glib/2.80.1 package update #18752
octo-sts (bot) commented May 7, 2024
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Package glib-dev:
Package glib-lang:
Package glib:
Package glib-static:

bincapz found differences:

Deleted: glib/usr/lib/libgio-2.0.so.0.8000.0
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
-MEDIUM | data/embedded/pem/private_key | contains PRIVATE KEY directive | PRIVATE KEY----- |
-MEDIUM | exec/program | execute external program | subprocess.c |
-MEDIUM | fs/mounts/read | parses active mounts (/etc/fstab, /etc/mtab) | /etc/mtab |
-MEDIUM | kernel/dev/loopback | access virtual block devices (loopback) | /dev/loop |
-MEDIUM | net/download | download files | folder-download-symbolic |
-MEDIUM | net/ip/parse | parses IP address (IPv4 or IPv6) | inet_addr |
-MEDIUM | net/ip/string | converts IP address from byte to string | inet_ntop |
-MEDIUM | net/socks5 | supports SOCK5 proxies | CONNECT %s SOCKSv5 socks5 |
-MEDIUM | procfs/mounts | parses active mounts (/proc/mounts | /proc/mounts |
-MEDIUM | procfs/self/mountinfo | gets mountinfo associated to this process | /proc/self/mountinfo |
-MEDIUM | ref/path/dev | path reference within /dev | /dev/acdI9 /dev/cdrI9 /dev/cdrom /dev/diskette/ /dev/fd /dev/floI9 /dev/floppy /dev/loop /dev/rooH /dev/root /dev/vn |
-MEDIUM | ref/path/var/log | path reference within /var/log | /var/log/audit |
-MEDIUM | ref/words/intercept | references interception | intercept_handle_method_call |
-MEDIUM | secrets/ssh | accesses SSH configuration and/or keys | fuse.sshfs |
-MEDIUM | security_controls/linux/selinux | selinux | SELINUX |
-LOW | compression/gzip | works with gzip files | gzip |
-LOW | data/embedded/pem/certificate | contains embedded PEM certificate | -----BEGIN CERTIFICATE----- |
-LOW | encoding/base64 | supports base64 encoded strings | base64 |
-LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
-LOW | env/USER | looks up the USER name of the current user | USER getenv |
-LOW | fs/directory/create | creates directories | mkdir |
-LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
-LOW | fs/file/delete | deletes files | unlink |
-LOW | fs/file/times/set | change file timestamps with nanosecond precision | utimensat |
-LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
-LOW | fs/link/read | read value of a symbolic link | readlink |
-LOW | fs/loopback | uses loopback pseudo-device files | /dev/loop |
-LOW | fs/mount | mounts file systems | _mount |
-LOW | fs/permission/chown | may change file ownership | fchown |
-LOW | fs/permission/modify | modifies file permissions | fchmod |
-LOW | fs/unmount | unmount file system | umount |
-LOW | fs/watch | monitors filesystem events | inotify |
-LOW | hash/sha1 | uses the SHA1 signature format | SHA1_ |
-LOW | kernel/netlink | communicate with kernel services | netlink |
-LOW | net/dns/txt | uses DNS TXT (text) records | TXT dns |
-LOW | net/hostport/parse | network address and service translation | freeaddrinfo getaddrinfo |
-LOW | net/http/request | makes HTTP requests | HTTP/1. User-Agent open-uri |
-LOW | net/http_proxy | able to use an HTTP proxy that requires authentication | Proxy-Authorization |
-LOW | net/interface/get | get network interfaces by name or index | if_nametoindex |
-LOW | net/ip/multicast/send | send data to multiple nodes simultaneously | multicast |
-LOW | net/ip/send/unicast | send data to the internet | unicast |
-LOW | net/socket/listen | listen on a socket | accept listen socket |
-LOW | net/socket/local/address | get local address of connected socket | getsockname |
-LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
-LOW | net/socket/receive | receive a message from a socket | recvmsg |
-LOW | net/socket/send | send a message to a socket | sendmmsg sendmsg |
-LOW | ref/path/etc | path reference within /etc | /etc/glib- /etc/machine-id /etc/mtab /etc/resolv.conf |
-LOW | ref/path/etc/resolv.conf | accesses DNS resolver configuration | /etc/resolv.conf |
-LOW | ref/path/usr/bin | path reference within /usr/bin | /usr/bin/snapctl |
-LOW | ref/path/var | path reference within /var | /var/crash /var/lib/dbus/machine-id /var/local /var/log/audit /var/mail /var/run /var/tmp |
-LOW | ref/site/url | contains embedded HTTP URLs | http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd http://www.freedesktop.org/standards/shared-mime-info |
