
Run apk upgrade in final image to patch musl and xz CVEs#70

Merged
loks0n merged 1 commit into main from fix/cve-musl-xz-apk-upgrade
May 3, 2026
Conversation

@loks0n loks0n commented May 3, 2026

Summary

  • Add apk update && apk upgrade --no-cache to the final stage so the runtime image picks up patched Alpine packages. The compile stage already does this, but the final stage didn't, so the published image shipped unpatched musl/xz-libs from the base.
  • Resolves Trivy findings: CVE-2025-26519 (musl qsort stack corruption, High), musl iconv GB18030 DoS, and CVE-2026-34743 (xz-libs index-decoding buffer overflow, fixed in 5.8.3-r0).
  • Back-fill the missing 1.3.0 changelog entry and add 1.3.1 for this fix.

Verification

Built --target final locally and verified package versions:

musl-1.2.5-r23
musl-utils-1.2.5-r23
xz-5.8.3-r0
xz-libs-5.8.3-r0

All target CVEs now have fixed versions installed.

Test plan

🤖 Generated with Claude Code

Resolves CVE-2025-26519 (musl qsort stack corruption), the musl iconv
GB18030 DoS, and the xz index-decoding buffer overflow (CVE-2026-34743,
fixed in xz-libs 5.8.3-r0).

The compile stage already ran apk upgrade, but the runtime stage didn't,
so the published image was shipping unpatched libs from the base.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
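The verification step the PR describes (build the final target, then confirm the installed package versions) as an added shell example; this is not code from the PR or the project. It parses `apk info -v` style output (one `name-version-rN` line per package) and checks each CVE-relevant package against a minimum fixed version. The xz-libs minimum 5.8.3-r0 is the fixed version stated in the PR; the musl minimum 1.2.5-r23 is an assumption taken from the version the author verified as installed. Both package listings are constructed samples, and the version comparison assumes plain numeric dotted components plus the `-rN` release suffix (no `_git`/`_pre` suffixes).

```shell
#!/bin/sh
# Added example (not the PR's code): confirm that the packages installed in the
# final image meet the minimum fixed versions for the CVEs named in the PR.

# Minimum acceptable versions. xz-libs 5.8.3-r0 comes from the PR text; the
# musl value is assumed from the versions the author saw installed.
REQUIRED="musl 1.2.5-r23
xz-libs 5.8.3-r0"

# Constructed `apk info -v` output for an image whose final stage ran apk upgrade.
PATCHED_IMAGE="zlib-1.3.1-r2
musl-1.2.5-r23
musl-utils-1.2.5-r23
xz-5.8.3-r0
xz-libs-5.8.3-r0"

# Constructed output for an image whose final stage skipped apk upgrade.
UNPATCHED_IMAGE="zlib-1.3.1-r2
musl-1.2.5-r22
musl-utils-1.2.5-r22
xz-5.8.1-r0
xz-libs-5.8.1-r0"

# ver_ge A B: succeed when Alpine version A >= B. The "-rN" release is treated
# as one more numeric component, so 1.2.5-r23 compares as 1.2.5.23.
ver_ge() {
  a=$(printf '%s' "$1" | sed 's/-r/./')
  b=$(printf '%s' "$2" | sed 's/-r/./')
  i=1
  while :; do
    # Trailing '.' guarantees cut sees a delimiter; missing fields read as empty.
    fa=$(printf '%s.' "$a" | cut -d. -f"$i")
    fb=$(printf '%s.' "$b" | cut -d. -f"$i")
    [ -z "$fa" ] && [ -z "$fb" ] && return 0   # every component equal
    [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
    [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    i=$((i+1))
  done
}

# installed_version NAME LISTING: print the version of NAME from the listing,
# or nothing if absent. Requiring a digit right after "NAME-" keeps "musl-"
# from matching "musl-utils-...".
installed_version() {
  printf '%s\n' "$2" | sed -n "s/^$1-\([0-9][^ ]*\)$/\1/p" | head -n 1
}

# check_image LISTING: report each required package and return the number of
# packages that are missing or below their fixed version (0 means all good).
check_image() {
  failures=0
  while read -r name minver; do
    have=$(installed_version "$name" "$1")
    if [ -z "$have" ]; then
      echo "MISSING $name (want >= $minver)"; failures=$((failures+1))
    elif ver_ge "$have" "$minver"; then
      echo "OK      $name-$have (>= $minver)"
    else
      echo "VULN    $name-$have (want >= $minver)"; failures=$((failures+1))
    fi
  done <<EOF
$REQUIRED
EOF
  return $failures
}

echo "== patched image =="
check_image "$PATCHED_IMAGE"
echo "== unpatched image =="
check_image "$UNPATCHED_IMAGE" || echo "$? package(s) below the fixed version"
```

Against a real build the listing would come from the image itself (for example `docker run --rm IMAGE apk info -v`), piped into `check_image`; the sample listings are embedded here so the script runs offline. This is a sanity check on versions only and does not replace the scanner: Trivy's fixed-version data is what decides whether a given package release actually carries the patch.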
greptile-apps Bot commented May 3, 2026

Greptile Summary

This PR adds apk update && apk upgrade --no-cache to the final stage of the Dockerfile so the published runtime image ships with patched Alpine packages, addressing CVE-2025-26519 (musl qsort stack corruption), the musl iconv GB18030 DoS, and CVE-2026-34743 (xz-libs buffer overflow). The compile stage already ran apk upgrade; this change closes the gap for the final/runtime stage and back-fills the missing 1.3.0 changelog entry.

Confidence Score: 5/5

Safe to merge — minimal, targeted security patch with no logic changes and no new dependencies.

The change is a two-line addition that mirrors the already-proven upgrade pattern in the compile stage. No logic is altered, no new packages are introduced, and the fix directly addresses the stated CVEs. No issues were identified.

No files require special attention.

Important Files Changed

Dockerfile: Adds apk update && apk upgrade --no-cache to the final stage before apk add, mirroring the existing upgrade pattern in the compile stage to patch musl/xz CVEs.
CHANGES.md: Adds missing 1.3.0 changelog entry and a new 1.3.1 entry describing the CVE fixes.

Reviews (1): Last reviewed commit: "Run apk upgrade in final image to patch ..."

@loks0n loks0n merged commit 19fb537 into main May 3, 2026
11 checks passed