jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

Wonderful project 1 trivy scan of etherpad reveals some criticals #325

Open symgryph opened 4 years ago

symgryph commented 4 years ago

LOVE the service you people are doing, but there are several critical vulnerabilities as run by Trivy. I am attaching them. Need help in building alpine versions? Or 'more secure' debian stuff? I could help. Would love to get it working with docker ns remaps too!

Most of the images seem good in that they don't seem to have unfixed, or high criticals etc. The only image with issues is the etherpad one.


Jitsi/etherpad:latest (debian 9.9)
==================================
Total: 63 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 50, CRITICAL: 13)

+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                         TITLE                         |
+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
| curl                 | CVE-2019-5481    | HIGH     | 7.52.1-5+deb9u9   | 7.52.1-5+deb9u10  | curl: double free due to                              |
|                      |                  |          |                   |                   | subsequent call of realloc()                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-5482    |          |                   |                   | curl: heap buffer overflow in                         |
|                      |                  |          |                   |                   | function tftp_receive_packet()                        |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| file                 | CVE-2019-18218   |          | 1:5.30-1+deb9u2   | 1:5.30-1+deb9u3   | file: heap-based                                      |
|                      |                  |          |                   |                   | buffer overflow in                                    |
|                      |                  |          |                   |                   | cdf_read_property_info in                             |
|                      |                  |          |                   |                   | cdf.c                                                 |
+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
| git                  | CVE-2019-1349    | CRITICAL | 1:2.11.0-3+deb9u4 | 1:2.11.0-3+deb9u5 | git: Recursive submodule                              |
|                      |                  |          |                   |                   | cloning allows using                                  |
|                      |                  |          |                   |                   | git directory twice with                              |
|                      |                  |          |                   |                   | synonymous directory...                               |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-1352    |          |                   |                   | git: Files inside the .git                            |
|                      |                  |          |                   |                   | directory may be overwritten                          |
|                      |                  |          |                   |                   | during cloning via...                                 |
+                      +------------------+----------+                   +                   +-------------------------------------------------------+
|                      | CVE-2019-1353    | HIGH     |                   |                   | git: NTFS protections inactive                        |
|                      |                  |          |                   |                   | when running Git in the                               |
|                      |                  |          |                   |                   | Windows Subsystem for...                              |
+----------------------+------------------+----------+                   +                   +-------------------------------------------------------+
| git-man              | CVE-2019-1349    | CRITICAL |                   |                   | git: Recursive submodule                              |
|                      |                  |          |                   |                   | cloning allows using                                  |
|                      |                  |          |                   |                   | git directory twice with                              |
|                      |                  |          |                   |                   | synonymous directory...                               |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-1352    |          |                   |                   | git: Files inside the .git                            |
|                      |                  |          |                   |                   | directory may be overwritten                          |
|                      |                  |          |                   |                   | during cloning via...                                 |
+                      +------------------+----------+                   +                   +-------------------------------------------------------+
|                      | CVE-2019-1353    | HIGH     |                   |                   | git: NTFS protections inactive                        |
|                      |                  |          |                   |                   | when running Git in the                               |
|                      |                  |          |                   |                   | Windows Subsystem for...                              |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| libcurl3             | CVE-2019-5481    |          | 7.52.1-5+deb9u9   | 7.52.1-5+deb9u10  | curl: double free due to                              |
|                      |                  |          |                   |                   | subsequent call of realloc()                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-5482    |          |                   |                   | curl: heap buffer overflow in                         |
|                      |                  |          |                   |                   | function tftp_receive_packet()                        |
+----------------------+------------------+          +                   +                   +-------------------------------------------------------+
| libcurl3-gnutls      | CVE-2019-5481    |          |                   |                   | curl: double free due to                              |
|                      |                  |          |                   |                   | subsequent call of realloc()                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-5482    |          |                   |                   | curl: heap buffer overflow in                         |
|                      |                  |          |                   |                   | function tftp_receive_packet()                        |
+----------------------+------------------+          +                   +                   +-------------------------------------------------------+
| libcurl4-openssl-dev | CVE-2019-5481    |          |                   |                   | curl: double free due to                              |
|                      |                  |          |                   |                   | subsequent call of realloc()                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-5482    |          |                   |                   | curl: heap buffer overflow in                         |
|                      |                  |          |                   |                   | function tftp_receive_packet()                        |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| libglib2.0-0         | CVE-2019-12450   |          | 2.50.3-2          | 2.50.3-2+deb9u1   | glib2: file_copy_fallback in                          |
|                      |                  |          |                   |                   | gio/gfile.c in GNOME GLib does                        |
|                      |                  |          |                   |                   | not properly restrict file...                         |
+----------------------+                  +          +                   +                   +                                                       +
| libglib2.0-bin       |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
+----------------------+                  +          +                   +                   +                                                       +
| libglib2.0-data      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
+----------------------+                  +          +                   +                   +                                                       +
| libglib2.0-dev       |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| libmagic-mgc         | CVE-2019-18218   |          | 1:5.30-1+deb9u2   | 1:5.30-1+deb9u3   | file: heap-based                                      |
|                      |                  |          |                   |                   | buffer overflow in                                    |
|                      |                  |          |                   |                   | cdf_read_property_info in                             |
|                      |                  |          |                   |                   | cdf.c                                                 |
+----------------------+                  +          +                   +                   +                                                       +
| libmagic1            |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| libnghttp2-14        | CVE-2019-9511    |          | 1.18.1-1          | 1.18.1-1+deb9u1   | HTTP/2: large amount of data                          |
|                      |                  |          |                   |                   | requests leads to denial of                           |
|                      |                  |          |                   |                   | service                                               |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-9513    |          |                   |                   | HTTP/2: flood using PRIORITY                          |
|                      |                  |          |                   |                   | frames results in excessive                           |
|                      |                  |          |                   |                   | resource consumption                                  |
+----------------------+------------------+          +-------------------+-------------------+-------------------------------------------------------+
| libxslt1-dev         | CVE-2019-11068   |          | 1.1.29-2.1        | 1.1.29-2.1+deb9u1 | libxslt: xsltCheckRead and                            |
|                      |                  |          |                   |                   | xsltCheckWrite routines                               |
|                      |                  |          |                   |                   | security bypass by crafted URL                        |
+----------------------+                  +          +                   +                   +                                                       +
| libxslt1.1           |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
|                      |                  |          |                   |                   |                                                       |
+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
| linux-libc-dev       | CVE-2018-20836   | CRITICAL | 4.9.168-1+deb9u3  | 4.9.168-1+deb9u5  | kernel: race condition                                |
|                      |                  |          |                   |                   | in smp_task_timedout()                                |
|                      |                  |          |                   |                   | and smp_task_done() in                                |
|                      |                  |          |                   |                   | drivers/scsi/libsas/sas_expander.c                    |
|                      |                  |          |                   |                   | leads to use-after-free...                            |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-10220   |          |                   | 4.9.210-1         | kernel: CIFS: Relative paths                          |
|                      |                  |          |                   |                   | injection in directory entry                          |
|                      |                  |          |                   |                   | lists                                                 |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14896   |          |                   |                   | kernel: heap-based buffer overflow                    |
|                      |                  |          |                   |                   | in lbs_ibss_join_existing function in                 |
|                      |                  |          |                   |                   | drivers/net/wireless/marvell/libertas/cfg.c           |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14901   |          |                   |                   | kernel: heap overflow in                              |
|                      |                  |          |                   |                   | marvell/mwifiex/tdls.c                                |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15292   |          |                   | 4.9.184-1         | kernel: Use-after-free in                             |
|                      |                  |          |                   |                   | atalk_proc_exit function in                           |
|                      |                  |          |                   |                   | net/appletalk                                         |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15505   |          |                   | 4.9.210-1         | kernel: out of bounds read in                         |
|                      |                  |          |                   |                   | drivers/media/usb/dvb-usb/technisat-usb2.c            |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15926   |          |                   | 4.9.189-1         | kernel: out of bounds                                 |
|                      |                  |          |                   |                   | access in  functions                                  |
|                      |                  |          |                   |                   | ath6kl_wmi_pstream_timeout_event_rx                   |
|                      |                  |          |                   |                   | and ath6kl_wmi_cac_event_rx                           |
+                      +------------------+----------+                   +-------------------+-------------------------------------------------------+
|                      | CVE-2017-18509   | HIGH     |                   | 4.9.168-1+deb9u5  | kernel: not checking                                  |
|                      |                  |          |                   |                   | sk_type and protocol in                               |
|                      |                  |          |                   |                   | net/ipv6/ip6mr.c leads to                             |
|                      |                  |          |                   |                   | general protection...                                 |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-0155    |          |                   | 4.9.189-3+deb9u2  | hw: Intel GPU blitter                                 |
|                      |                  |          |                   |                   | manipulation can allow for                            |
|                      |                  |          |                   |                   | arbitrary kernel memory                               |
|                      |                  |          |                   |                   | write...                                              |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-11487   |          |                   | 4.9.184-1         | kernel: Count overflow in                             |
|                      |                  |          |                   |                   | FUSE request leading to                               |
|                      |                  |          |                   |                   | use-after-free issues.                                |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-13272   |          |                   | 4.9.168-1+deb9u4  | kernel: broken permission and                         |
|                      |                  |          |                   |                   | object lifetime handling for                          |
|                      |                  |          |                   |                   | PTRACE_TRACEME                                        |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-14814   |          |                   | 4.9.210-1         | kernel: heap overflow in                              |
|                      |                  |          |                   |                   | mwifiex_set_uap_rates()                               |
|                      |                  |          |                   |                   | function of Marvell Wifi                              |
|                      |                  |          |                   |                   | Driver leading to...                                  |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14815   |          |                   |                   | kernel: heap-overflow in                              |
|                      |                  |          |                   |                   | mwifiex_set_wmm_params()                              |
|                      |                  |          |                   |                   | function of Marvell WiFi                              |
|                      |                  |          |                   |                   | driver leading to DoS...                              |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14816   |          |                   |                   | kernel: heap overflow in                              |
|                      |                  |          |                   |                   | mwifiex_update_vs_ie()                                |
|                      |                  |          |                   |                   | function of Marvell WiFi                              |
|                      |                  |          |                   |                   | driver                                                |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-14821   |          |                   | 4.9.189-3+deb9u1  | Kernel: KVM: OOB memory access                        |
|                      |                  |          |                   |                   | via mmio ring buffer                                  |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14835   |          |                   |                   | kernel: vhost-net: guest to                           |
|                      |                  |          |                   |                   | host kernel escape during                             |
|                      |                  |          |                   |                   | migration                                             |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-14895   |          |                   | 4.9.210-1         | kernel: heap-based buffer overflow in                 |
|                      |                  |          |                   |                   | mwifiex_process_country_ie() function in              |
|                      |                  |          |                   |                   | drivers/net/wireless/marvell/mwifiex/sta_ioctl.c      |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-14897   |          |                   |                   | kernel: stack-based buffer overflow                   |
|                      |                  |          |                   |                   | in add_ie_rates function in                           |
|                      |                  |          |                   |                   | drivers/net/wireless/marvell/libertas/cfg.c           |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15239   |          |                   | 4.9.168-1+deb9u5  | kernel: local attacker                                |
|                      |                  |          |                   |                   | can trigger multiple                                  |
|                      |                  |          |                   |                   | use-after-free conditions                             |
|                      |                  |          |                   |                   | results in privilege                                  |
|                      |                  |          |                   |                   | escalation...                                         |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15538   |          |                   | 4.9.189-2         | kernel: denial of service                             |
|                      |                  |          |                   |                   | in in xfs_setattr_nonsize in                          |
|                      |                  |          |                   |                   | fs/xfs/xfs_iops.c                                     |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-15666   |          |                   | 4.9.184-1         | kernel: out-of-bounds array                           |
|                      |                  |          |                   |                   | access in __xfrm_policy_unlink                        |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-15807   |          |                   |                   | kernel: Memory leak in                                |
|                      |                  |          |                   |                   | drivers/scsi/libsas/sas_expander.c                    |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-16746   |          |                   | 4.9.210-1         | kernel: buffer-overflow                               |
|                      |                  |          |                   |                   | hardening in WiFi beacon                              |
|                      |                  |          |                   |                   | validation code.                                      |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-17075   |          |                   |                   | kernel: denial of service                             |
|                      |                  |          |                   |                   | in write_tpt_entry in                                 |
|                      |                  |          |                   |                   | drivers/infiniband/hw/cxgb4/mem.c                     |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-17133   |          |                   |                   | kernel: buffer overflow in                            |
|                      |                  |          |                   |                   | cfg80211_mgd_wext_giwessid in                         |
|                      |                  |          |                   |                   | net/wireless/wext-sme.c                               |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-17666   |          |                   |                   | kernel: rtl_p2p_noa_ie in                             |
|                      |                  |          |                   |                   | drivers/net/wireless/realtek/rtlwifi/ps.c             |
|                      |                  |          |                   |                   | in the Linux kernel lacks a certain                   |
|                      |                  |          |                   |                   | upper-bound...                                        |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-18805   |          |                   | 4.9.184-1         | kernel: integer overflow                              |
|                      |                  |          |                   |                   | in tcp_ack_update_rtt in                              |
|                      |                  |          |                   |                   | net/ipv4/tcp_input.c                                  |
+                      +------------------+          +                   +-------------------+-------------------------------------------------------+
|                      | CVE-2019-18809   |          |                   | 4.9.210-1         | kernel: memory leak in                                |
|                      |                  |          |                   |                   | af9005_identify_state()                               |
|                      |                  |          |                   |                   | function in                                           |
|                      |                  |          |                   |                   | drivers/media/usb/dvb-usb/af9005.c                    |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19049   |          |                   |                   | kernel: dos in                                        |
|                      |                  |          |                   |                   | unittest_data_add() function                          |
|                      |                  |          |                   |                   | in drivers/of/unittest.c                              |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19052   |          |                   |                   | kernel: dos in                                        |
|                      |                  |          |                   |                   | gs_can_open() function in                             |
|                      |                  |          |                   |                   | drivers/net/can/usb/gs_usb.c                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19056   |          |                   |                   | kernel: A memory leak in the                          |
|                      |                  |          |                   |                   | mwifiex_pcie_alloc_cmdrsp_buf() function in           |
|                      |                  |          |                   |                   | drivers/net/wireless/marvell/mwifiex/pcie.c           |
|                      |                  |          |                   |                   | allows to...                                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19062   |          |                   |                   | kernel: A memory leak in the                          |
|                      |                  |          |                   |                   | crypto_report() function in                           |
|                      |                  |          |                   |                   | crypto/crypto_user_base.c                             |
|                      |                  |          |                   |                   | allows for...                                         |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19063   |          |                   |                   | kernel: Two memory leaks in                           |
|                      |                  |          |                   |                   | the rtl_usb_probe() function in                       |
|                      |                  |          |                   |                   | drivers/net/wireless/realtek/rtlwifi/usb.c            |
|                      |                  |          |                   |                   | allow for...                                          |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19066   |          |                   |                   | kernel: A memory leak in                              |
|                      |                  |          |                   |                   | the bfad_im_get_stats()                               |
|                      |                  |          |                   |                   | function in                                           |
|                      |                  |          |                   |                   | drivers/scsi/bfa/bfad_attr.c                          |
|                      |                  |          |                   |                   | allows for...                                         |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19068   |          |                   |                   | kernel: A memory leak in the                          |
|                      |                  |          |                   |                   | rtl8xxxu_submit_int_urb() function in                 |
|                      |                  |          |                   |                   | drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |
|                      |                  |          |                   |                   | allows for...                                         |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-19527   |          |                   |                   | kernel: use-after-free                                |
|                      |                  |          |                   |                   | caused by a malicious                                 |
|                      |                  |          |                   |                   | USB device in the                                     |
|                      |                  |          |                   |                   | drivers/hid/usbhid/hiddev.c                           |
|                      |                  |          |                   |                   | driver...                                             |
+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
| patch                | CVE-2018-20969   | CRITICAL | 2.7.5-1+deb9u1    | 2.7.5-1+deb9u2    | patch: do_ed_script in                                |
|                      |                  |          |                   |                   | pch.c does not block strings                          |
|                      |                  |          |                   |                   | beginning with a !...                                 |
+                      +------------------+          +                   +                   +-------------------------------------------------------+
|                      | CVE-2019-13638   |          |                   |                   | patch: OS shell command                               |
|                      |                  |          |                   |                   | injection when processing                             |
|                      |                  |          |                   |                   | crafted patch files                                   |
+----------------------+------------------+----------+-------------------+-------------------+-------------------------------------------------------+
symgryph commented 4 years ago

I will be happy to help in any way that I can. This project is a great alternative to the horrible Zoom privacy-invading monster!

symgryph commented 4 years ago

There is also a nice utility called 'docker-slim' which will remove unnecessary cruft from images, making them WAY smaller and less likely to have security issues. I could help with that too if there is interest. It's positively amazing that this thing works with as little work as I put into it! docker-compose up -d with a few tweaks and excellent directions. I especially like the auto make certs work thing with lets-encrypt.

saghul commented 4 years ago

Thank you for the kind words and the analysis!

Coincidentally, the etherpad container is the only one we didn’t build so it doesn’t share our base. Our base uses debian-slim as a starting point and updates all dependencies on every build. We should probably have our own etherpad image for consistency and in order to be able to guarantee the same level of security updates.

I’d suggest you also report these to the Etherpad project, since we are currently using their image.

Thanks for the tip on the slim tool, I’ll give it a try!
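
A triage script for a report like the one above, added here as an example (it is not part of docker-jitsi-meet, Etherpad or Trivy). It assumes Trivy's JSON output (`trivy image -f json -o report.json <image>`) with the field names `Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`; the embedded report is a constructed sample that copies two rows from the table in this thread plus one made-up entry with no fix. Splitting findings by whether the distro already ships a fixed version shows which ones a rebuild that upgrades all packages (the approach described for the jitsi base images) would clear, and which need an upstream fix or a different base.

```python
"""Triage a Trivy JSON report: count findings per severity and split them
into 'fixable' (the distro already ships a FixedVersion, so rebuilding the
image with all packages upgraded clears them) and 'unfixed' (no fix yet)."""
import json
from collections import Counter

# Constructed sample in the assumed Trivy JSON shape. The first two entries
# copy rows from the scan posted in this thread; the third is made up to
# exercise the 'no fixed version' branch.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "jitsi/etherpad:latest (debian 9.9)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-5481", "PkgName": "curl",
             "InstalledVersion": "7.52.1-5+deb9u9",
             "FixedVersion": "7.52.1-5+deb9u10", "Severity": "HIGH",
             "Title": "curl: double free due to subsequent call of realloc()"},
            {"VulnerabilityID": "CVE-2018-20969", "PkgName": "patch",
             "InstalledVersion": "2.7.5-1+deb9u1",
             "FixedVersion": "2.7.5-1+deb9u2", "Severity": "CRITICAL",
             "Title": "patch: do_ed_script in pch.c does not block strings "
                      "beginning with a !"},
            {"VulnerabilityID": "CVE-0000-00000",  # placeholder id, constructed
             "PkgName": "libexample-constructed",
             "InstalledVersion": "1.0-1", "FixedVersion": "",
             "Severity": "MEDIUM", "Title": "constructed entry without a fix"},
        ],
    }]
})


def load_results(report_text):
    """Return the per-target result list. Accepts both the {"Results": [...]}
    wrapper and the older bare-list shape Trivy emitted."""
    data = json.loads(report_text)
    return data["Results"] if isinstance(data, dict) else data


def triage(report_text):
    """Count findings per severity and bucket each one by fix availability."""
    counts = Counter()
    fixable, unfixed = [], []
    for result in load_results(report_text):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
            entry = (vuln["PkgName"], vuln["VulnerabilityID"],
                     vuln.get("InstalledVersion", ""),
                     vuln.get("FixedVersion", ""))
            # An empty/missing FixedVersion means the distro has no fix yet.
            (fixable if vuln.get("FixedVersion") else unfixed).append(entry)
    return {"counts": dict(counts), "fixable": fixable, "unfixed": unfixed}


def fixable_packages(summary):
    """Distinct packages that upgrading all packages during the image build would fix."""
    return sorted({pkg for pkg, *_ in summary["fixable"]})


def exceeds_threshold(summary, fail_on=("CRITICAL",)):
    """Gate for a build pipeline: True if any finding is at a blocked severity."""
    return any(summary["counts"].get(sev, 0) > 0 for sev in fail_on)


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("per severity:", summary["counts"])
    print("fixable by rebuild:", fixable_packages(summary))
    for pkg, cve, installed, _ in summary["unfixed"]:
        print(f"no fix yet: {pkg} {cve} (installed {installed})")
    print("block release:", exceeds_threshold(summary))
```

To use it on a real scan, read the report file and pass its contents to `triage()`; `exceeds_threshold()` is the piece a CI step would call to fail the build, while the `unfixed` list is what remains after a rebuild and is worth tracking separately.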

sapkra commented 4 years ago

I would prefer to use the official etherpad image, because if you really need a change to the official repository you have the jitsi image as a dependency and have to wait until jitsi updates the image. So it will add an additional dependency to the deployments.

I think this has to be fixed in the official image. The best approach would be to just inform them about these problems so that it gets fixed for as many users as possible.

sapkra commented 4 years ago

@saghul The jitsi/etherpad image also seems to be really outdated. Etherpad has been using debian 10 for 5 months; maybe it's outdated on the machine you are building the images on?

symgryph commented 4 years ago

It was pulled directly from the sources that evening, i.e. it pulled the image from the docker-compose config.

Thomas J Munn

sapkra commented 4 years ago

@symgryph I'm not saying that jitsi/etherpad is outdated on your machine; I think that the base image etherpad/etherpad is outdated on the machine @saghul is building the images on.

This means that jitsi/etherpad is based on an older version of etherpad/etherpad which includes more vulnerabilities.

saghul commented 4 years ago

Aha! That would indeed explain it! My bad. I'll make sure I update. It's probably high time I do some release.sh script too...