Bug 2375610 - inspektor-gadget: mapstructure May Leak Sensitive Information [fedora-41]
Summary: inspektor-gadget: mapstructure May Leak Sensitive Information [fedora-41]
Keywords:
Status: CLOSED COMPLETED
Alias: None
Product: Fedora
Classification: Fedora
Component: inspektor-gadget
Version: 41
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Kyle Gospodnetich
QA Contact:
URL:
Whiteboard: {"flaws": ["5f70f277-9842-4277-a0b6-f...
Duplicates: 2384145 2390850 2390871 2399700 2399718
Depends On:
Blocks: GHSA-fv92-fjc5-jj9h GHSA-2464-8j7c-4cjm CVE-2025-11065, GO-2025-3900 GO-2025-3787
 
Reported: 2025-06-30 17:22 UTC by Jon Moroney
Modified: 2025-10-06 12:12 UTC
CC: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-07-04 04:16:56 UTC
Type: ---
Embargoed:



Description Jon Moroney 2025-06-30 17:22:22 UTC
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2375247

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 flaniel+fedora 2025-07-01 08:04:04 UTC
I fixed this upstream:
https://github.com/inspektor-gadget/inspektor-gadget/commit/a1c63e607b9a20b621bdb9741aa042a83d90ca45
And I have the following patch ready for rawhide, f42 and f41:

```
commit c620647ad9bee27398e7fe704ff7bb08b07f1b2a (HEAD -> f41)
Author: Francis Laniel <flaniel.com>
Date:   Tue Jul 1 14:46:39 2025 +0700

    inspektor-gadget: Bump github.com/go-viper/mapstructure/v2 to v2.3.0.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2375610
    Signed-off-by: Francis Laniel <flaniel.com>

diff --git a/README.md b/README.md
index 795913d..9d43dfa 100644
--- a/README.md
+++ b/README.md
@@ -155,3 +155,37 @@ $ fedpkg update --type enhancement --notes "Update to v0.38.0"
 
 Congratulations! You successfully bumped Inspektor Gadget Fedora package!
+
+## Handling CVE in dependencies
+
+In case there is a CVE in dependency which was fixed upstream, we need to update the vendor archive.
+Hopefully, [`go_vendor_archive`](https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#security-updates) already handles this.
+Let's take the real example of `github.com/go-viper/mapstructure/v2`:
+
+```bash
+$ go_vendor_archive override --config go-vendor-tools.toml github.com/go-viper/mapstructure/v2 v2.3.0
+# go-vendor-tools was updated to use v2.3.0 instead:
+$ git diff
+diff --git a/go-vendor-tools.toml b/go-vendor-tools.toml
+index bc94737..05214fb 100644
+--- a/go-vendor-tools.toml
++++ b/go-vendor-tools.toml
+@@ -1,5 +1,7 @@
+ [archive]
+
++[archive.dependency_overrides]
++"github.com/go-viper/mapstructure/v2" = "v2.3.0"
+ [[licensing.licenses]]
+ path = "LICENSE-bpf.txt"
+ sha256sum = "7a83d7bd42c0c13bb77d9b4e76a08d3aa8b0ca71189573ddc8bb1d06d094abf0"
+# Now, let's create the archive with this version of the dependency:
+$ go_vendor_archive create --config go-vendor-tools.toml inspektor-gadget.spec
+...
+$ go get github.com/go-viper/mapstructure/v2.0
+go: upgraded github.com/go-viper/mapstructure/v2 v2.2.1 => v2.3.0
+$ go mod tidy
+$ go mod vendor
+Creating archive...
+```
+
+The archive was updated, you can now continue by uploading it with `fedpkg new-sources` and continue as usual.
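Review bot: the `$ go get github.com/go-viper/mapstructure/v2.0` line in the new README example does not match the module path used everywhere else in this hunk (`github.com/go-viper/mapstructure/v2`) nor the `v2.3.0` that the following `go: upgraded ... => v2.3.0` line reports; if it is a command the reader is meant to type it should read `go get github.com/go-viper/mapstructure/v2@v2.3.0`, and if it is output of `go_vendor_archive create` (it sits between `...` and `Creating archive...`) it should be marked as output so nobody retypes it. Minor grammar in the intro: "In case there is a CVE in a dependency that was fixed upstream".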
diff --git a/go-vendor-tools.toml b/go-vendor-tools.toml
index bc94737..05214fb 100644
--- a/go-vendor-tools.toml
+++ b/go-vendor-tools.toml
@@ -1,5 +1,7 @@
 [archive]
 
+[archive.dependency_overrides]
+"github.com/go-viper/mapstructure/v2" = "v2.3.0"
 [[licensing.licenses]]
 path = "LICENSE-bpf.txt"
 sha256sum = "7a83d7bd42c0c13bb77d9b4e76a08d3aa8b0ca71189573ddc8bb1d06d094abf0"
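Review bot: the `[archive.dependency_overrides]` entry pins mapstructure to v2.3.0 regardless of what upstream go.mod asks for, so it needs to be removed again once the package is rebased onto a release containing the upstream fix (commit a1c63e6 linked above); otherwise the pin silently holds v2.3.0 across future bumps. A one-line TOML comment above it naming this bug and that condition would help the next maintainer, and a blank line before `[[licensing.licenses]]` would keep the tables visually separate.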
diff --git a/sources b/sources
index 345b33c..0cc0436 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (inspektor-gadget-0.39.0.tar.gz) = 6979fe327fb1de2cc0aa973424cfbf9bfc9169ee52e59f95560eba0ffc1b2d7c2a3013a9a7cf9cedd1e95ea14a60c74240c501ac95b32deeba565a73b7c680c4
-SHA512 (inspektor-gadget-0.39.0-vendor.tar.xz) = bb559834f09793e5fb40fb76fc29fcb80146385f76c2bac50ad0425c06f3631a47317dc7951bc6090bb3a43b7455f05d49c691d32c71c43aa2fda5eb993b994d
+SHA512 (inspektor-gadget-0.39.0-vendor.tar.xz) = b4bcb68e7efb0d98db1f2766dca7ec4cf4464ecbea312c154bcb3f455460a45863c92b69193f106d822bd8356f2b19aebe9bf6000a35140b59082748fe0646d9
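Review bot: only the vendor archive hash changes while `inspektor-gadget-0.39.0.tar.gz` stays the same, which is consistent with a vendor-only dependency bump; before running `fedpkg new-sources`, confirm the rebuilt archive really carries the fixed version (its `vendor/modules.txt` should list `github.com/go-viper/mapstructure/v2 v2.3.0`), and since neither the spec nor a changelog entry appear in this diff, make sure Release is bumped unless the spec uses `%autorelease`/`%autochangelog`, so the new build does not collide with the previous 0.39.0 NVR.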
```

For now, I cannot push the changes because I get a 500 due to the following outage:
https://status.fedoraproject.org/
But I will continue proceeding once everything is resolved there.

Comment 2 flaniel+fedora 2025-07-04 04:16:56 UTC
Closing now: as the infrastructure move finished, I was able to push the commit and trigger the build:
https://src.fedoraproject.org/rpms/inspektor-gadget/c/c620647ad9bee27398e7fe704ff7bb08b07f1b2a?branch=f41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2740973

Comment 3 flaniel+fedora 2025-10-06 12:09:58 UTC
*** Bug 2399718 has been marked as a duplicate of this bug. ***

Comment 4 flaniel+fedora 2025-10-06 12:10:28 UTC
*** Bug 2399700 has been marked as a duplicate of this bug. ***

Comment 5 flaniel+fedora 2025-10-06 12:11:35 UTC
*** Bug 2390850 has been marked as a duplicate of this bug. ***

Comment 6 flaniel+fedora 2025-10-06 12:12:19 UTC
*** Bug 2384145 has been marked as a duplicate of this bug. ***

Comment 7 flaniel+fedora 2025-10-06 12:12:34 UTC
*** Bug 2390871 has been marked as a duplicate of this bug. ***

