vcunat
commented
1 year ago Knot Resolver is unable to use Lua. It's only compatible with LuaJIT.
Closed barry-fitzgerald closed 11 months ago
vcunat
commented
1 year ago Knot Resolver is unable to use Lua. It's only compatible with LuaJIT.
barry-fitzgerald
commented
1 year ago Knot Resolver is unable to use Lua. It's only compatible with LuaJIT.
As part of the build Lua5.1 gets installed... see output from docker build logs
Step 2/23 : RUN apk add --no-cache knot-resolver=5.7.0-r1 knot-resolver-mod-http=5.7.0-r1
---> [Warning] The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
---> Running in b503aaeb882a
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/34) Installing dnssec-root (20190225-r2)
(2/34) Installing lua5.1-libs (5.1.5-r13)
(3/34) Installing lua5.1 (5.1.5-r13)
(4/34) Installing lua5.1-cqueues (20200726-r5)
(5/34) Installing lua-binaryheap (0.4-r0)
(6/34) Installing lua5.1-basexx (0.4.1-r2)
(7/34) Installing lua5.1-fifo (0.2-r2)
(8/34) Installing lua5.1-lpeg (1.0.2-r3)
(9/34) Installing lua5.1-lpeg_patterns (0.5-r2)
(10/34) Installing lua5.1-ossl (20220711-r1)
(11/34) Installing lua5.1-compat53 (0.10-r1)
(12/34) Installing lua5.1-bit32 (5.3.0-r5)
(13/34) Installing lua5.1-http (0.4-r1)
(14/34) Installing libcap-ng (0.8.3-r4)
Such spurious dependencies would be bugs in Alpine packaging. We do not maintain packages for Alpine.
vcunat
commented
1 year ago /cc @jirutka I guess.
barry-fitzgerald
commented
1 year ago Such spurious dependencies would be bugs in Alpine packaging. We do not maintain packages for Alpine.
OK what would the recommandation be for installing knot-resolver 5.X on an alpine base image to counteract the flagged vulnerabilities?
vcunat
commented
1 year ago I can't help much with Alpine stuff, but perhaps Jirutka will. Looking at your screenshot, what might be more relevant, if you use the http module in resolver:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4540
EDIT: though using that module for DoH has been deprecated for years and webmgmt has always been meant just for trusted users.
Generally I'd expect that distros want to resolve those CVEs anyway (e.g. by patching them), so the question of spurious dependencies will be secondary. Though I thought that Alpine in particular is trying hard for small size...
barry-fitzgerald
commented
1 year ago @vcunat thank you for your inputs,
I will wait to see what @jirutka has to say RE: alpine đź‘Ť
barry-fitzgerald
commented
1 year ago Hi @jirutka any opinion on this?
jirutka
commented
1 year ago In knot-resolver 4.x, lua5.1-http was an optional dependency required only by the http module, which I split into a subpackage knot-resolver-mod-http. This changed in 5.x, where lua-http is (was?) also required for the core (I don’t remember the details), so I added the lua-http dependency to the main package as well. How is it now, which modules require lua-http?
lua5.1 is installed as a transitive dependency of lua5.1-* packages. This is because LuaJIT has an ABI compatible with Lua 5.1, so we treat them as interchangeable, but there’s no lua5.1 provider (meta-package), so all lua5.1-* packages depend directly on lua5.1. And there’s also lua5.2, lua5.3 and lua5.4 (they are not fully compatible)… It’s not optimal. I’ll think about how to improve it.
Anyway, knot-resolver doesn’t use lua5.1 (PUC Lua 5.1) at all, i.e. it won’t be executed in the container.
vcunat
commented
1 year ago lua-http is not really required to use Knot Resolver in any version, but it often became a default packaging dependency. prefill module might be the most popular user, or prometheus stats.
jirutka
commented
1 year ago I’ve backported an upstream patch for CVE-2023-4540 into lua-http in Edge, v3.18 and v3.17.
vcunat
commented
11 months ago I see nothing actionable on Knot Resolver side at least.
When carrying out a blackduck scan using knot resolver 5.7. Our Image was flagged with High Security
Docker image below....
The issue seems to be removed in Lua5.4 but this has compatibility issues with knot-resolver 5.7. Wondering what is the recommendation here?
Will knot 5.X versions will incorporate the latest Lua5.4 changes soon?
Description from the Scan
CVE-2022-28805 Lua is vulnerable to denial-of-service (DoS) and information disclosure issues due to a missing
luaK_exp2anyregup()call.An attacker could supply crafted input to a system that compiles untrusted Lua code in order to negatively impact stability or potentially read information from memory.