Bump the container toolkit dependency to fix a high severity CVE in opencontainers/runc module #807
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
shivamerla
commented
Jan 8, 2026
shivamerla
commented
- The nvidia-cdi-hook binary copied from the toolkit image have a high CVE: GHSA-qw9x-cqr3-wc7r
- Import from the latest commit which fixes this issue. This commit is used as a reference to obtain the toolkit image from ghcr
- Fix the script to parse module version with the rc releases
github-project-automation
bot
moved this to Backlog
in Planning Board: k8s-dra-driver-gpu
klueska
reviewed
Jan 9, 2026
hack/toolkit-container-image.sh
Outdated
Comment on lines
50
to
58
| if [[ "${TOOLKIT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-[0-9]{14}-([a-f0-9]{12})$ ]]; then | ||
| TOOLKIT_VERSION_SHA="${BASH_REMATCH[1]}" | ||
| SHORT_SHA="${TOOLKIT_VERSION_SHA:0:8}" | ||
| IMAGE_URL="ghcr.io/nvidia/container-toolkit:${SHORT_SHA}" | ||
| # Handle format vX.Y.Z-rc.A.B.time-commit | ||
| elif [[ "${TOOLKIT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-rc\.[0-9]+\.[0-9]+\.[0-9]{14}-([a-f0-9]{12,40})$ ]]; then | ||
| TOOLKIT_VERSION_SHA="${BASH_REMATCH[1]}" | ||
| SHORT_SHA="${TOOLKIT_VERSION_SHA:0:8}" | ||
| IMAGE_URL="ghcr.io/nvidia/container-toolkit:${SHORT_SHA}" |
Collaborator
There was a problem hiding this comment.
Can these not be combined into a single regex?
Contributor
Author
There was a problem hiding this comment.
Looks like the fix made it into v1.18.x branch, so i am going to bump to that instead which makes this change unnecessary. Will update the PR shortly.
Contributor
Author
There was a problem hiding this comment.
@klueska updated this to be a single regex. PTAL.
shivamerla
force-pushed
the
update_toolkit_deps
branch
from
522fcd4 to
bc1acbe
Compare
Collaborator
|
@elezar has said that 1.18.2 will go out a soon as Monday. Let's wait for that to get the official tag in, rather than a 1-off sha. |
Member
|
v1.18.2 has been released. I have updated the PR. |
elezar
force-pushed
the
update_toolkit_deps
branch
2 times, most recently
from
eaaf162 to
a28cab2
Compare
Contributor
Author
thanks @elezar |
…ty CVE in opencontainers/runc module * The nvidia-cdi-hook binary copied from the toolkit image have a high CVE: GHSA-qw9x-cqr3-wc7r * Import from the latest commit which fixes this issue. This commit is used as a reference to obtain the toolkit image from ghcr * Fix the script to parse module version with the rc releases Signed-off-by: Shiva Krishna, Merla <smerla@nvidia.com> Signed-off-by: Evan Lezar <elezar@nvidia.com>
shivamerla
force-pushed
the
update_toolkit_deps
branch
from
a28cab2 to
8db6b40
Compare
Collaborator
|
#825 landed in the meantime :). I think we can maybe close this one for now. If we ever need to regex proposed here, we can dig it up again. |
Collaborator
|
Yes. |
github-project-automation
bot
moved this from Backlog
to Closed
in Planning Board: k8s-dra-driver-gpu
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.