search

optiopay / klar

Integration of Clair and Docker Registry
MIT License
506 stars 138 forks source link

vulnerabilities in early layer get flagged even through later layer fixes them #144

Open majewsky opened 5 years ago

majewsky commented 5 years ago

The image debian:stretch-slim from Docker Hub, as of now, has a vulnerable glibc version:

$ docker images$ docker images
REPOSITORY           TAG                    IMAGE ID            CREATED             SIZE
debian               stretch-slim           9a4a82cec2d2        12 days ago         55.3MB

$ klar debian:stretch-slim
...
-----------------------------------------
CVE-2017-15670: [High]
Found in: glibc [2.24-11+deb9u3]
Fixed By: 2.24-11+deb9u4
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
https://security-tracker.debian.org/tracker/CVE-2017-15670
-----------------------------------------
CVE-2017-1000408: [High]
Found in: glibc [2.24-11+deb9u3]
Fixed By: 2.24-11+deb9u4
A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
https://security-tracker.debian.org/tracker/CVE-2017-1000408
...

My own image is based on that, but I do apt update as part of the image build process, so the final image has the fixed version:

$ docker run --rm -ti $OWN_IMAGE cat /var/lib/dpkg/status | sed -n '/^Package: libc6\s*$/,/^\s*$/{/^Version/p}'
Version: 2.24-11+deb9u4

However, klar still reports glibc as being vulnerable against the same CVEs. I checked with mitmproxy: klar uploads all layers of the image, but then only asks for the vulnerabilities of the first layer and stops there (presumably because it found vulnerabilities).

I'm not entirely sure if I'm holding something wrong here, because it doesn't make sense to me that Klar looks for vulnerabilities in the base layer. I'm not running the base layer, I'm running the entire image only.

hstock commented 5 years ago

I can confirm this. Currently there is a Vulnerabilty in systemd in the debian:9 image, howerver I do an apt-get upgrade in my images which upgrades to a fixed version. Still klar reports the error in the base layer.

fgreinacher commented 5 years ago

Same problem here, for glibc and systemd