chore(deps): bump the dependencies group with 7 updates #1081

Merged

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Oct 1, 2024

Bumps the dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| golang.org/x/crypto | 0.26.0 | 0.27.0 |
| golang.org/x/term | 0.23.0 | 0.24.0 |
| golang.org/x/text | 0.17.0 | 0.18.0 |
| github.com/cpuguy83/go-md2man/v2 | 2.0.4 | 2.0.5 |
| github.com/cyphar/filepath-securejoin | 0.3.1 | 0.3.3 |
| golang.org/x/net | 0.28.0 | 0.29.0 |
| golang.org/x/sys | 0.23.0 | 0.25.0 |

Updates golang.org/x/crypto from 0.26.0 to 0.27.0

Commits
  • c9da6b9 all: fix printf(var) mistakes detected by latest printf checker
  • b35ab4f go.mod: update golang.org/x dependencies
  • bcb0f91 internal/poly1305: Port sum_amd64.s to Avo
  • 7eace71 chacha20poly1305: Avo port of chacha20poly1305_amd64.s
  • 620dfbc salsa20/salsa: Port salsa20_amd64.s to Avo
  • 82942cf blake2b: port blake2b_amd64.s to Avo
  • 0484c26 blake2b: port blake2bAVX2_amd64.s to Avo
  • 38ed1bc blake2s: port blake2s_amd64.s to Avo
  • 38a0b5d argon2: Avo port of blamka_amd64.s
  • bf5f14f x509roots/fallback: update bundle
  • Additional commits viewable in compare view

Updates golang.org/x/term from 0.23.0 to 0.24.0

Commits
  • 2f7b0dd go.mod: update golang.org/x dependencies
  • f867b76 x/term: set missing VIRTUAL_TERMINAL_INPUT flag on Windows
  • See full diff in compare view

Updates golang.org/x/text from 0.17.0 to 0.18.0

Commits
  • 1e3e9fd all: rename Example test functions to prevent vet errors
  • See full diff in compare view

Updates github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5

Release notes

Sourced from github.com/cpuguy83/go-md2man/v2's releases.

v2.0.5

What's Changed

New Contributors

Full Changelog: cpuguy83/go-md2man@v2.0.4...v2.0.5

Commits
  • b14773d Merge pull request #120 from cpuguy83/dependabot/github_actions/golangci/gola...
  • 54d2e5c Merge pull request #122 from corhere/fix-multi-paragraph-lists
  • 149c352 Stop over-indenting lists that are not nested
  • f486e72 Support multi-paragraph definition lists
  • 6350b8a Merge pull request #124 from corhere/fix-whatis
  • 4d7d268 Merge pull request #121 from corhere/less-renderer-state
  • 4013a69 Merge pull request #125 from kurth4cker/master
  • 5e88164 Merge pull request #123 from corhere/ast-debug
  • 7607604 md2man.go: rename ioutil to io
  • 426206c Backslash-escape first hyphen in NAME section
  • Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.3.1 to 0.3.3

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.3

This release primarily includes fixes for spurious errors we hit when checking that directories created by MkdirAll "look right". Upon further consideration, these checks were fundamentally buggy and didn't offer any practical protection anyway.

  • The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.
  • The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai [email protected]

v0.3.2

This release includes a few fixes for MkdirAll when dealing with S_ISUID and S_ISGID, to solve a regression runc hit when switching to MkdirAll.

  • Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return an explicit error saying that those bits are ignored by mkdirat(2). In the past a different error was returned, but since the silent ignoring behaviour is codified in the man pages a more explicit error seems apt. While silently ignoring these bits would be the most compatible option, it could lead to users thinking their code sets these bits when it doesn't. Programs that need to deal with compatibility can mask the bits themselves. (#23, #25)

  • If a directory has S_ISGID set, then all child directories will have S_ISGID set when created and a different gid will be used for any inode created under the directory. Previously, the "expected owner and mode" validation in securejoin.MkdirAll did not correctly handle this. We now correctly handle this case. (#24, #25)

Signed-off-by: Aleksa Sarai [email protected]

