MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0

Release new images/install package update to mitigate CVE-2022-3515 #469

Closed AB-xdev closed 1 year ago

AB-xdev commented 1 year ago

For a few days now our code scanner has been finding the following vulnerability inside the mariadb image:

mariadb:10.8 (ubuntu 22.04)
===========================
Total: 1 (UNKNOWN: 0, HIGH: 1, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├──────────┼───────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libksba8 │ CVE-2022-3515 │ HIGH     │ 1.6.0-2build1     │ 1.6.0-2ubuntu0.1 │ libksba: integer overflow may lead to remote code execution │
│          │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-3515                   │
└──────────┴───────────────┴──────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘

The problem was already fixed inside ubuntu: https://ubuntu.com/security/CVE-2022-3515

If mariadb is affected by the CVE I recommend that you re-release the existing images (with an updated ubuntu base image). If it's not affected I recommend that you remove the library.

grooverdan commented 1 year ago

libksba8 is pulled in by the install of gnupg during the build of the mariadb container. It isn't actually used by mariadb directly, and mariadb doesn't call the executables kbxutil, dirmngr or gpgsm from the gnupg package; they aren't used during the build either, as nothing is x509/CMS based.

I think I can get away with a gpg only package and avoid the wider gnupg. I'll test this early next week.

Ubuntu updates occur periodically as part of the official images, like this PR, and after those are built, every dependent container image, like mariadb, will automatically get rebuilt.

grooverdan commented 1 year ago

Seems I was wrong, dirmngr is used (only) in the build:

diff --git a/10.10/Dockerfile b/10.10/Dockerfile
index 407b7be..72f4a05 100644
--- a/10.10/Dockerfile
+++ b/10.10/Dockerfile
@@ -8,7 +8,7 @@ RUN groupadd -r mysql && useradd -r -g mysql mysql
 RUN set -ex; \
        apt-get update; \
        if ! which gpg; then \
-               apt-get install -y --no-install-recommends gnupg; \
+               apt-get install -y --no-install-recommends gpgv gpg; \
        fi; \
        rm -rf /var/lib/apt/lists/*
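Review bot: the replacement install line `apt-get install -y --no-install-recommends gpgv gpg; \` drops dirmngr, which the `gnupg` metapackage pulled in, and the build log in this same comment shows the later `gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys ...` failing with `gpg: error running '/usr/bin/dirmngr': probably not installed`; add `dirmngr` to that line (`apt-get install -y --no-install-recommends gpgv gpg dirmngr; \`) so the key-server fetch works. Also note that the unchanged guard `if ! which gpg; then` only tests for the gpg binary, so on a base image that already ships gpg without dirmngr the whole install step is skipped; check for dirmngr as well if the fetch must always succeed.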

build:

...
+ wget -q -O /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/1.14/gosu-amd64.asc
+ mktemp -d
+ GNUPGHOME=/tmp/tmp.RcAauxCkdZ
+ export GNUPGHOME
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keybox '/tmp/tmp.RcAauxCkdZ/pubring.kbx' created
gpg: error running '/usr/bin/dirmngr': probably not installed
gpg: failed to start the dirmngr '/usr/bin/dirmngr': Configuration error
gpg: connecting dirmngr at '/tmp/tmp.RcAauxCkdZ/S.dirmngr' failed: Configuration error
gpg: keyserver receive failed: No dirmngr

So dirmngr is used for accessing OpenPGP key servers.

grooverdan commented 1 year ago

The images have been rebuilt due to the change of ubuntu base:

$ podman run -ti mariadb:latest bash
root@47b848fe6ecf:/# apt-cache show libksba8
Package: libksba8
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 302
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: same
Source: libksba
Version: 1.6.0-2ubuntu0.1

Ref: #475

New releases are also coming out very soon.
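The last comment verifies the mitigation by reading `apt-cache show libksba8` inside the rebuilt image and eyeballing the `Version:` line against the fixed version the scanner reported. As an added example that is not part of this issue or of the mariadb-docker project, the script below automates that check offline: it parses the `apt-cache show` output quoted above (embedded here as constructed sample input), extracts the installed version, and compares it with the scanner's fixed version using the same ordering rules as `dpkg --compare-versions` (epoch, then upstream, then Debian revision, with `~` sorting before everything and letters before non-letters). The function and constant names are this example's own.

```python
import re

# Sample input, copied from the apt-cache show output quoted in the issue.
SAMPLE_APT_CACHE_SHOW = """\
Package: libksba8
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 302
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: same
Source: libksba
Version: 1.6.0-2ubuntu0.1
"""

# Versions reported by the scanner in the issue for CVE-2022-3515.
VULNERABLE_VERSION = "1.6.0-2build1"
FIXED_VERSION = "1.6.0-2ubuntu0.1"


def _order(c):
    """dpkg character ordering for non-digit characters: '~' sorts before
    everything (even the end of the string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the way dpkg does: alternate
    between a non-digit run (compared with _order) and a digit run (compared
    numerically) until both strings are exhausted."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            ca = sa[i] if i < len(sa) else ""
            cb = sb[i] if i < len(sb) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like dpkg --compare-versions (lt/eq/gt)."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def installed_version(apt_cache_show_output):
    """Extract the value of the 'Version:' field from apt-cache show output."""
    for line in apt_cache_show_output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_fixed(installed, fixed):
    """True when the installed version is at least the fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    current = installed_version(SAMPLE_APT_CACHE_SHOW)
    status = "fixed" if is_fixed(current, FIXED_VERSION) else "STILL VULNERABLE"
    print(f"libksba8 {current} vs fixed {FIXED_VERSION}: {status}")
```

In a real pipeline the sample string would be replaced by the output of `docker run --rm mariadb:latest apt-cache show libksba8`; the comparison logic is the part worth having, because a plain string comparison would rank `2build1` and `2ubuntu0.1` incorrectly for other package naming schemes.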