Closed (trinishanmukha closed this 7 months ago)
+1
How do we mitigate against this vulnerability? On AWS Inspector and GitHub's Advisory Database there doesn't seem to be any patched version release.
This is fixed in libexpat v2.6.0, see https://github.com/libexpat/libexpat/pull/789 although I don't think this impacts alpine.
@trinishanmukha @rogaha what tools are you using to detect this vulnerability in alpine:3.19.1? I cannot find libexpat anywhere in the alpine 3.19.1 filesystem
$ docker run -it alpine:3.19.1 sh
/ # find . -name libexpat.* -print
If I use an image like eclipse-temurin:21.0.2_13-jdk-alpine that is built on alpine 3.19 (see https://github.com/adoptium/containers/blob/main/21/jdk/alpine/Dockerfile), then libexpat does show up, which means libexpat is being brought in by eclipse-temurin, not alpine.
$ docker run -it eclipse-temurin:21.0.2_13-jdk-alpine sh
/ # find . -name libexpat.* -print
./usr/lib/libexpat.so.1.8.10
./usr/lib/libexpat.so.1
As you correctly mention, it is brought in by eclipse-temurin; they install a package that depends on libexpat. See here for the layer responsible on Docker Hub; here is the command:
/bin/sh -c set -eux; apk add --no-cache fontconfig ttf-dejavu ca-certificates p11-kit-trust musl-locales musl-locales-lang binutils tzdata ; rm -rf /var/cache/apk/*
Correct me if I'm wrong, but the responsible package for eclipse-temurin seems to be fontconfig, as it depends on expat. On the Alpine Linux side, they already have the new version of expat, so I don't think there is much they can do. If people are getting security warnings because they use eclipse-temurin, they probably need to wait for them to release a newer image that uses the new expat version you mentioned.
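An added check, not code from the thread or from any project, that turns the manual `find` and package inspection above into a script: it asks apk which package owns each libexpat library inside an Alpine-based image and flags versions below 2.6.0, the release the thread identifies as carrying the CVE-2023-52425 fix. It assumes `docker` on the host, `apk` in the image, and the "<file> is owned by <pkg>-<version>-r<release>" line format of `apk info -W`; the sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag an Alpine-based image whose libexpat
# predates the CVE-2023-52425 fix. Assumes docker, apk in the image, and the
# "<file> is owned by <pkg>-<ver>-r<rel>" output of `apk info -W`.
FIXED_EXPAT_VERSION="2.6.0"

# Extract the upstream version from an apk package name.
# Constructed input "expat-2.5.0-r2" yields "2.5.0".
pkg_version() {
    v="${1%-r[0-9]*}"          # drop the "-rN" release suffix
    printf '%s\n' "${v##*-}"   # keep what follows the last "-"
}

# Succeed (return 0) when dotted version $1 sorts strictly before $2.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Classify one "apk info -W" line as "VULNERABLE <pkg>" or "OK <pkg>".
# Constructed input: "/usr/lib/libexpat.so.1 is owned by expat-2.5.0-r2"
classify_owner_line() {
    pkg="${1##* is owned by }"
    if version_lt "$(pkg_version "$pkg")" "$FIXED_EXPAT_VERSION"; then
        printf 'VULNERABLE %s\n' "$pkg"
    else
        printf 'OK %s\n' "$pkg"
    fi
}

# Run the inspection inside an image, e.g. eclipse-temurin:21.0.2_13-jdk-alpine.
check_image() {
    docker run --rm "$1" sh -c \
        'for f in $(find / -name "libexpat.so*" 2>/dev/null); do apk info -W "$f"; done' \
    | while IFS= read -r line; do classify_owner_line "$line"; done
}

if [ -n "${1:-}" ]; then
    check_image "$1"
fi
```

An image that prints no lines contains no libexpat at all, which is what the `find` on plain alpine:3.19.1 above shows.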
Closing it, as I opened it in the wrong place.
In the latest alpine:3.19.1, a new vulnerability, CVE-2023-52425, is found:
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.