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.3] - 2024-09-30

Fixed

  • The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.
  • The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

[0.3.2] - 2024-09-13

Changed

  • Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return an explicit error saying that those bits are ignored by mkdirat(2). In the past a different error was returned, but since the silent ignoring behaviour is codified in the man pages a more explicit error seems apt. While silently ignoring these bits would be the most compatible option, it could lead to users thinking their code sets these bits when it doesn't. Programs that need to deal with compatibility can mask the bits themselves. (#23, #25)

Fixed

  • If a directory has S_ISGID set, then all child directories will have S_ISGID set when created and a different gid will be used for any inode created under the directory. Previously, the "expected owner and mode" validation in securejoin.MkdirAll did not correctly handle this. We now correctly handle this case. (#24, #25)

Commits
  • 93cff46 VERSION: release v0.3.3
  • 2b3d97d merge #26 into cyphar/filepath-securejoin:main
  • 09afcf2 OpenInRoot: add CVE link to godoc
  • 5b5a7a4 Add cross-links to godoc
  • daead99 Remove osVFS methods documentation
  • 208ded3 tests: don't panic if the fd is closed
  • 626b5a5 merge #29 into cyphar/filepath-securejoin:main
  • 92b699d mkdir: don't check that the directory is empty
  • 90adf5c mkdir: do not return errors for incorrect directory modes or owners
  • 3bf6419 merge #30 into cyphar/filepath-securejoin:main
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.28.0 to 0.29.0

Commits
  • 35b4aba go.mod: update golang.org/x dependencies
  • 9bf379f websocket: fix printf(var) mistake detected by latest printf checker
  • See full diff in compare view

Updates golang.org/x/sys from 0.23.0 to 0.25.0

Commits
  • a43b625 windows: add SIO_UDP_NETRESET constant
  • ed67b15 windows: add console codepage api
  • 9cb830b unix: add missing import to syscall_hurd.go
  • 71132f5 unix: add POLLRDHUP to FreeBSD
  • 3283fc3 cpu: add support for detecting RISC-V extensions
  • 29e55b2 unix: use os.Executable rather than os.Args[0] in tests
  • a8c5219 unix: rename XDPUmemReg field back to Size
  • 59665e5 unix: add Connectx for darwin
  • a0c72ef unix: add f_flag member flags on z/OS
  • c64c51d unix: update riscv64 hwprobe to Linux kernel 6.10
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.26.0` | `0.27.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.23.0` | `0.24.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.17.0` | `0.18.0` |
| [github.com/cpuguy83/go-md2man/v2](https://github.com/cpuguy83/go-md2man) | `2.0.4` | `2.0.5` |
| [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.3.1` | `0.3.3` |
| [golang.org/x/net](https://github.com/golang/net) | `0.28.0` | `0.29.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.23.0` | `0.25.0` |


Updates `golang.org/x/crypto` from 0.26.0 to 0.27.0
- [Commits](golang/crypto@v0.26.0...v0.27.0)

Updates `golang.org/x/term` from 0.23.0 to 0.24.0
- [Commits](golang/term@v0.23.0...v0.24.0)

Updates `golang.org/x/text` from 0.17.0 to 0.18.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.17.0...v0.18.0)

Updates `github.com/cpuguy83/go-md2man/v2` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/cpuguy83/go-md2man/releases)
- [Commits](cpuguy83/go-md2man@v2.0.4...v2.0.5)

Updates `github.com/cyphar/filepath-securejoin` from 0.3.1 to 0.3.3
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.3.1...v0.3.3)

Updates `golang.org/x/net` from 0.28.0 to 0.29.0
- [Commits](golang/net@v0.28.0...v0.29.0)

Updates `golang.org/x/sys` from 0.23.0 to 0.25.0
- [Commits](golang/sys@v0.23.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/cpuguy83/go-md2man/v2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: golang.org/x/net
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 1, 2024
@dependabot dependabot bot requested a review from EtienneM October 1, 2024 00:41
@github-actions github-actions bot merged commit 0bab230 into master Oct 1, 2024
6 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/dependencies-79f942bc34 branch October 1, 2024 00:42