Conversation

@octo-sts octo-sts bot commented Jan 12, 2026

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-cgrx-mc8f-2prm p:envoy-gateway P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 12, 2026
octo-sts bot commented Jan 12, 2026

🛑 Build Failed: Compilation

undefined: securejoin.OpenInRoot
undefined: securejoin.Reopen

Build Details

Category Details
Build System Go
Failure Point go build command for egctl binary in envoy-gateway-egctl subpackage

Root Cause Analysis 🔍

The containers/storage package is referencing undefined functions from the securejoin package, indicating a version incompatibility or missing dependency between these packages. This is likely caused by a version mismatch where the storage package expects newer securejoin functions that are not available in the current version.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: envoy-gateway.yaml

  • modification (pipeline go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/opencontainers/[email protected]

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/opencontainers/[email protected]
          replaces: |-
            github.com/cyphar/filepath-securejoin=github.com/cyphar/[email protected]

Content:

Add a replaces directive to pin the filepath-securejoin dependency to version 0.5.1, which contains the OpenInRoot and Reopen functions that containers/storage expects.

Analysis

Based on the three similar fixes, there are clear patterns: 1) All cases involved the same undefined functions (securejoin.OpenInRoot and securejoin.Reopen) in containers/storage package, 2) Two fixes (examples #0 and #1) resolved the issue by upgrading from version 1.5.4 to 1.6.0 and removing go/bump steps that were causing dependency conflicts, 3) One fix (example #2) resolved it by adding a specific replace directive for github.com/cyphar/[email protected] in the go/bump step. The current failure is on version 1.6.2, so the version upgrade approach won't work, making the replace directive approach most applicable.

Explanation

The fix works by explicitly pinning the github.com/cyphar/filepath-securejoin dependency to version 0.5.1 using a replace directive in the go/bump step. This addresses the root cause which is a version mismatch where the containers/storage package expects newer securejoin functions (OpenInRoot and Reopen) that are not available in the default version being pulled in. The replace directive forces Go to use the specific v0.5.1 version which contains these required functions. This approach was successfully used in fix example #2 for the same exact error, and since the current package is already on version 1.6.2 (newer than the versions in examples #0 and #1), the replace directive approach is the most appropriate solution.

Alternative Approaches

  • Remove the go/bump step entirely if the selinux dependency update is not critical, similar to how examples #0 and #1 removed their go/bump steps
  • Update the containers/storage dependency to a version that's compatible with the default securejoin version, though this may require more extensive testing
  • Pin both containers/storage and filepath-securejoin to specific compatible versions using multiple replace directives

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 12, 2026
octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-96c2-q9m5-pq2m has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-96c2-q9m5-pq2m
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/envoy-gateway.advisories.yaml

ID:      CGA-96c2-q9m5-pq2m
Package: envoy-gateway
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 08:01:27 UTC
  - "pending-upstream-fix" at 2025-11-12 13:47:00 UTC

@octo-sts octo-sts bot closed this Jan 12, 2026
@aborrero aborrero reopened this Jan 15, 2026
@aborrero aborrero force-pushed the cve-envoy-gateway-1.6.2-r0-c64734377bb242674cc80a1326081df2 branch from daa169e to a48a34f on January 15, 2026 11:34
octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-96c2-q9m5-pq2m has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-96c2-q9m5-pq2m
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/envoy-gateway.advisories.yaml

ID:      CGA-96c2-q9m5-pq2m
Package: envoy-gateway
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Events:
  - "scan/v1" at 2025-11-07 08:01:27 UTC
  - "pending-upstream-fix" at 2025-11-12 13:47:00 UTC

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-69c4-wjrq-f6w2 has the latest event type of "FIXED"

View with: cg adv show CGA-69c4-wjrq-f6w2

ID:      CGA-69c4-wjrq-f6w2
Package: envoy-gateway
Aliases: CVE-2025-52881 GHSA-cgrx-mc8f-2prm GO-2025-4098 CGA-6mg2-mjwq-xq6r
Events:
  - "DETECTION" at 2025-11-07 08:01:27 UTC
  - "FIXED" at 2025-11-07 09:42:00 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-11-12 13:47:00 UTC
  - "FIXED" at 2025-11-16 09:38:00 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026