-LOW | ref/words/password | references a 'password' | GAskPasswordFlags GPasswordSave GTlsPasswordFlags GTlsPassword_private_offset Username or password is too long for address_get_password ask-password bad-certificate-password from_file_with_password g_ask_password_flags_get_type g_password_save_get_type g_tls_password_finalize g_tls_password_flags_get_type g_tls_password_get_description g_tls_password_get_flags g_tls_password_get_property g_tls_password_get_type_once g_tls_password_get_value g_tls_password_get_warning g_tls_password_init g_tls_password_new g_tls_password_parent_class g_tls_password_real_get_value g_tls_password_real_set_value g_tls_password_set_description g_tls_password_set_flags g_tls_password_set_property g_tls_password_set_value_full g_tls_password_set_warning gtlspassword interaction_ask_password_async interaction_ask_password_finish need-password on_ask_password_complete on_invoke_ask_password_async_as_sync on_invoke_ask_password_sync operation_get_password_save operation_set_password_save password-save username or password |
-LOW | secrets/private_key | references private keys | private_key |
Deleted: glib/usr/lib/libglib-2.0.so.0.8000.0 [⚠️ MEDIUM]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
-MEDIUM | exec/program | executes external programs | execvp |
-MEDIUM | fs/file/times/set | change file last access and modification times | utime |
-MEDIUM | fs/permission/modify | modifies file permissions | chmod |
-MEDIUM | kernel/uname/get | system identification (uname) | uname |
-MEDIUM | net/download | download files | XDG_DOWNLOAD_DIR |
-MEDIUM | procfs/self/cmdline | gets the command-line associated to this process | /proc/self/cmdline |
-MEDIUM | shell/exec | executes shell | /bin/sh |
-LOW | encoding/base64 | supports base64 encoded strings | base64 |
-LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
-LOW | env/LANG | looks up language of current user | LANG getenv |
-LOW | env/TMPDIR | tMPDIR | TMPDIR getenv |
-LOW | env/USER | looks up the USER name of the current user | USER getenv |
-LOW | exec/program/background | wait for process to exit | waitpid |
-LOW | fs/directory/create | creates directories | mkdir |
-LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
-LOW | fs/file/delete | deletes files | unlink |
-LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
-LOW | fs/link/read | read value of a symbolic link | readlink |
-LOW | fs/tempdir | looks up location of temp directory | TMPDIR |
-LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
-LOW | kernel/hostname/get | gets the hostname of the machine | gethostname |
-LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
-LOW | net/socket/send | send a message to a socket | sendmsg |
-LOW | process/multithreaded | creates pthreads | pthread_create |
-LOW | process/parent_pid/get | gets parent process ID | getppid |
-LOW | process/userid/set | set real and effective user ID of current process | setuid |
-LOW | ref/path/dev/shm | path reference within /dev/shm (world writeable) | /dev/shm/journal |
-LOW | ref/path/etc | path reference within /etc | /etc/localtime /etc/os-release /etc/timezone |
-LOW | ref/path/var | path reference within /var | /var/db/zoneinfo |
-LOW | ref/site/url | contains embedded HTTP URLs | http://freedesktop.org http://www.freedesktop.org/standards/desktop-bookmarks http://www.freedesktop.org/standards/shared-mime-info |
-LOW | ref/words/password | references a 'password' | g_uri_get_password |
Deleted: glib/usr/lib/libgobject-2.0.so.0.8000.0 [⚠️ MEDIUM]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
-MEDIUM | net/http/post | able to submit content via HTTP POST | POST http |
-LOW | ref/site/url | contains embedded HTTPS URLs | https://gitlab.gnome.org/GNOME/glib/issues/new |
Deleted: glib/usr/lib/libgirepository-2.0.so.0.8000.0 [✅ LOW]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
-LOW | ref/path/var | path reference within /var | /var/tmpH |
Deleted: glib/usr/lib/libgmodule-2.0.so.0.8000.0 [✅ LOW]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
-LOW | dylib/symbol/address | get the address of a symbol | dlsym |
Added: glib/usr/lib/libgio-2.0.so.0.8000.1 [⚠️ MEDIUM]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
+MEDIUM | data/embedded/pem/private_key | contains PRIVATE KEY directive | PRIVATE KEY----- |
+MEDIUM | exec/program | execute external program | subprocess.c |
+MEDIUM | fs/mounts/read | parses active mounts (/etc/fstab, /etc/mtab) | /etc/mtab |
+MEDIUM | kernel/dev/loopback | access virtual block devices (loopback) | /dev/loop |
+MEDIUM | net/download | download files | folder-download-symbolic |
+MEDIUM | net/ip/parse | parses IP address (IPv4 or IPv6) | inet_addr |
+MEDIUM | net/ip/string | converts IP address from byte to string | inet_ntop |
+MEDIUM | net/socks5 | supports SOCK5 proxies | CONNECT %s SOCKSv5 socks5 |
+MEDIUM | procfs/mounts | parses active mounts (/proc/mounts | /proc/mounts |
+MEDIUM | procfs/self/mountinfo | gets mountinfo associated to this process | /proc/self/mountinfo |
