptr(ptr) + unsafe.Sizeof(*p)) + } +- +- return string(utf16.Decode(unsafe.Slice(p, n))) ++ return UTF16ToString(unsafe.Slice(p, n)) + } + + func Getpagesize() int { return 4096 } +diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md +new file mode 100644 +index 000000000000..8e6e9132395d +--- /dev/null ++++ b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md +@@ -0,0 +1,84 @@ ++# v4.0.1 ++ ++## Fixed ++ ++ - An attacker could send a JWE containing compressed data that used large ++ amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`. ++ Those functions now return an error if the decompressed data would exceed ++ 250kB or 10x the compressed size (whichever is larger). Thanks to ++ Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) ++ for reporting. 
++ ++# v4.0.0 ++ ++This release makes some breaking changes in order to more thoroughly ++address the vulnerabilities discussed in [Three New Attacks Against JSON Web ++Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot ++token". ++ ++## Changed ++ ++ - Limit JWT encryption types (exclude password or public key types) (#78) ++ - Enforce minimum length for HMAC keys (#85) ++ - jwt: match any audience in a list, rather than requiring all audiences (#81) ++ - jwt: accept only Compact Serialization (#75) ++ - jws: Add expected algorithms for signatures (#74) ++ - Require specifying expected algorithms for ParseEncrypted, ++ ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, ++ jwt.ParseSignedAndEncrypted (#69, #74) ++ - Usually there is a small, known set of appropriate algorithms for a program ++ to use and it's a mistake to allow unexpected algorithms. For instance the ++ "billion hash attack" relies in part on programs accepting the PBES2 ++ encryption algorithm and doing the necessary work even if they weren't ++ specifically configured to allow PBES2. ++ - Revert "Strip padding off base64 strings" (#82) ++ - The specs require base64url encoding without padding. ++ - Minimum supported Go version is now 1.21 ++ ++## Added ++ ++ - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON. ++ - These allow parsing a specific serialization, as opposed to ParseSigned and ++ ParseEncrypted, which try to automatically detect which serialization was ++ provided. It's common to require a specific serialization for a specific ++ protocol - for instance JWT requires Compact serialization. ++ ++[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf ++ ++# v3.0.3 ++ ++## Fixed ++ ++ - Limit decompression output size to prevent a DoS. Backport from v4.0.1. 
++ ++# v3.0.2 ++ ++## Fixed ++ ++ - DecryptMulti: handle decompression error (#19) ++ ++## Changed ++ ++ - jwe/CompactSerialize: improve performance (#67) ++ - Increase the default number of PBKDF2 iterations to 600k (#48) ++ - Return the proper algorithm for ECDSA keys (#45) ++ ++## Added ++ ++ - Add Thumbprint support for opaque signers (#38) ++ ++# v3.0.1 ++ ++## Fixed ++ ++ - Security issue: an attacker specifying a large "p2c" value can cause ++ JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large ++ amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the ++ disclosure and to Tom Tervoort for originally publishing the category of attack. ++ https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf ++ ++# v2.6.3 ++ ++## Fixed ++ ++ - Limit decompression output size to prevent a DoS. Backport from v4.0.1. +diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/README.md +index 46b02d61d8a9..b877f412c41c 100644 +--- a/vendor/gopkg.in/go-jose/go-jose.v2/README.md ++++ b/vendor/gopkg.in/go-jose/go-jose.v2/README.md +@@ -1,118 +1,4 @@ +-# Go JOSE ++# go-jose v2 + +-[![godoc](http://img.shields.io/badge/godoc-version_1-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v1) +-[![godoc](http://img.shields.io/badge/godoc-version_2-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2) +-[![license](http://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE) +-[![build](https://travis-ci.org/go-jose/go-jose.svg?branch=v2)](https://travis-ci.org/go-jose/go-jose) +-[![coverage](https://coveralls.io/repos/github/go-jose/go-jose/badge.svg?branch=v2)](https://coveralls.io/r/go-jose/go-jose) +- +-Package jose aims to provide an implementation of the Javascript Object Signing +-and Encryption set of standards. 
This includes support for JSON Web Encryption, +-JSON Web Signature, and JSON Web Token standards. +- +-**Disclaimer**: This library contains encryption software that is subject to +-the U.S. Export Administration Regulations. You may not export, re-export, +-transfer or download this code or any part of it in violation of any United +-States law, directive or regulation. In particular this software may not be +-exported or re-exported in any form or on any media to Iran, North Sudan, +-Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any +-US maintained blocked list. +- +-## Overview +- +-The implementation follows the +-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516) (RFC 7516), +-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515) (RFC 7515), and +-[JSON Web Token](http://dx.doi.org/10.17487/RFC7519) (RFC 7519). +-Tables of supported algorithms are shown below. The library supports both +-the compact and full serialization formats, and has optional support for +-multiple recipients. It also comes with a small command-line utility +-([`jose-util`](https://github.com/go-jose/go-jose/tree/v2/jose-util)) +-for dealing with JOSE messages in a shell. +- +-**Note**: We use a forked version of the `encoding/json` package from the Go +-standard library which uses case-sensitive matching for member names (instead +-of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)). +-This is to avoid differences in interpretation of messages between go-jose and +-libraries in other languages. +- +-### Versions +- +-We use [gopkg.in](https://gopkg.in) for versioning. 
+- +-[Version 2](https://gopkg.in/go-jose/go-jose.v2) +-([branch](https://github.com/go-jose/go-jose/tree/v2), +-[doc](https://godoc.org/gopkg.in/go-jose/go-jose.v2)) is the current version: +- +- import "gopkg.in/go-jose/go-jose.v2" +- +-The old `v1` branch ([go-jose.v1](https://gopkg.in/go-jose/go-jose.v1)) will +-still receive backported bug fixes and security fixes, but otherwise +-development is frozen. All new feature development takes place on the `v2` +-branch. Version 2 also contains additional sub-packages such as the +-[jwt](https://godoc.org/gopkg.in/go-jose/go-jose.v2/jwt) implementation +-contributed by [@shaxbee](https://github.com/shaxbee). +- +-### Supported algorithms +- +-See below for a table of supported algorithms. Algorithm identifiers match +-the names in the [JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518) +-standard where possible. The Godoc reference has a list of constants. +- +- Key encryption | Algorithm identifier(s) +- :------------------------- | :------------------------------ +- RSA-PKCS#1v1.5 | RSA1_5 +- RSA-OAEP | RSA-OAEP, RSA-OAEP-256 +- AES key wrap | A128KW, A192KW, A256KW +- AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW +- ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW +- ECDH-ES (direct) | ECDH-ES1 +- Direct encryption | dir1 +- +-1. Not supported in multi-recipient mode +- +- Signing / MAC | Algorithm identifier(s) +- :------------------------- | :------------------------------ +- RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 +- RSASSA-PSS | PS256, PS384, PS512 +- HMAC | HS256, HS384, HS512 +- ECDSA | ES256, ES384, ES512 +- Ed25519 | EdDSA2 +- +-2. 
Only available in version 2 of the package +- +- Content encryption | Algorithm identifier(s) +- :------------------------- | :------------------------------ +- AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 +- AES-GCM | A128GCM, A192GCM, A256GCM +- +- Compression | Algorithm identifiers(s) +- :------------------------- | ------------------------------- +- DEFLATE (RFC 1951) | DEF +- +-### Supported key types +- +-See below for a table of supported key types. These are understood by the +-library, and can be passed to corresponding functions such as `NewEncrypter` or +-`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which +-allows attaching a key id. +- +- Algorithm(s) | Corresponding types +- :------------------------- | ------------------------------- +- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey) +- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey) +- EdDSA1 | [ed25519.PublicKey](https://godoc.org/golang.org/x/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://godoc.org/golang.org/x/crypto/ed25519#PrivateKey) +- AES, HMAC | []byte +- +-1. Only available in version 2 of the package +- +-## Examples +- +-[![godoc](http://img.shields.io/badge/godoc-version_1-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v1) +-[![godoc](http://img.shields.io/badge/godoc-version_2-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2) +- +-Examples can be found in the Godoc +-reference for this package. The +-[`jose-util`](https://github.com/go-jose/go-jose/tree/v2/jose-util) +-subdirectory also contains a small command-line utility which might be useful +-as an example. ++Version 2 of this library is no longer supported. [Please use v4 ++instead](https://pkg.go.dev/github.com/go-jose/go-jose/v4). 
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go +index 3ca79cc26825..43f9ce2fc703 100644 +--- a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go ++++ b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go +@@ -285,6 +285,9 @@ func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm + + switch alg { + case RS256, RS384, RS512: ++ // TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the ++ // random parameter is legacy and ignored, and it can be nil. ++ // https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1 + out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed) + case PS256, PS384, PS512: + out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{ +diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go +index 73aab0fabb16..0ae2e5ebaa74 100644 +--- a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go ++++ b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go +@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { + // Decrypt and validate the object and return the plaintext. Note that this + // function does not support multi-recipient, if you desire multi-recipient + // decryption use DecryptMulti instead. ++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >10x the size of the compressed data, whichever is larger. + func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { + headers := obj.mergedHeaders(nil) + +@@ -470,6 +473,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) + // with support for multiple recipients. It returns the index of the recipient + // for which the decryption was successful, the merged headers for that recipient, + // and the plaintext. 
++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >3x the size of the compressed data, whichever is larger. + func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { + globalHeaders := obj.mergedHeaders(nil) + + +diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go +index 2b8076f5f39d..52c8b62bf4bd 100644 +--- a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go ++++ b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go +@@ -402,6 +402,11 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien + if p2c <= 0 { + return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer") + } ++ if p2c > 1000000 { ++ // An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid ++ // DoS attacks. ++ return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high") ++ } + + // salt is UTF8(Alg) || 0x00 || Salt Input + alg := headers.getAlgorithm() +diff --git a/vendor/modules.txt b/vendor/modules.txt +index c261d9787ff6..d99eb4f52102 100644 +--- a/vendor/modules.txt ++++ b/vendor/modules.txt +@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version + # github.com/containernetworking/plugins v1.3.0 + ## explicit; go 1.20 + github.com/containernetworking/plugins/pkg/ns +-# github.com/containers/buildah v1.33.7 ++# github.com/containers/buildah v1.33.8 + ## explicit; go 1.20 + github.com/containers/buildah + github.com/containers/buildah/bind +@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent + github.com/containers/buildah/pkg/util + github.com/containers/buildah/pkg/volumes + github.com/containers/buildah/util +-# github.com/containers/common v0.57.4 ++# github.com/containers/common v0.57.5 + ## explicit; go 1.18 + github.com/containers/common/internal/attributedstring + github.com/containers/common/libimage +@@ -243,7 +243,7 @@ 
github.com/containers/conmon/runner/config
+ # github.com/containers/gvisor-tap-vsock v0.7.2
+ ## explicit; go 1.20
+ github.com/containers/gvisor-tap-vsock/pkg/types
+-# github.com/containers/image/v5 v5.29.2
++# github.com/containers/image/v5 v5.29.3
+ ## explicit; go 1.19
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+@@ -326,7 +326,7 @@ github.com/containers/libtrust
+ # github.com/containers/luksy v0.0.0-20231030195837-b5a7f79da98b
+ ## explicit; go 1.20
+ github.com/containers/luksy
+-# github.com/containers/ocicrypt v1.1.9
++# github.com/containers/ocicrypt v1.1.10
+ ## explicit; go 1.20
+ github.com/containers/ocicrypt
+ github.com/containers/ocicrypt/blockcipher
+@@ -537,7 +537,7 @@ github.com/gin-gonic/gin/binding
+ github.com/gin-gonic/gin/internal/bytesconv
+ github.com/gin-gonic/gin/internal/json
+ github.com/gin-gonic/gin/render
+-# github.com/go-jose/go-jose/v3 v3.0.1
++# github.com/go-jose/go-jose/v3 v3.0.3
+ ## explicit; go 1.12
+ github.com/go-jose/go-jose/v3
+ github.com/go-jose/go-jose/v3/cipher
+@@ -1128,7 +1128,7 @@ go.opentelemetry.io/otel/trace
+ # golang.org/x/arch v0.5.0
+ ## explicit; go 1.17
+ golang.org/x/arch/x86/x86asm
+-# golang.org/x/crypto v0.18.0
++# golang.org/x/crypto v0.19.0
+ ## explicit; go 1.18
+ golang.org/x/crypto/argon2
+ golang.org/x/crypto/blake2b
+@@ -1192,7 +1192,7 @@ golang.org/x/oauth2/internal
+ ## explicit; go 1.18
+ golang.org/x/sync/errgroup
+ golang.org/x/sync/semaphore
+-# golang.org/x/sys v0.16.0
++# golang.org/x/sys v0.17.0
+ ## explicit; go 1.18
+ golang.org/x/sys/cpu
+ golang.org/x/sys/execabs
+@@ -1201,7 +1201,7 @@ golang.org/x/sys/unix
+ golang.org/x/sys/windows
+ golang.org/x/sys/windows/registry
+ golang.org/x/sys/windows/svc/eventlog
+-# golang.org/x/term v0.16.0
++# golang.org/x/term v0.17.0
+ ## explicit; go 1.18
+ golang.org/x/term
+ # golang.org/x/text v0.14.0
+@@ -1345,7 +1345,7 @@ google.golang.org/protobuf/types/gofeaturespb
+
google.golang.org/protobuf/types/known/anypb + google.golang.org/protobuf/types/known/durationpb + google.golang.org/protobuf/types/known/timestamppb +-# gopkg.in/go-jose/go-jose.v2 v2.6.1 ++# gopkg.in/go-jose/go-jose.v2 v2.6.3 + ## explicit + gopkg.in/go-jose/go-jose.v2 + gopkg.in/go-jose/go-jose.v2/cipher diff --git a/podman.spec b/podman.spec index 4eb1d3e..11e4b1c 100644 --- a/podman.spec +++ b/podman.spec @@ -2,7 +2,7 @@ Name: podman Version: 4.9.4 -Release: 8 +Release: 9 Summary: A tool for managing OCI containers and pods. Epoch: 1 License: Apache-2.0 and MIT @@ -17,6 +17,8 @@ Patch0001: 0001-fix-CVE-2024-28180.patch Patch0002: 0002-fix-CVE-2023-3978.patch Patch0003: 0003-fix-CVE-2023-48795.patch Patch0004: 0004-fix-CVE-2022-3064.patch +Patch0005: 0005-CI-Maintenance-Disable-machine-tests.patch +Patch0006: 0006-Fix-for-CVE-2024-3727.patch BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel @@ -137,7 +139,8 @@ go mod vendor cd - %patch0 -p1 %endif - +%patch0005 -p1 +%patch0006 -p1 %build GO_MD2MAN_PATH="$(pwd)%{_bindir}" @@ -299,6 +302,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ %{_bindir}/%{name}sh %changelog +* Fri Jul 5 2024 zhangxingrong - 1:4.9.4-9 +- Type:Add upstream patches +- ID:NA +- SUG:NA +- DESC: CI-Maintenance-Disable-machine-tests and Fix-for-CVE-2024-3727 + * Tue Apr 30 2024 zhangbowei - 1:4.9.4-8 - Type:bugfix - CVE:NA -- Gitee
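Review bot: The new %changelog entry in podman.spec records a CVE fix but drops the `CVE:` field that the preceding entry carries (`- CVE:NA`), replacing it with `- ID:NA`; since this release exists to apply 0006-Fix-for-CVE-2024-3727.patch, the entry should read `- CVE:CVE-2024-3727` so the fix is discoverable by changelog-based CVE tracking. Separately, `%patch0005 -p1` and `%patch0006 -p1` are inserted after the `%endif` while the existing `%patch0 -p1` sits inside the conditional whose branch runs `go mod vendor`; 0006 rewrites files under `vendor/` and bumps module versions in `vendor/modules.txt` (e.g. `gopkg.in/go-jose/go-jose.v2 v2.6.3`), so if that branch regenerates `vendor/` from an unpatched go.mod the markers will disagree and a `-mod=vendor` build fails with inconsistent vendoring — worth confirming go.mod/go.sum are also updated in the part of 0006 not visible here, or applying the patch before re-vendoring. 0005 only touches `.cirrus.yml`, so it has no effect on the built package and could be noted as such in the changelog DESC line.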
