skopeo/1.21.0-r1: cve remediation

[octo-sts]

skopeo/1.21.0-r1: fix GHSA-cgrx-mc8f-2prm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/skopeo.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

Inspected git repositories: https://github.com/containers/[email protected]

[octo-sts]

🛑 Build Failed: Compilation

vendor/go.podman.io/storage/userns.go:334:29: undefined: securejoin.OpenInRoot
vendor/go.podman.io/storage/userns.go:340:20: undefined: securejoin.Reopen

Build Details

Category	Details
Build System	go
Failure Point	go/build step during compilation of vendor/go.podman.io/storage/userns.go

Root Cause Analysis 🔍

The compilation failed because the securejoin package is missing the OpenInRoot and Reopen functions that are being referenced in the userns.go file. This appears to be a dependency version mismatch where the vendored storage library expects newer functions from securejoin that are not available in the current version, likely caused by the go/bump step updating dependencies to incompatible versions.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• buildah/1.42.1 package update #71753
• podman fix cve: GHSA-cgrx-mc8f-2prm #71327
• podman fix cve: GHSA-cgrx-mc8f-2prm #71327

Suggested Changes

File: skopeo.yaml

• modification at line 20-24 (pipeline go/bump step)
  Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/[email protected]
        github.com/opencontainers/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/[email protected]
        github.com/opencontainers/[email protected]
      replaces: |-
        github.com/cyphar/filepath-securejoin=github.com/cyphar/[email protected]

Content:

Add replaces directive to pin filepath-securejoin to version 0.5.1 which contains the required OpenInRoot and Reopen functions

Click to expand fix analysis

Analysis

Looking at the three similar fixes, there's a clear pattern: all failures involve the same undefined functions (securejoin.OpenInRoot and securejoin.Reopen) in container storage libraries. The consistent solution across fixes #1 and #2 is to add a specific replace directive for github.com/cyphar/[email protected] in the go/bump step. Fix #0 took a different approach by updating to a newer version and removing the go/bump step entirely, but the replace directive approach appears more targeted and safer.

Click to expand fix explanation

Explanation

The fix works by explicitly pinning the github.com/cyphar/filepath-securejoin dependency to version 0.5.1, which contains the OpenInRoot and Reopen functions that the vendored storage code expects. When go/bump updates dependencies, it can sometimes pull in incompatible versions where newer storage libraries expect functions that don't exist in older securejoin versions, or vice versa. The replace directive forces Go to use the specific compatible version (0.5.1) regardless of what version the dependency resolution would normally select. This approach has been proven effective in the similar podman fixes and directly addresses the root cause of the undefined function compilation errors.

Click to expand alternative approaches

Alternative Approaches

• Update to a newer skopeo version that has compatible vendored dependencies (similar to fix #0 with buildah)
• Remove the go/bump step entirely and rely on the vendored dependencies from the upstream release
• Add github.com/cyphar/[email protected] as an explicit dependency instead of using replace directive

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[octo-sts]

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-whvh-xw6j-cp2v has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-whvh-xw6j-cp2v
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/skopeo.advisories.yaml

ID:      CGA-whvh-xw6j-cp2v
Package: skopeo
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 12:24:57 UTC
  - "pending-upstream-fix" at 2025-11-07 16:13:12 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-xgf8-j9pr-8gh6, CGA-8v8q-7q24-2w5h).

[octo-sts]

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-whvh-xw6j-cp2v has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-whvh-xw6j-cp2v
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/skopeo.advisories.yaml

ID:      CGA-whvh-xw6j-cp2v
Package: skopeo
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 12:24:57 UTC
  - "pending-upstream-fix" at 2025-11-07 16:13:12 UTC

[octo-sts]

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-g33r-9mh5-g9jh has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-g33r-9mh5-g9jh

ID:      CGA-g33r-9mh5-g9jh
Package: skopeo
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm GO-2025-4098 CGA-6mg2-mjwq-xq6r
Events:
  - "DETECTION" at 2025-11-07 09:46:34 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-11-07 16:13:12 UTC