jaegertracing / jaeger-operator

Jaeger Operator for Kubernetes simplifies deploying and running Jaeger on Kubernetes.
https://www.jaegertracing.io/docs/latest/operator/
Apache License 2.0

[Bug]: CVE-2023-29491 ncurses CVE lib. Need to provide a fix in quay.io/jaegertracing/jaeger-operator #2352

Closed shrikant-rajappan closed 8 months ago

shrikant-rajappan commented 8 months ago

What happened?

Please take cognisance of CVE-2023-29491 and provide a fix in quay.io/jaegertracing/jaeger-operator

Steps to reproduce

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491

Expected behavior

Since this issue is being opened as part of a fix for the ncurses library, an updated/upgraded version of the jaeger-operator is expected.

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

No response

SDK

No response

Pipeline

No response

Storage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

andreasgerstmayr commented 8 months ago

hi @shrikant-rajappan!

The latest jaeger-operator docker image is based on CentOS Stream and includes the following ncurses version:

$ docker run -it --entrypoint bash quay.io/jaegertracing/jaeger-operator:1.51.0
bash-5.1$ rpm -qa | grep ncurses
ncurses-base-6.2-10.20210508.el9.noarch
ncurses-libs-6.2-10.20210508.el9.x86_64

The changelog of this package states that CVE-2023-29491 is fixed in this release (by backporting): https://cbs.centos.org/koji/buildinfo?buildID=51542

tl;dr the jaeger-operator image is not affected by this CVE.
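An added example, not code from the jaeger-operator project or from either participant in the thread, that puts the check from the reply above into script form. It contrasts the naive version comparison a scanner performs (upstream fix is in 6.4, image has 6.2, so "vulnerable") with the check that actually decides the question for a distribution package: whether the package changelog records the CVE as backported. The changelog text, maintainer name and dates are constructed sample data, not the real CentOS Stream changelog; `rpm_changelog_for_image` is a hypothetical helper that needs docker and is only shown in a comment, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the jaeger-operator project or the issue thread).
# Distribution packages often backport CVE fixes without bumping the upstream
# version, so comparing "6.2" against the upstream fix in "6.4 20230408"
# produces a false positive. The reliable check is whether the package
# changelog records the CVE.

# naive_version_check NVRA
# What a version-only scanner does: parse major.minor out of an rpm NVRA line
# such as "ncurses-libs-6.2-10.20210508.el9.x86_64" and flag anything < 6.4.
naive_version_check() {
    nvra="$1"
    version=$(printf '%s\n' "$nvra" | sed -E 's/^ncurses-libs-([0-9]+)\.([0-9]+)-.*$/\1 \2/')
    if [ "$version" = "$nvra" ]; then
        echo unknown   # line did not look like an ncurses-libs NVRA
        return
    fi
    major=${version%% *}
    minor=${version##* }
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 4 ]; }; then
        echo flagged
    else
        echo clear
    fi
}

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Prints "fixed" if the changelog mentions the CVE id literally, "unknown" otherwise.
cve_in_changelog() {
    cve="$1"
    changelog="$2"
    if printf '%s\n' "$changelog" | grep -qF -- "$cve"; then
        echo fixed
    else
        echo unknown
    fi
}

# Hypothetical wrapper for a real image (needs docker; not called below):
#   rpm_changelog_for_image() { docker run --rm --entrypoint rpm "$1" -q --changelog "$2"; }
#   cve_in_changelog CVE-2023-29491 \
#       "$(rpm_changelog_for_image quay.io/jaegertracing/jaeger-operator:1.51.0 ncurses-libs)"

# Constructed sample of `rpm -q --changelog ncurses-libs` output for a package
# that carries the backport; the entries are illustrative, not the real changelog.
SAMPLE_CHANGELOG_PATCHED='* Mon Apr 17 2023 Example Maintainer <maintainer@example.invalid> - 6.2-10.20210508
- backport fix for CVE-2023-29491 (terminfo parsing)

* Sat May 08 2021 Example Maintainer <maintainer@example.invalid> - 6.2-9.20210508
- rebase to 20210508 snapshot'

# Constructed sample for an older build of the same upstream version, without the backport.
SAMPLE_CHANGELOG_OLD='* Sat May 08 2021 Example Maintainer <maintainer@example.invalid> - 6.2-9.20210508
- rebase to 20210508 snapshot'

SAMPLE_NVRA='ncurses-libs-6.2-10.20210508.el9.x86_64'

main() {
    echo "version-only check:        $(naive_version_check "$SAMPLE_NVRA")"
    echo "changelog, patched build:  $(cve_in_changelog CVE-2023-29491 "$SAMPLE_CHANGELOG_PATCHED")"
    echo "changelog, old build:      $(cve_in_changelog CVE-2023-29491 "$SAMPLE_CHANGELOG_OLD")"
}

main "$@"
```

Same package version, two different answers: the version-only check flags the image, the changelog check shows the fix is present. When a scanner reports a CVE against a distro-packaged library, the changelog (or the distribution's own advisory) is the thing to verify before filing the report upstream.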