Conversation

@octo-sts octo-sts bot commented Jan 10, 2026


octo-sts bot commented Jan 10, 2026

🛑 Build Failed: Compilation

vendor/go.podman.io/storage/userns.go:334:29: undefined: securejoin.OpenInRoot
vendor/go.podman.io/storage/userns.go:340:20: undefined: securejoin.Reopen

Build Details

Build System: go
Failure Point: go/build step - compilation of vendor/go.podman.io/storage/userns.go

Root Cause Analysis 🔍

Missing or incompatible securejoin package dependency - the OpenInRoot and Reopen functions are undefined, indicating either the securejoin package is not available or is an incompatible version that doesn't expose these functions


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: undock.yaml

  • modification at line 27-30 (pipeline go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/opencontainers/[email protected]

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/opencontainers/[email protected]
          replaces: |-
            github.com/cyphar/filepath-securejoin=github.com/cyphar/filepath-securejoin@v0.5.1

    Content: Add replace directive to pin filepath-securejoin to v0.5.1

Analysis

Looking at the three similar fixes, there's a clear pattern: all failures involve the same undefined functions (securejoin.OpenInRoot and securejoin.Reopen) from the cyphar/filepath-securejoin package. The successful fixes consistently use one of two approaches: 1) Adding a replace directive to pin filepath-securejoin to v0.5.1 (seen in both podman fixes), or 2) Upgrading to a newer upstream version that includes compatible dependencies (seen in the buildah fix). The replace directive approach appears more reliable as it directly addresses the version incompatibility by forcing the use of a known-good version of the securejoin package.


Explanation

The fix works by adding a replace directive that forces the Go module system to use a specific version (v0.5.1) of the cyphar/filepath-securejoin package, which is known to contain the OpenInRoot and Reopen functions that the code is trying to use. This approach directly addresses the root cause of the compilation error - the vendored code expects these functions to exist, but the current version of the securejoin package in the dependency tree doesn't provide them. The replace directive overrides the normal dependency resolution and ensures the compatible version is used. This is the same solution that successfully fixed the identical error in the podman package twice, making it a proven approach for this specific issue.


Alternative Approaches

  • Upgrade the undock package to a newer version that might have updated its dependencies to be compatible with the newer securejoin package
  • Patch the undock source code to use different functions or handle the missing functions gracefully
  • Add additional dependency pins in the go/bump step to ensure all related packages are at compatible versions

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 10, 2026
@Dentrax

Dentrax commented Jan 11, 2026

We have an advisory for this and can confirm we are not able to mitigate at this point:

CVE-2025-52881 is resolved in version v1.13.0 of the dependency github.com/opencontainers/selinux. However, that version of the dependency depends on v0.6.0 of github.com/cyphar/filepath-securejoin, which introduced breaking changes (the removal of some deprecated functions). undock also depends on github.com/containers/storage, the latest version of which still relies on some of the removed functions. It's not possible to bump selinux to remediate this CVE until the storage dependency is compatible with the latest version of filepath-securejoin.
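The `replaces:` line the bot suggests for the go/bump step is the melange equivalent of a `replace` directive in go.mod, and the bot's explanation and the comment above together show why such a pin deserves a check: the replace satisfies the compiler, but selinux v1.13.0 requires securejoin v0.6.0, so the version actually linked (v0.5.1) sits below what the fixed release expects. The Python below is an added example, not code from undock, melange or the bot. It parses a constructed go.mod containing the module paths and versions named in this thread, applies replace directives the way `go build` does (a version-specific replace wins over a wildcard one), and reports the required versus effective version of a module together with whether the effective version meets a given floor. The go.mod itself, the `example.com/undock-build` module name and all function names are constructed for the example; only the module paths and versions come from the thread.

```python
"""Resolve the effective version of a Go module from go.mod, honouring replace directives.

Added example (not undock's, melange's or the bot's code). The go.mod below is constructed;
the module paths and versions are the ones named in the thread.
"""
from dataclasses import dataclass, field

# Constructed go.mod: the `replaces:` line suggested for the go/bump step is equivalent to
# the final `replace` directive here.
SAMPLE_GOMOD = """\
module example.com/undock-build

go 1.22

require (
	github.com/opencontainers/selinux v1.13.0
	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
)

// Pin filepath-securejoin back to v0.5.1 so the vendored callers still compile.
replace github.com/cyphar/filepath-securejoin => github.com/cyphar/filepath-securejoin v0.5.1
"""


@dataclass
class GoMod:
    require: dict = field(default_factory=dict)  # module path -> required version
    replace: dict = field(default_factory=dict)  # (path, version|None) -> (new path, new version|None)


def _add(mod, directive, tokens):
    """Record one require/replace entry; other directives (module, go, exclude, ...) are ignored."""
    if directive == "require" and len(tokens) >= 2:
        mod.require[tokens[0]] = tokens[1]
    elif directive == "replace" and "=>" in tokens:
        arrow = tokens.index("=>")
        old, new = tokens[:arrow], tokens[arrow + 1:]
        old_key = (old[0], old[1] if len(old) > 1 else None)  # None: applies to every version
        new_val = (new[0], new[1] if len(new) > 1 else None)  # None: replacement is a local directory
        mod.replace[old_key] = new_val


def parse_gomod(text):
    """Minimal go.mod reader: single-line directives and parenthesised blocks, comments stripped."""
    mod = GoMod()
    block = None  # directive name while inside "name ( ... )"
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if not line:
            continue
        if block is not None:
            if line == ")":
                block = None
            else:
                _add(mod, block, line.split())
            continue
        tokens = line.split()
        if len(tokens) == 2 and tokens[1] == "(":
            block = tokens[0]
        else:
            _add(mod, tokens[0], tokens[1:])
    return mod


def effective_version(mod, path):
    """What `go build` actually links: a version-specific replace beats a wildcard one."""
    required = mod.require.get(path)
    for key in ((path, required), (path, None)):
        if key in mod.replace:
            return mod.replace[key]
    return path, required


def version_tuple(version):
    """'v1.13.0' -> (1, 13, 0). Pre-release and build suffixes are ignored, so v1.0.0-rc1
    compares equal to v1.0.0; good enough for a floor check, not full semver ordering."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def at_least(version, minimum):
    return version_tuple(version) >= version_tuple(minimum)


def audit(text, path, minimum):
    """Report required vs. effective version of `path` and whether the effective one is >= `minimum`."""
    mod = parse_gomod(text)
    required = mod.require.get(path)
    eff_path, eff_version = effective_version(mod, path)
    same_module = eff_path == path and eff_version is not None  # a fork or local dir is not comparable
    return {
        "required": required,
        "effective_path": eff_path,
        "effective_version": eff_version,
        "replaced": (eff_path, eff_version) != (path, required),
        "meets_minimum": same_module and at_least(eff_version, minimum),
    }


if __name__ == "__main__":
    # Thread facts used as inputs: selinux v1.13.0 fixes the CVE and depends on securejoin v0.6.0.
    for path, minimum in (("github.com/opencontainers/selinux", "v1.13.0"),
                          ("github.com/cyphar/filepath-securejoin", "v0.6.0")):
        print(path, audit(SAMPLE_GOMOD, path, minimum))
```

The `meets_minimum` flag is the check worth automating when a replace directive is used to unblock a build: it makes the downgrade visible in CI output instead of letting a green build hide the fact that the pinned module is older than what the fixed dependency was released against.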

@Dentrax Dentrax closed this Jan 11, 2026
@Dentrax Dentrax self-assigned this Jan 11, 2026
@aborrero aborrero reopened this Jan 15, 2026
@octo-sts

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v4gx-5w7w-pqgp has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-v4gx-5w7w-pqgp
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/undock.advisories.yaml

ID:      CGA-v4gx-5w7w-pqgp
Package: undock
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 08:51:22 UTC
  - "pending-upstream-fix" at 2025-11-13 12:55:20 UTC

@octo-sts

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-43vh-3w7c-3gxq has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-43vh-3w7c-3gxq

ID:      CGA-43vh-3w7c-3gxq
Package: undock
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm GO-2025-4098 CGA-6mg2-mjwq-xq6r
Events:
  - "DETECTION" at 2025-11-07 08:51:22 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-11-13 12:55:20 UTC
  - "PENDING_UPSTREAM_FIX" at 2026-01-15 11:46:26 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026