tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

gosu binary Vuln with thirdparty github.com/opencontainers/runc (CVE-2023-27561) #130

Closed eshafaq1 closed 10 months ago

eshafaq1 commented 1 year ago

There looks to be a vulnerability with a third party package (github.com/opencontainers/runc) in the latest version of gosu. (see screenshot)


This also mentioned as part of a regression here: https://github.com/opencontainers/runc/issues/2197#issuecomment-1437276049

Filing this ticket in hopes folks can get gosu patched.

tianon commented 1 year ago

https://github.com/tianon/gosu/blob/master/SECURITY.md

eshafaq1 commented 1 year ago

@tianon https://pkg.go.dev/vuln/GO-2022-0274

More context here: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r

tianon commented 1 year ago

I get the feeling you didn't read the link 🤔 can you share the source of your binary and the exact command and output of your govulncheck invocation?

eshafaq1 commented 1 year ago

@tianon I did read the link you supplied and scanned the gosu binary present in the mongo:6.0.8 container, but the only vulnerability that is present is in your exceptions list: GO-2023-1840

```
4d764a2d38e3 mongo:6.0.8
docker cp 4d764a2d38e3:/usr/local/bin/gosu /tmp/
govulncheck -mode=binary /tmp/gosu
GO-2023-1840
```

I believe this is still a valid vulnerability and, from the referenced links, it has been reintroduced due to a regression in a fix to this CVE, and I don't think it's recorded in the Go Vuln DB yet.

Fix and reference to original CVE in this ticket - https://github.com/opencontainers/runc/issues/3751

tianon commented 1 year ago

The gosu tool does not create any mounts, though, so I'm a little confused how that vulnerability could apply (in other words, govulncheck is successfully detecting that we do not use any of the affected functionality).
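The distinction tianon is drawing here is between a vulnerable module being linked into a binary and a vulnerable function actually being reachable from it. govulncheck reports both, but only the second kind is actionable. The script below is an added example (not part of gosu or govulncheck) that triages govulncheck's `-json` stream by that criterion. The sample input is constructed to mimic the shape of `govulncheck -mode=binary -json` output (one JSON object per line, findings under a `finding` key, trace frames ordered from the vulnerable symbol outward); the schema is a simplified reconstruction and should be checked against the govulncheck version in use. The finding values are illustrative only and are not the result of scanning any real gosu build.

```python
"""Triage govulncheck -json findings by reachability.

Added example, not gosu's or govulncheck's own code. Findings whose trace
reaches a vulnerable function ("symbol" level) are actionable; findings that
stop at the module or package level mean the dependency is linked in but
none of its vulnerable code is used, which is exactly the case discussed in
this issue for runc's mount code.
"""
import json

# Constructed sample mimicking the govulncheck -json stream. The schema is a
# simplified assumption about the format; values are illustrative only.
SAMPLE_OUTPUT = r'''
{"config":{"scan_mode":"binary","go_version":"go1.18.2"}}
{"osv":{"id":"GO-2022-0274","aliases":["CVE-2023-27561"],"summary":"constructed"}}
{"osv":{"id":"GO-2023-1840","summary":"constructed"}}
{"finding":{"osv":"GO-2022-0274","fixed_version":"v1.1.5","trace":[{"module":"github.com/opencontainers/runc","version":"v1.1.0"}]}}
{"finding":{"osv":"GO-2023-1840","fixed_version":"go1.20.4","trace":[{"module":"stdlib","version":"go1.18.2","package":"runtime","function":"example_symbol"}]}}
'''

LEVEL_RANK = {"module": 0, "package": 1, "symbol": 2}


def parse_findings(text):
    """Yield the 'finding' objects from a line-delimited govulncheck JSON stream."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "finding" in obj:
            yield obj["finding"]


def finding_level(finding):
    """Most specific level the finding reaches: 'symbol', 'package' or 'module'.

    Assumes trace[0] is the frame for the vulnerable code itself, so the
    presence of 'function' there means a vulnerable symbol is used/present.
    """
    frame = finding["trace"][0]
    if frame.get("function"):
        return "symbol"
    if frame.get("package"):
        return "package"
    return "module"


def triage(text):
    """Map each OSV id to its deepest observed level plus module/version info."""
    result = {}
    for finding in parse_findings(text):
        osv_id = finding["osv"]
        level = finding_level(finding)
        frame = finding["trace"][0]
        current = result.get(osv_id)
        # govulncheck may emit several findings per advisory; keep the deepest.
        if current is None or LEVEL_RANK[level] > LEVEL_RANK[current["level"]]:
            result[osv_id] = {
                "level": level,
                "module": frame.get("module"),
                "version": frame.get("version"),
                "fixed_version": finding.get("fixed_version"),
            }
    return result


def actionable(text):
    """Advisories where a vulnerable symbol is reached: these need a fix."""
    return sorted(o for o, r in triage(text).items() if r["level"] == "symbol")


def informational(text):
    """Advisories matched only at module/package level: dependency linked, code unused."""
    return sorted(o for o, r in triage(text).items() if r["level"] != "symbol")


if __name__ == "__main__":
    report = triage(SAMPLE_OUTPUT)
    for osv_id, info in sorted(report.items()):
        tag = "ACTIONABLE" if info["level"] == "symbol" else "informational"
        print(f"{osv_id}: {tag} ({info['level']} level) in {info['module']}@{info['version']},"
              f" fixed in {info['fixed_version']}")
```

Run it against real output with `govulncheck -mode=binary -json /tmp/gosu | python3 triage.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`. An advisory landing in the informational bucket is the signal that a version bump changes the SBOM but not the attack surface.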

tianon commented 1 year ago

See also https://github.com/search?q=repo%3Agolang%2Fvulndb%20GO-2022-0274&type=code (this vulnerability is definitely in the database)

eshafaq1 commented 1 year ago

The actual vulnerability is with the runc lib (v1.1.0) used by gosu.

I noticed you have some info in the readme about runc vulns:

> If you believe you have found a new vulnerability in gosu, chances are very high that it's actually a vulnerability in runc (or at the very least, runc's code), and should be reported appropriately and responsibly

They (runc) have captured and resolved this vulnerability in version v1.1.5.

I don't know much about Go dependencies, but it seems like `gosu/go.mod` requires `github.com/opencontainers/runc v1.1.0` ---> needs to be upgraded to v1.1.5

tianon commented 1 year ago

The vulnerable code in runc is the code that performs mounts. The gosu tool does not invoke any of that code under any circumstances.

minakolta commented 1 year ago

Hi @tianon, can you please introduce this update suggested by @eshafaq1? I am pretty convinced by your point; on the other hand, if that won't impact the package, it's better to upgrade the version, as a lot of reported issues are marked on all images that utilize gosu, including MongoDB.

tianon commented 1 year ago

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu.

docgurureddy commented 1 year ago

Hi @tianon,

Your latest gosu version is built on Go 1.18.2. Any chance of building with a newer Go release, like Go 1.20.5 or higher?

Thanks!

tianon commented 1 year ago

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu.