New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
alpine:latest has CVE-2020-28928 #123
Comments
/cc @ncopa - would it be possible to bump this? Not sure if there's any mechanism to upgrade single packages since this image is basically just "extract the minirootfs into Alternatively we'd need to wait for an Alpine 3.12.2 to be released with the patched |
Also, as a workaround (in case anyone else reads this and needs to mitigate quickly for compliance reasons): Add this line to your
Note: Generally running |
Thank you for the reminder. We should bump a 3.12.2 release ASAP. Let me see what I can do. (We should probably also update the kernel while at it, which will require some work) |
Please also update |
Looks like 3.12.2 is out - https://alpinelinux.org/posts/Alpine-3.12.2-released.html Thanks @ncopa 🙇♂️ |
yes. it is fixed for CVE-2020-28928 but now there is also CVE-2020-1971 . i use a similar workaround:
|
Ouch. And this one's got a higher CVSS than before 😞.
The @ncopa is it worth releasing 3.12.3 for the As an aside, I wonder if it might make sense to add some logic to the |
CVE-2020-28928 is fixed. Lets follow up CVE-2020-1971 in #125 |
Noticed that latest 3.13 image (e.g. alpine:3.13.1) contain vulnerability - CVE-2020-28928. Noticed that 3.12 image (alpine:3.12.3) contain a fix. Is there a plan to release a fix for 3.13 track as well? |
@ncopa do you want us to raise a new issue for Alpine 3.13.1 or are you happy to re-open this one given alpine:latest is now 3.13.1 |
@sinchmarcuslind @rjpearce there may be an issue with the scanner you're using - I see it with The scanner output may indicate a bug with Snyk: $ docker scan alpine:3.13.1
Docker Scan relies upon access to Snyk, a third party provider, do you consent to proceed using Snyk? (y/N)
y
Testing alpine:3.13.1...
✗ Medium severity vulnerability found in musl/musl
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
[...]
From: musl/musl@1.2.2-r0
From: busybox/busybox@1.32.1-r2 > musl/musl@1.2.2-r0
From: alpine-baselayout/alpine-baselayout@3.2.0-r8 > musl/musl@1.2.2-r0
and 10 more...
Fixed in: 1.2.2_pre2-r0
[...] That For comparison, here's the trivy output: $ trivy image alpine:3.13.1
2021-02-10T08:28:29.745-0500 INFO Detecting Alpine vulnerabilities...
2021-02-10T08:28:29.746-0500 INFO Trivy skips scanning programming language libraries because no supported file was detected
alpine:3.13.1 (alpine 3.13.1)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) |
@hairyhenderson thank you, and yes you are correct. It was a false positive from Clair when using clair-scanner -c "http://127.0.0.1:6060" --ip host.docker.internal alpine:3.13.1
2021/02/10 15:44:37 [INFO] ▶ Start clair-scanner
2021/02/10 15:44:38 [INFO] ▶ Server listening on port 9279
2021/02/10 15:44:38 [INFO] ▶ Analyzing 065271f6ba27473148a86d60e1cbb1e734bbb6adb5aae1861651558ae80a2f68
2021/02/10 15:44:38 [WARN] ▶ Image [alpine:3.13.1] contains 1 total vulnerabilities
2021/02/10 15:44:38 [ERRO] ▶ Image [alpine:3.13.1] contains 1 unapproved vulnerabilities
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| Unapproved | Low CVE-2020-28928 | musl | 1.2.2-r0 | |
| | | | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928 |
+------------+--------------------+--------------+-----------------+--------------------------------------------------------------+ Updating to the latest version for the clair-db ( clair-scanner -c "http://127.0.0.1:6060" --ip host.docker.internal alpine:3.13.1
2021/02/10 15:49:09 [INFO] ▶ Start clair-scanner
2021/02/10 15:49:09 [INFO] ▶ Server listening on port 9279
2021/02/10 15:49:09 [INFO] ▶ Analyzing 065271f6ba27473148a86d60e1cbb1e734bbb6adb5aae1861651558ae80a2f68
2021/02/10 15:49:09 [INFO] ▶ Image [alpine:3.13.1] contains NO unapproved vulnerabilities Thanks again. |
Not sure if this is a bug with Snyk or not but it looks like this issue is still present in alpine3.13 - https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865 Specifically when using the |
Maybe report this to the |
Oops! I am in the wrong place.. I will reach out there. Thanks! |
AWS ECR scan is showing this CVE for 3.14 even though Trivy does not. Snyk is also showing this in their database: |
@schematis I think maybe you should report this to AWS and Snyk. Alpine 3.14 contains $ docker run -it --rm alpine:3.14.0 apk --no-cache info musl
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
musl-1.2.2-r3 description:
the musl c library (libc) implementation
musl-1.2.2-r3 webpage:
https://musl.libc.org/
musl-1.2.2-r3 installed size:
608 KiB As I mentioned above this is likely a version parsing issue with Snyk and AWS. It's worth noting too that these versions aren't semver-compliant - |
musl : 1.1.24-r9 -
Layer: sha256:ace0eda3e3be35a979cec764a3321b4c7d0b9e4bb3094d20d3ff6782961a8d54
CVE-2020-28928
In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Solution: Upgrade musl to 1.1.24-r10
References:
http://www.openwall.com/lists/oss-security/2020/11/20/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928
https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html
https://musl.libc.org/releases.html
The text was updated successfully, but these errors were encountered: