LOG-9379: Fix CVE-2026-33813 in golang.org/x/image by vparfonov · Pull Request #3266 · openshift/cluster-logging-operator

vparfonov · 2026-05-04T09:35:06Z

Description

Update golang.org/x/image from v0.25.0 to v0.39.0 to fix CVE-2026-33813, which addresses a Denial of Service vulnerability via malformed WEBP image parsing on 32-bit platforms.

Also upgrades Go version to 1.25.7 and updates the Dockerfile to use golang:1.25 as the builder base image.

/cc @Clee2691 @cahartma
/assign @jcantrill

Links

Depending on PR(s): Update Go builder from 1.24 to 1.25 for cluster-logging-operator release 6.5 release#78748
GitHub issue:
JIRA: https://redhat.atlassian.net/browse/LOG-9379
Enhancement proposal:

openshift-ci-robot · 2026-05-04T09:35:11Z

@vparfonov: This pull request references LOG-9379 which is a valid jira issue.

Details

In response to this:

Description

Update golang.org/x/image from v0.25.0 to v0.39.0 to fix CVE-2026-33813, which addresses a Denial of Service vulnerability via malformed WEBP image parsing on 32-bit platforms.

Also upgrades Go version to 1.25.7 and updates the Dockerfile to use golang:1.25 as the builder base image.

/cc @Clee2691 @cahartma
/assign @jcantrill

Links

Depending on PR(s):

GitHub issue:

JIRA: https://redhat.atlassian.net/browse/LOG-9379

Enhancement proposal:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

qodo-code-review · 2026-05-04T09:35:20Z

Review Summary by Qodo

Fix CVE-2026-33813 and upgrade Go dependencies

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Update golang.org/x/image from v0.25.0 to v0.39.0
  - Fixes CVE-2026-33813 DoS vulnerability in WEBP parsing
  - Affects 32-bit platforms
• Upgrade Go version from 1.24 to 1.25.7
• Update multiple golang.org/x dependencies to latest versions
  - golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term,
  golang.org/x/text, golang.org/x/tools
• Promote github.com/pelletier/go-toml from indirect to direct dependency

Diagram

flowchart LR
  A["Go 1.24"] -->|"Upgrade to"| B["Go 1.25.7"]
  C["golang.org/x/image v0.25.0"] -->|"Update to v0.39.0"| D["CVE-2026-33813 Fixed"]
  E["Multiple x/ packages"] -->|"Update versions"| F["Latest stable versions"]
  G["go-toml indirect"] -->|"Promote to"| H["go-toml direct dependency"]
  B --> I["Dockerfile updated"]

File Changes

1. Dockerfile ⚙️ Configuration changes +1/-1

Update Go builder base image version

• Update base image from golang:1.24 to golang:1.25
• Aligns with Go version upgrade in go.mod

Dockerfile

2. go.mod Dependencies +9/-9

Upgrade Go version and dependencies

• Update Go version requirement from 1.24 to 1.25.7
• Add github.com/pelletier/go-toml v1.9.5 as direct dependency
• Update multiple golang.org/x package versions to latest

go.mod

3. go.sum Dependencies +14/-14

Update dependency checksums

• Update checksums for golang.org/x/image v0.39.0 (CVE fix)
• Update checksums for golang.org/x/net, golang.org/x/sync, golang.org/x/sys,
 golang.org/x/term, golang.org/x/text, golang.org/x/tools
• Reflect all dependency version changes from go.mod

go.sum

qodo-code-review · 2026-05-04T09:35:21Z

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Context used

✅ Tickets: [LOG-9379](https://redhat.atlassian.net/browse/LOG-9379)

1. Patch in go directive 🐞 Bug ⚙ Maintainability

Description

The root module encodes the patch version in the go directive (go 1.25.7) instead of using a
toolchain directive, even though another module in this repo uses the go <major.minor> +
toolchain <patch> pattern. This can confuse/fragment toolchain pinning and may break tooling that
expects go to be major.minor while patch pinning lives in toolchain.

Code

go.mod[3]
+go 1.25.7

Evidence
Root go.mod uses a patch version in the go directive, while the repo’s api/observability module
separates language version (go 1.21) from toolchain patch pin (toolchain go1.21.9), indicating
the intended style/pattern within this codebase.
go.mod[1-4]
api/observability/go.mod[1-6]
Best Practice: Go Modules Reference (go.mod directives: go/toolchain)

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The root `go.mod` uses `go 1.25.7`, which mixes patch-level toolchain pinning into the language-version directive.

### Issue Context
This repo already contains another module (`api/observability`) that uses the more standard split: `go <major.minor>` plus a `toolchain go<major.minor.patch>` directive.

### Fix Focus Areas
- go.mod[1-6]
- api/observability/go.mod[1-6]

### Suggested change
- Update root `go.mod` to:
 - `go 1.25`
 - add `toolchain go1.25.7`
- (Optional) confirm the intended toolchain policy across modules (whether `api/observability` should also move forward or remain intentionally pinned).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

2. Floating Go builder tag 🐞 Bug ☼ Reliability

Description

Dockerfile uses golang:1.25 (floating patch tag), while the repo otherwise pins Go to 1.25.7
(go.mod and ART Dockerfile). This can make dev/CI builds non-reproducible and produce binaries built
with different Go patch releases than intended.

Code

Dockerfile[1]
+FROM golang:1.25 AS builder

Evidence

The PR updates the builder image to a floating golang:1.25 tag, but the repo pins the toolchain at
1.25.7 elsewhere (root go.mod and Dockerfile.art), creating inconsistency in what Go patch
version is actually used to build the operator.

Dockerfile[1-2]
go.mod[1-4]
Dockerfile.art[1-4]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The builder image in `Dockerfile` is pinned only to `1.25`, which floats to the latest `1.25.x` over time.

### Issue Context
This repo already pins Go more tightly (e.g., `go.mod` is at 1.25.7 and `Dockerfile.art` uses a 1.25.7 builder), so leaving `Dockerfile` floating can lead to inconsistent builds between local/dev and release/ART.

### Fix Focus Areas
- Dockerfile[1-2]

### Suggested change
- Change:
 - `FROM golang:1.25 AS builder`
- To something patch-pinned (to match the repo’s intended Go toolchain), e.g.:
 - `FROM golang:1.25.7 AS builder`
- If you intentionally want `Dockerfile` to float, document that policy and ensure other pins (like go.mod/toolchain) match that intent.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

vparfonov · 2026-05-04T09:35:48Z

/hold

Fix CVE-2026-33813 in golang.org/x/image by upgrading from v0.25.0 to v0.39.0 and Go from 1.24 to 1.25. This addresses a Denial of Service vulnerability via malformed WEBP image parsing on 32-bit platforms. Refactor Go versioning to follow best practices: - Split go.mod directive: go 1.25 (language version) + toolchain go1.25.7 (patch pinning) - Pin Dockerfile builder image to golang:1.25.7 (matching toolchain, not floating) This ensures consistent builds across local, dev, and release/ART environments. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

coderabbitai · 2026-05-04T11:34:58Z

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7365f9c5-851e-4844-98d8-a2d4ee6e1b70

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

jcantrill · 2026-05-04T12:32:42Z

@@ -1,4 +1,4 @@
-FROM golang:1.24 AS builder
+FROM golang:1.25.7 AS builder


Please verify we do not require a similar change to the Dockerfile.art

Dockerfile.art alredy based on go 1.25.7

cluster-logging-operator/Dockerfile.art

Line 1 in 28a725b

FROM registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.25.7-202602171210.g5015a16.el9 AS builder

jcantrill · 2026-05-04T12:44:48Z

/approve

jcantrill · 2026-05-04T12:45:20Z

This may also require changes to the CI in /release and ART. cc @xperimental

openshift-ci · 2026-05-04T12:46:48Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcantrill, vparfonov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

vparfonov · 2026-05-07T04:46:25Z

/retest

vparfonov · 2026-05-07T04:50:46Z

/retest

openshift-ci · 2026-05-07T09:05:20Z

@vparfonov: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 4, 2026

openshift-ci Bot requested review from Clee2691 and jcantrill May 4, 2026 09:35

openshift-ci Bot added the midstream/Dockerfile A Dockerfile.in sync is needed with midstream label May 4, 2026

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 4, 2026

vparfonov mentioned this pull request May 4, 2026

Update Go builder from 1.24 to 1.25 for cluster-logging-operator release 6.5 openshift/release#78748

Merged

vparfonov force-pushed the log9379 branch from 2aef5c7 to 3892ffb Compare May 4, 2026 11:34

jcantrill reviewed May 4, 2026

View reviewed changes

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026

vparfonov requested a review from jcantrill May 4, 2026 13:51

		@@ -1,4 +1,4 @@
		FROM golang:1.24 AS builder
		FROM golang:1.25.7 AS builder

Conversation

vparfonov commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Links

Uh oh!

openshift-ci-robot commented May 4, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Links

Uh oh!

qodo-code-review Bot commented May 4, 2026

Review Summary by Qodo

Walkthroughs

File Changes

Uh oh!

qodo-code-review Bot commented May 4, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review by Qodo

Uh oh!

vparfonov commented May 4, 2026

Uh oh!

coderabbitai Bot commented May 4, 2026

Review skipped

Uh oh!

jcantrill May 4, 2026

Choose a reason for hiding this comment

Uh oh!

vparfonov May 4, 2026

Choose a reason for hiding this comment

Uh oh!

jcantrill commented May 4, 2026

Uh oh!

jcantrill commented May 4, 2026

Uh oh!

openshift-ci Bot commented May 4, 2026

Uh oh!

vparfonov commented May 7, 2026

Uh oh!

vparfonov commented May 7, 2026

Uh oh!

openshift-ci Bot commented May 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

vparfonov commented May 4, 2026 •

edited

Loading

openshift-ci-robot commented May 4, 2026 •

edited by openshift-ci Bot

Loading

qodo-code-review Bot commented May 4, 2026 •

edited by openshift-ci Bot

Loading