argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Update git-lfs version in images #18723

Open maxres-ch opened 3 weeks ago

maxres-ch commented 3 weeks ago

Our scanning tools are showing that git-lfs is built with Go version 1.18.1, which has several vulnerabilities that might impact the binary. The CVEs are as follows:

| CVE | Description |
| --- | --- |
| CVE-2023-45287 | Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. |
| CVE-2022-30631 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. |
| CVE-2022-32189 | A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. |
| CVE-2022-30630 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. |
| CVE-2022-30635 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to sta. |

Checklist:

Describe the bug

The git-lfs version in jammy was compiled with Go 1.18.1, which contains the CVEs listed above.

Unfortunately it looks like Ubuntu jammy, jammy-updates, and backports are still using the same version of git-lfs compiled with 1.18.1.

To Reproduce

# this is the bin with the issue
❮ docker run --entrypoint '' --user 0:0 -it --rm quay.io/argoproj/argocd:v2.11.3 git-lfs --version
git-lfs/3.0.2 (GitHub; linux arm64; go 1.18.1)

Expected behavior

root@f3eacf466e6e:/# git-lfs --version
git-lfs/3.4.0 (GitHub; linux arm64; go 1.21.1) # or something newer than 1.18.1

Screenshots

N/A

Version


# for posterity
❮ docker run --entrypoint '' --user 0:0 -it --rm quay.io/argoproj/argocd:v2.11.3 argocd version
argocd: v2.11.3+3f344d5
  BuildDate: 2024-06-06T08:42:00Z
  GitCommit: 3f344d54a4e0bbbb4313e1c19cfe1e544b162598
  GitTreeState: clean
  GoVersion: go1.21.9
  Compiler: gc
  Platform: linux/arm64

Logs

N/A

Additional Comment

Solutions:

crenshaw-dev commented 3 weeks ago

Is there a way to install git-lfs from the mantic source while not impacting other packages?

maxres-ch commented 3 weeks ago

Interestingly, it does seem to be ok with not adding dependencies

docker run --entrypoint '' --user 0:0 -it --rm quay.io/argoproj/argocd:v2.11.3 bash
# installed editor and run apt-update after adding source.list
root@bb35a6461be2:/home/argocd# cat /etc/apt/preferences.d/99mantic
Package: *
Pin: release a=mantic
Pin-Priority: 1
root@bb35a6461be2:/home/argocd# grep mantic /etc/apt/sources.list
deb http://ports.ubuntu.com/ubuntu-ports/ mantic multiverse universe
root@bb35a6461be2:/home/argocd# apt install --no-install-recommends -t mantic git-lfs
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  git-lfs
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 3500 kB of archives.
After this operation, 968 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports mantic/universe arm64 git-lfs arm64 3.4.0-1build1 [3500 kB]
Fetched 3500 kB in 3s (1093 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 13223 files and directories currently installed.)
Preparing to unpack .../git-lfs_3.4.0-1build1_arm64.deb ...
Unpacking git-lfs (3.4.0-1build1) over (3.0.2-1ubuntu0.2) ...
Setting up git-lfs (3.4.0-1build1) ...
root@bb35a6461be2:/home/argocd# git-lfs --version
git-lfs/3.4.0 (GitHub; linux arm64; go 1.21.0)

Is there any form of integration tests using the container/git-lfs?
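Two things in this thread are done by hand at a shell prompt: reading the Go toolchain version out of the `git-lfs --version` banner to decide whether the binary is affected (the "To Reproduce" step in the issue body), and writing the apt pin plus source entry so that only git-lfs is pulled from mantic onto a jammy base (the session above). The script below is an added example, not code from the argo-cd project or from anyone in this thread. It assumes the banner shape shown in the thread (`git-lfs/X.Y.Z (GitHub; linux arm64; go A.B.C)`), uses the file names `99mantic` and `mantic.list` as this example's own choice, and treats Go 1.20 as the minimum because the page lists CVE-2023-45287 as fixed only in 1.20 (the other four were fixed in 1.18.4/1.18.5, so 1.20 covers them too). The pin and source contents mirror the `99mantic` file and `sources.list` line from the session above; `ports.ubuntu.com` is the arm64 mirror used there, amd64 images use `archive.ubuntu.com`.

```shell
#!/bin/sh
# Added example (not part of argo-cd or this thread).
# 1) write_mantic_pin ROOT: generate the apt pin and source files under ROOT
#    (use ROOT=/ inside the image; a scratch dir lets you inspect them first).
# 2) go_version_from_banner / version_ge / check_banner: parse the Go version
#    embedded in a `git-lfs --version` banner and compare it to a minimum.

write_mantic_pin() {
  root="$1"
  mkdir -p "$root/etc/apt/preferences.d" "$root/etc/apt/sources.list.d"
  # Pin-Priority 1 keeps mantic packages out of normal upgrades; they are only
  # chosen when explicitly targeted, e.g. `apt install -t mantic git-lfs`.
  printf 'Package: *\nPin: release a=mantic\nPin-Priority: 1\n' \
    > "$root/etc/apt/preferences.d/99mantic"
  # ports.ubuntu.com is the arm64 mirror from the thread; amd64 uses archive.ubuntu.com.
  printf 'deb http://ports.ubuntu.com/ubuntu-ports/ mantic multiverse universe\n' \
    > "$root/etc/apt/sources.list.d/mantic.list"
}

# Print the dotted Go version found after "go " in a git-lfs version banner.
go_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*go \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 if dotted numeric version A >= B (missing parts count as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# check_banner BANNER MIN: print "ok" (exit 0), "outdated (v < MIN)" (exit 1),
# or "unparsed" (exit 2) when no Go version is present in the banner.
check_banner() {
  v=$(go_version_from_banner "$1")
  [ -n "$v" ] || { echo "unparsed"; return 2; }
  if version_ge "$v" "$2"; then
    echo "ok"
    return 0
  fi
  echo "outdated ($v < $2)"
  return 1
}

# Demo on the two banners quoted in the thread (constructed inputs):
#   sh check-git-lfs-go.sh --demo
if [ "${1:-}" = "--demo" ]; then
  check_banner 'git-lfs/3.0.2 (GitHub; linux arm64; go 1.18.1)' 1.20 || true
  check_banner 'git-lfs/3.4.1 (GitHub; linux arm64; go 1.21.5)' 1.20
fi
```

In a scanning job, pipe `docker run --rm --entrypoint '' IMAGE git-lfs --version` into `check_banner` and fail the job on a non-zero exit; that flags images built with a pre-fix toolchain regardless of which distro or tag the binary came from.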

34fathombelow commented 2 weeks ago

May I suggest we upgrade our base image to ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30, which will include a newer version of git-lfs (3.4.1) and other packages, which will also lower the number of LOW/MEDIUM CVEs. This is Ubuntu's latest LTS release. @crenshaw-dev WDYT?

maxres-ch commented 2 weeks ago

> May I suggest we upgrade our base image to ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30, which will include a newer version of git-lfs (3.4.1) and other packages, which will also lower the number of LOW/MEDIUM CVEs. This is Ubuntu's latest LTS release. @crenshaw-dev WDYT?

A release update seems more ideal than a backport, which feels risky.

I'd be happy to open a PR for a base image update.

34fathombelow commented 2 weeks ago

Actually we just need to bump the Ubuntu image to ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac and publish a new release to resolve these CVEs. v2.12.0-rc2 uses a slightly older version but contains the fixes.

> docker run -it quay.io/argoproj/argocd:v2.12.0-rc2 git-lfs version
git-lfs/3.4.1 (GitHub; linux arm64; go 1.21.5)

I do think we should bump the Ubuntu image to ubuntu:24.04 for the master branch and the release-2.12 branch since it's still an RC.

maxres-ch commented 2 weeks ago

@34fathombelow @crenshaw-dev I see this now: https://github.com/argoproj/argo-cd/commit/414be63696a1c0e414488bc1fb33b6f66f19b026

Seems like this issue could be closed when 2.12 is released.

thecooldrop commented 1 week ago

@maxres-ch If I am not mistaken the versions 2.9, 2.10 and 2.11 are still "supported", and this issue thus needs backporting to those versions.

@34fathombelow The 2.12 version of ArgoCD relies on Ubuntu 24.04, while releases 2.9-2.11 are built on 22.04. The latest hash of 22.04 does not contain the newest git-lfs version, as can be seen by running the following command:

docker run --rm ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac /bin/bash -c "apt update && apt install -y git-lfs && git-lfs version"

This will produce the output: git-lfs/3.0.2 (GitHub; linux amd64; go 1.18.1), thus we need to include the mantic repos.