From c1eea91a01ac16cfc6ba96024fea08f8606882ce Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 14:48:27 +0000
Subject: fix(deps): update common, image, and storage deps

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.../github.com/containers/storage/pkg/archive/archive.go | 4 ++++
.../containers/storage/pkg/chunked/cache_linux.go | 16 ++++++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)
(limited to 'vendor/github.com/containers/storage/pkg')
diff --git a/vendor/github.com/containers/storage/pkg/archive/archive.go b/vendor/github.com/containers/storage/pkg/archive/archive.go
index 05d257118..85c91690d 100644
--- a/vendor/github.com/containers/storage/pkg/archive/archive.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive.go
@@ -534,6 +534,10 @@ func (ta *tarAppender) addTarFile(path, name string) error {
if ta.ChownOpts != nil {
hdr.Uid = ta.ChownOpts.UID
hdr.Gid = ta.ChownOpts.GID
+ // Don’t expose the user names from the local system; they probably don’t match the ta.ChownOpts value anyway,
+ // and they unnecessarily give recipients of the tar file potentially private data.
+ hdr.Uname = ""
+ hdr.Gname = ""
}

maybeTruncateHeaderModTime(hdr)
diff --git a/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go b/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go
index 5d4befc23..aa4f57e6f 100644
--- a/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go
+++ b/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go
@@ -578,7 +578,10 @@ func unmarshalToc(manifest []byte) (*internal.TOC, error) {
return byteSliceAsString(buf.Bytes()[from:to])
}
- iter = jsoniter.ParseBytes(jsoniter.ConfigFastest, manifest)
+ pool := iter.Pool()
+ pool.ReturnIterator(iter)
+ iter = pool.BorrowIterator(manifest)
+
for field := iter.ReadObject(); field != ""; field = iter.ReadObject() {
if strings.ToLower(field) == "version" {
toc.Version = iter.ReadInt()
@@ -657,8 +660,17 @@ func unmarshalToc(manifest []byte) (*internal.TOC, error) {
}
toc.Entries = append(toc.Entries, m)
}
- break
}
+
+ // validate there is no extra data in the provided input. This is a security measure to avoid
+ // that the digest we calculate for the TOC refers to the entire document.
+ if iter.Error != nil && iter.Error != io.EOF {
+ return nil, iter.Error
+ }
+ if iter.WhatIsNext() != jsoniter.InvalidValue || !errors.Is(iter.Error, io.EOF) {
+ return nil, fmt.Errorf("unexpected data after manifest")
+ }
+
toc.StringsBuf = buf
return &toc, nil
}
-- cgit v1.2.3-70-g09d2