tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

New release to include runc v1.0.3 #100

Closed anouarchattouna closed 2 years ago

anouarchattouna commented 2 years ago

Could you please make a new release to include runc v1.0.3 (done here https://github.com/tianon/gosu/pull/96 but not released)?

usr/local/bin/gosu (gobinary)
=============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| github.com/opencontainers/runc | CVE-2021-43784   | MEDIUM   | v1.0.1            | v1.0.3        | runc: integer overflow in             |
|                                |                  |          |                   |               | netlink bytemsg length field          |
|                                |                  |          |                   |               | allows attacker to override...        |
|                                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43784 |
+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
tianon commented 2 years ago

The only part of runc's code we actually use is github.com/opencontainers/runc/libcontainer/user (and by extension, github.com/opencontainers/runc/libcontainer/system), and neither of those actually had any changes between v1.0.1 and v1.0.3 (so this is an overzealous scan result, similar to #98):

$ git diff v1.0.1..v1.0.3 -- libcontainer/user libcontainer/system
$ 
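The check in the comment above, generalized into a small triage script (an added example, not code from the gosu project or from this thread): it derives the packages a binary actually imports from the flagged module via `go list -deps`, then reports only the files changed in those packages between two tags as listed by `git diff --name-only`. The glue at the bottom assumes a local git clone of the module; the module name, clone path and tag range are its arguments, and `triage.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not part of gosu or of this thread: triage a scanner finding on a Go
# dependency by checking whether the packages actually imported from it changed.
set -eu

# used_pkg_dirs MODULE: read `go list -deps -f '{{.ImportPath}}' .` output on stdin,
# keep the packages that belong to MODULE and print their module-relative directories
# ("." for the module's root package).
used_pkg_dirs() {
  awk -v m="$1" '
    $0 == m               { print "." }
    index($0, m "/") == 1 { print substr($0, length(m) + 2) }
  ' | sort -u
}

# changed_used_files DIR...: read `git diff --name-only OLD..NEW` output on stdin and
# print only the files that sit directly in one of the given package directories
# (a Go package does not include its subdirectories, so those are not matched).
changed_used_files() {
  while IFS= read -r file; do
    case "$file" in
      */*) filedir="${file%/*}" ;;
      *)   filedir="." ;;
    esac
    for dir in "$@"; do
      if [ "$filedir" = "$dir" ]; then
        echo "$file"
      fi
    done
  done
}

# Glue, run only when invoked as: sh triage.sh MODULE PATH_TO_MODULE_CLONE INSTALLED..FIXED
# from inside the Go module that builds the binary. The clone path is assumed to be a
# git checkout of MODULE with both tags fetched.
if [ $# -eq 3 ]; then
  module="$1"; clone="$2"; range="$3"
  dirs=$(go list -deps -f '{{.ImportPath}}' . | used_pkg_dirs "$module")
  if [ -z "$dirs" ]; then
    echo "$module is not imported by this binary at all"; exit 0
  fi
  # word-splitting $dirs on newlines is intended here
  changed=$(git -C "$clone" diff --name-only "$range" | changed_used_files $dirs)
  if [ -n "$changed" ]; then
    printf 'finding may apply; changed files in imported packages:\n%s\n' "$changed"
  else
    echo "no changes to the packages imported from $module in $range: likely a false positive"
  fi
fi
```

For the case in this thread, `sh triage.sh github.com/opencontainers/runc ./runc v1.0.1..v1.0.3` run from the gosu checkout reproduces the empty diff shown above for libcontainer/user and libcontainer/system.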
anouarchattouna commented 2 years ago

Should we skip this CVE, or is there a chance that a new gosu release will come out soon?

tianon commented 2 years ago

Yes, I don't see a strong reason to make a new release to "fix" CVEs which already don't apply to the existing release, so I'd suggest reporting it to your scanning vendor so they can flag it appropriately. :sweat_smile: