docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

GOSU dependency package RUNC which has a security issue. #1096

Closed taimoorahmedrana closed 1 year ago

taimoorahmedrana commented 1 year ago

Postgres image is currently using GOSU 1.1.6 which has dependencies on RUNC 1.1.0. This version of RUNC has a security hole and a patch has been released.

Please help us update GOSU which has RUNC 1.1.5 or above.

yosifkit commented 1 year ago

gosu does not update just to satisfy scanner results. It is not vulnerable to that CVE. See their SECURITY.md.

Also from the Docker Official Images FAQ (https://github.com/docker-library/faq/tree/da53abbaf0ed592989e5f8b50adcbd062582033d#why-does-my-security-scanner-show-that-an-image-has-cves):

  • The listed CVE is a false positive
    • [...]
    • The binary or library is not vulnerable because the vulnerable code is never executed. Security solutions make the assumption that if a dependency has a vulnerability, then the binary or library using the dependency is also vulnerable. This correctly reports vulnerabilities, but this simple approach can also lead to many false positives. It can be improved by using other tools to detect if the vulnerable functions are used. govulncheck is one such tool made for Go based binaries. e.g., CVE-2023-28642 is a vulnerability in runc less than version 1.1.5 but shows up when scanning the gosu 1.16 binary since runc 1.1.0 is a dependency. Running govulncheck against gosu shows that it does not use any vulnerable runc functions.
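The FAQ passage contrasts two ways of deciding whether a binary is affected by a dependency's CVE: the scanner's version comparison and govulncheck's reachability analysis. The script below is an added illustration of that distinction, not code from gosu, govulncheck or the postgres image. It models both verdicts over constructed data: the module versions and fixed version come from the thread (gosu ships runc 1.1.0, CVE-2023-28642 is fixed in runc 1.1.5), while the call graphs and the vulnerable symbol name (`runc/libcontainer.HypotheticalVulnerableFunc`) are placeholders, since the page does not name the affected function.

```python
"""Triage of dependency-level CVE findings: version matching vs. reachability.

Constructed example (not gosu's or govulncheck's code). It models the two
approaches the FAQ quote contrasts: a scanner that flags a binary because a
dependency module is below the fixed version, and a reachability analysis
that only reports the CVE when a vulnerable symbol can be reached from the
program's entry point.
"""
from collections import deque

# Advisory data as stated in the thread: CVE-2023-28642 affects runc < 1.1.5.
# The vulnerable symbol name is a placeholder; the page does not name it.
ADVISORIES = {
    "CVE-2023-28642": {
        "module": "github.com/opencontainers/runc",
        "fixed": "1.1.5",
        "symbols": {"runc/libcontainer.HypotheticalVulnerableFunc"},
    },
}


def parse_version(v):
    """'1.1.0' -> (1, 1, 0); tolerates a leading 'v' as in Go module versions."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def scanner_findings(modules, advisories=ADVISORIES):
    """Naive scanner logic: flag every advisory whose module is present
    in the binary at a version below the fixed one, regardless of use."""
    hits = set()
    for cve, adv in advisories.items():
        ver = modules.get(adv["module"])
        if ver is not None and parse_version(ver) < parse_version(adv["fixed"]):
            hits.add(cve)
    return hits


def reachable_symbols(call_graph, root="main.main"):
    """Breadth-first traversal of a static call graph from the entry point,
    returning every function that can be reached from it."""
    seen = {root}
    queue = deque([root])
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def reachability_findings(modules, call_graph, advisories=ADVISORIES, root="main.main"):
    """Report a CVE only if the module is affected AND one of the advisory's
    vulnerable symbols is reachable from the entry point."""
    reach = reachable_symbols(call_graph, root)
    return {cve for cve in scanner_findings(modules, advisories)
            if advisories[cve]["symbols"] & reach}


def triage(modules, call_graph, advisories=ADVISORIES):
    """Label each scanner hit as reachable or as a dependency-only finding."""
    naive = scanner_findings(modules, advisories)
    real = reachability_findings(modules, call_graph, advisories)
    return {cve: ("reachable" if cve in real
                  else "not reachable: vulnerable code never called")
            for cve in naive}


# Constructed binaries. Both vendor runc 1.1.0, so a version-based scanner flags both.
GOSU_MODULES = {"github.com/opencontainers/runc": "1.1.0"}

# gosu-like call graph: only runc's user-lookup code is used. This is an
# assumed shape for illustration, not gosu's real call graph.
GOSU_CALLS = {
    "main.main": ["main.run"],
    "main.run": ["runc/libcontainer/user.LookupUser", "syscall.Exec"],
    "runc/libcontainer/user.LookupUser": ["runc/libcontainer/user.parsePasswd"],
}

# Hypothetical container tool whose entry point does reach the affected code path.
RUNTIME_CALLS = {
    "main.main": ["runc/libcontainer.Create"],
    "runc/libcontainer.Create": ["runc/libcontainer.HypotheticalVulnerableFunc"],
}

if __name__ == "__main__":
    for name, graph in (("gosu-like", GOSU_CALLS), ("runtime-like", RUNTIME_CALLS)):
        print(name, triage(GOSU_MODULES, graph))
```

Both constructed binaries produce the same scanner hit, but only the one whose call graph reaches the placeholder symbol is reported by the reachability check; that gap is exactly the false-positive class the FAQ describes. For a real Go binary the corresponding analysis is what `govulncheck -mode=binary <path>` performs, using the vulnerability database's per-symbol data instead of the constructed advisory above.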