alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

CVE-2023-52425 libexpat through 2.5.0 allows a denial of service #377

Closed trinishanmukha closed 7 months ago

trinishanmukha commented 7 months ago

In the latest alpine:3.19.1, a new vulnerability, CVE-2023-52425, is found:

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

rogaha commented 7 months ago

+1

manglide commented 7 months ago

How do we mitigate against this vulnerability? On AWS Inspector and GitHub's Advisory Database there doesn't seem to be any patched version release.

hexagon-ecosys commented 7 months ago

This is fixed in libexpat v2.6.0, see https://github.com/libexpat/libexpat/pull/789 although I don't think this impacts alpine.

@trinishanmukha @rogaha what tools are you using to detect this vulnerability in alpine:3.19.1? I cannot find libexpat anywhere in the alpine 3.19.1 filesystem

```
$ docker run -it alpine:3.19.1 sh
/ # find . -name libexpat.* -print
```

If I use an image like eclipse-temurin:21.0.2_13-jdk-alpine that is built on alpine 3.19 (see https://github.com/adoptium/containers/blob/main/21/jdk/alpine/Dockerfile), then libexpat does show up, which means libexpat is being brought in by eclipse-temurin, not alpine.

```
$ docker run -it eclipse-temurin:21.0.2_13-jdk-alpine sh
/ # find . -name libexpat.* -print
./usr/lib/libexpat.so.1.8.10
./usr/lib/libexpat.so.1
```

mrtnhwttktc commented 7 months ago

> If I use an image like eclipse-temurin:21.0.2_13-jdk-alpine that is built on alpine 3.19 (see https://github.com/adoptium/containers/blob/main/21/jdk/alpine/Dockerfile), then libexpat does show up, which means libexpat is being brought in by eclipse-temurin, not alpine.

As you correctly mention, it is brought in by eclipse-temurin: they install a package that depends on libexpat. See here for the layer responsible on Docker Hub; here is the command:

```
/bin/sh -c set -eux; apk add --no-cache fontconfig ttf-dejavu ca-certificates p11-kit-trust musl-locales musl-locales-lang binutils tzdata ; rm -rf /var/cache/apk/*
```

Correct me if I'm wrong, but the responsible package for eclipse-temurin seems to be fontconfig, as it depends on expat. On the Alpine Linux side, they already have the new version of expat, so I don't think there is much they can do. If people are getting security warnings because they use eclipse-temurin, they probably need to wait for them to release a newer image that uses the new expat version you mentioned.
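The two checks discussed in this thread (hexagon-ecosys's `find` for the library file, and mrtnhwttktc's point that the owning apk package, fontconfig here, is what matters) can be combined into one script. The following is an added example, not code from this thread or from the docker-alpine project: it reads the installed apk package list from an image, extracts the expat version, compares it with the 2.6.0 fix version named above, and asks apk which package owns `libexpat.so.1`. The `docker`/`apk` invocation and the `2.6.0` threshold are assumptions taken from the comments; the sample package strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the docker-alpine project or this issue): report whether an
# Alpine-based image carries an expat package older than the 2.6.0 fix named in the
# thread, and which apk package pulled the library in. Assumes docker and an image
# that has apk; the threshold below is taken from the thread, not from Alpine metadata.

FIXED_EXPAT_VERSION="2.6.0"

# version_ge A B: return 0 when dotted numeric version A >= B, comparing component
# by component so that 2.10.0 sorts after 2.6.0 (a plain string compare would not).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# apk_pkg_version PKG: print the upstream version from an apk package string such as
# "expat-2.5.0-r2". Package names may themselves contain hyphens (musl-locales-lang),
# so the string is parsed from the right: drop "-rN", then take the last "-" field.
apk_pkg_version() {
    v="${1%-r*}"
    printf '%s\n' "${v##*-}"
}

# expat_status PKG: print "fixed" or "vulnerable" for an expat package string,
# judged only against the fix version the thread names (constructed threshold).
expat_status() {
    ver="$(apk_pkg_version "$1")"
    if version_ge "$ver" "$FIXED_EXPAT_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# check_image IMAGE: run the checks inside a container of IMAGE.
# 'apk info -v' prints one "name-version-rN" line per installed package.
check_image() {
    image="$1"
    pkgs="$(docker run --rm "$image" sh -c 'apk info -v 2>/dev/null | grep "^expat-"')" || true
    if [ -z "$pkgs" ]; then
        echo "$image: no expat package installed (the plain alpine:3.19.1 case above)"
        return 0
    fi
    for p in $pkgs; do
        echo "$image: $p -> $(expat_status "$p")"
    done
    # Which package owns the library file, i.e. who brought it into the image
    # (fontconfig via eclipse-temurin in the example discussed above).
    docker run --rm "$image" apk info --who-owns /usr/lib/libexpat.so.1
}

# Only touch docker when an image name is given, e.g.:
#   sh check_expat.sh eclipse-temurin:21.0.2_13-jdk-alpine
if [ "$#" -gt 0 ]; then
    check_image "$1"
fi
```

Running it against the base image prints the "no expat package installed" line, which matches the empty `find` output above; against an image that installs fontconfig it prints the expat package string with its status and the owning package, so a scanner finding can be traced to the layer that introduced it rather than to the Alpine base.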

trinishanmukha commented 7 months ago

Closing it, as I opened it in the wrong place.