Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2023-47108] Compatibility with go.opentelemetry.io/otel v1.20.0 #16926

Closed
roger2hk opened this issue Nov 12, 2023 · 13 comments
Closed

[CVE-2023-47108] Compatibility with go.opentelemetry.io/otel v1.20.0 #16926

roger2hk opened this issue Nov 12, 2023 · 13 comments
Labels
area/security dependencies Pull requests that update a dependency file

Comments

@roger2hk
Copy link

roger2hk commented Nov 12, 2023
edited
Loading

What happened?

To fix CVE-2023-47108, go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc needs to be bumped to 0.46.0. However, changes in etcd are required to upgrade to go.opentelemetry.io/otel v1.20.0.

Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/provider.go:90:30: cannot use &TracerProvider{} (value of type *TracerProvider) as "go.opentelemetry.io/otel/trace".TracerProvider value in variable declaration: *TracerProvider does not implement "go.opentelemetry.io/otel/trace".TracerProvider (missing method tracerProvider)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:161:23: cannot use (*recordingSpan)(nil) (value of type *recordingSpan) as ReadWriteSpan value in variable declaration: *recordingSpan does not implement ReadWriteSpan (missing method span)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:780:20: cannot use nonRecordingSpan{} (value of type nonRecordingSpan) as "go.opentelemetry.io/otel/trace".Span value in variable declaration: nonRecordingSpan does not implement "go.opentelemetry.io/otel/trace".Span (missing method span)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/tracer.go:30:22: cannot use &tracer{} (value of type *tracer) as "go.opentelemetry.io/otel/trace".Tracer value in variable declaration: *tracer does not implement "go.opentelemetry.io/otel/trace".Tracer (missing method tracer)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/provider.go:170:10: cannot use t (variable of type *tracer) as "go.opentelemetry.io/otel/trace".Tracer value in return statement: *tracer does not implement "go.opentelemetry.io/otel/trace".Tracer (missing method tracer)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:692:9: cannot use s.tracer.provider (variable of type *TracerProvider) as "go.opentelemetry.io/otel/trace".TracerProvider value in return statement: *TracerProvider does not implement "go.opentelemetry.io/otel/trace".TracerProvider (missing method tracerProvider)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/span.go:811:74: cannot use s.tracer.provider (variable of type *TracerProvider) as "go.opentelemetry.io/otel/trace".TracerProvider value in return statement: *TracerProvider does not implement "go.opentelemetry.io/otel/trace".TracerProvider (missing method tracerProvider)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/tracer.go:47:21: impossible type assertion: p.(*recordingSpan)
	*recordingSpan does not implement "go.opentelemetry.io/otel/trace".Span (missing method span)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/tracer.go:117:10: cannot use tr.newNonRecordingSpan(sc) (value of type nonRecordingSpan) as "go.opentelemetry.io/otel/trace".Span value in return statement: nonRecordingSpan does not implement "go.opentelemetry.io/otel/trace".Span (missing method span)
Error: /home/runner/go/pkg/mod/go.opentelemetry.io/otel/[email protected]/trace/tracer.go:119:9: cannot use tr.newRecordingSpan(psc, sc, name, samplingResult, config) (value of type *recordingSpan) as "go.opentelemetry.io/otel/trace".Span value in return statement: *recordingSpan does not implement "go.opentelemetry.io/otel/trace".Span (missing method span)
Error: /home/runner/go/pkg/mod/go.etcd.io/etcd/server/[email protected]/embed/config_tracing.go:64:4: cannot use tracesdk.NewTracerProvider(tracesdk.WithBatcher(exporter), tracesdk.WithResource(res), tracesdk.WithSampler(tracesdk.ParentBased(tracesdk.NeverSample()))) (value of type *"go.opentelemetry.io/otel/sdk/trace".TracerProvider) as "go.opentelemetry.io/otel/trace".TracerProvider value in argument to otelgrpc.WithTracerProvider: *"go.opentelemetry.io/otel/sdk/trace".TracerProvider does not implement "go.opentelemetry.io/otel/trace".TracerProvider (missing method tracerProvider)

What did you expect to happen?

I expected to bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0 in other repositories, which has a dependency on etcd, without any issue.

How can we reproduce it (as minimally and precisely as possible)?

Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0

Anything else we need to know?

There are breaking changes for TracerProvider.
https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.20.0

Etcd version (please run commands below)

etcd/server/go.mod

Lines 32 to 35 in 4d8eefb

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0
go.opentelemetry.io/otel v1.19.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0
go.opentelemetry.io/otel/sdk v1.19.0

This was referenced Nov 12, 2023
Closed
Closed
@ahrtr
Copy link
Member

ahrtr commented Nov 13, 2023

Thanks for reporting this issue.

@sharathsivakumar, I noticed you are handling dependency management for this week. Could you take this as a high priority task? Thank you!

@ahrtr ahrtr added area/security dependencies Pull requests that update a dependency file and removed type/bug labels Nov 13, 2023
@sharathsivakumar
Copy link
Contributor

@ahrtr Definetly. looking into this now!

@sharathsivakumar sharathsivakumar mentioned this issue Nov 13, 2023
Merged
@ahrtr
Copy link
Member

ahrtr commented Nov 13, 2023

The fix needs to be backported to 3.5 and 3.4. Please update the changelog for 3.4 and 3.5 as well afterwards, thanks.

@ahrtr
Copy link
Member

ahrtr commented Nov 15, 2023

@sharathsivakumar any update on this? Please let me know if you need any assistance or you need someone else to take over? We always need to take any CVE as high priority task. Thanks.

@sharathsivakumar
Copy link
Contributor

@ahrtr On it. I was testing a few things if it broke anything in 3.5. I will be creating the PRs for the backports within the next 2 hours. Hope that's fine.

@ahrtr
Copy link
Member

ahrtr commented Nov 15, 2023

@sharathsivakumar Thanks.

@sharathsivakumar sharathsivakumar mentioned this issue Nov 15, 2023
Merged
@sharathsivakumar
Copy link
Contributor

@ahrtr Here is the PR for backporting to 3.5 #16946
I think some tests will fail, I am keeping a tab on it and will get it fixed!

@sharathsivakumar
Copy link
Contributor

@ahrtr I checked with the release-3.4 source code and looks like it does not use the go packages go.opentelemetry.io/otel v1.20.0 and go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 packages. So I think 3.4 will not need a back fix. Is this correct?

@ahrtr
Copy link
Member

ahrtr commented Nov 15, 2023

So I think 3.4 will not need a back fix. Is this correct?

YES, the opentelemetry was only introduced in 3.5 (included) onwards. Thanks.

@ahrtr ahrtr mentioned this issue Nov 16, 2023
Merged
@ahrtr
Copy link
Member

ahrtr commented Nov 16, 2023

All done

@ahrtr ahrtr closed this as completed Nov 16, 2023
@ahrtr
Copy link
Member

ahrtr commented Nov 16, 2023

thx both @roger2hk and @sharathsivakumar

@Includeoyasi
Copy link

Hello, I got same errors with version 1.20.0 today
Снимок экрана 2023-12-06 в 15 49 35

@roger2hk
Copy link
Author

roger2hk commented Dec 6, 2023

Hello, I got same errors with version 1.20.0 today
Снимок экрана 2023-12-06 в 15 49 35

The problem will go away when the v3.5.11 is released.

#16960

@jimmy03190 jimmy03190 mentioned this issue Jan 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security dependencies Pull requests that update a dependency file
Milestone
No milestone
Development

No branches or pull requests
4 participants
@roger2hk @Includeoyasi @ahrtr @sharathsivakumar