+MEDIUM | ref/path/dev | path reference within /dev | /dev/acdI9 /dev/cdrI9 /dev/cdrom /dev/diskette/ /dev/fd /dev/floI9 /dev/floppy /dev/loop /dev/rooH /dev/root /dev/vn |
+MEDIUM | ref/path/var/log | path reference within /var/log | /var/log/audit |
+MEDIUM | ref/words/intercept | references interception | intercept_handle_method_call |
+MEDIUM | secrets/ssh | accesses SSH configuration and/or keys | fuse.sshfs |
+MEDIUM | security_controls/linux/selinux | selinux | SELINUX |
+LOW | compression/gzip | works with gzip files | gzip |
+LOW | data/embedded/pem/certificate | contains embedded PEM certificate | -----BEGIN CERTIFICATE----- |
+LOW | encoding/base64 | supports base64 encoded strings | base64 |
+LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
+LOW | env/USER | looks up the USER name of the current user | USER getenv |
+LOW | fs/directory/create | creates directories | mkdir |
+LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
+LOW | fs/file/delete | deletes files | unlink |
+LOW | fs/file/times/set | change file timestamps with nanosecond precision | utimensat |
+LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
+LOW | fs/link/read | read value of a symbolic link | readlink |
+LOW | fs/loopback | uses loopback pseudo-device files | /dev/loop |
+LOW | fs/mount | mounts file systems | _mount |
+LOW | fs/permission/chown | may change file ownership | fchown |
+LOW | fs/permission/modify | modifies file permissions | fchmod |
+LOW | fs/unmount | unmount file system | umount |
+LOW | fs/watch | monitors filesystem events | inotify |
+LOW | hash/sha1 | uses the SHA1 signature format | SHA1_ |
+LOW | kernel/netlink | communicate with kernel services | netlink |
+LOW | net/dns/txt | uses DNS TXT (text) records | TXT dns |
+LOW | net/hostport/parse | network address and service translation | freeaddrinfo getaddrinfo |
+LOW | net/http/request | makes HTTP requests | HTTP/1. User-Agent open-uri |
+LOW | net/http_proxy | able to use an HTTP proxy that requires authentication | Proxy-Authorization |
+LOW | net/interface/get | get network interfaces by name or index | if_nametoindex |
+LOW | net/ip/multicast/send | send data to multiple nodes simultaneously | multicast |
+LOW | net/ip/send/unicast | send data to the internet | unicast |
+LOW | net/socket/listen | listen on a socket | accept listen socket |
+LOW | net/socket/local/address | get local address of connected socket | getsockname |
+LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
+LOW | net/socket/receive | receive a message from a socket | recvmsg |
+LOW | net/socket/send | send a message to a socket | sendmmsg sendmsg |
+LOW | ref/path/etc | path reference within /etc | /etc/glib- /etc/machine-id /etc/mtab /etc/resolv.conf |
+LOW | ref/path/etc/resolv.conf | accesses DNS resolver configuration | /etc/resolv.conf |
+LOW | ref/path/usr/bin | path reference within /usr/bin | /usr/bin/snapctl |
+LOW | ref/path/var | path reference within /var | /var/crash /var/lib/dbus/machine-id /var/local /var/log/audit /var/mail /var/run /var/tmp |
+LOW | ref/site/url | contains embedded HTTP URLs | http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd http://www.freedesktop.org/standards/shared-mime-info |
+LOW | ref/words/password | references a 'password' | GAskPasswordFlags GPasswordSave GTlsPasswordFlags GTlsPassword_private_offset Username or password is too long for address_get_password ask-password bad-certificate-password from_file_with_password g_ask_password_flags_get_type g_password_save_get_type g_tls_password_finalize g_tls_password_flags_get_type g_tls_password_get_description g_tls_password_get_flags g_tls_password_get_property g_tls_password_get_type_once g_tls_password_get_value g_tls_password_get_warning g_tls_password_init g_tls_password_new g_tls_password_parent_class g_tls_password_real_get_value g_tls_password_real_set_value g_tls_password_set_description g_tls_password_set_flags g_tls_password_set_property g_tls_password_set_value_full g_tls_password_set_warning gtlspassword interaction_ask_password_async interaction_ask_password_finish need-password on_ask_password_complete on_invoke_ask_password_async_as_sync on_invoke_ask_password_sync operation_get_password_save operation_set_password_save password-save username or password |
+LOW | secrets/private_key | references private keys | private_key |
Added: glib/usr/lib/libgobject-2.0.so.0.8000.1 [⚠️ MEDIUM]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
+MEDIUM | net/http/post | able to submit content via HTTP POST | POST http |
+LOW | ref/site/url | contains embedded HTTPS URLs | https://gitlab.gnome.org/GNOME/glib/issues/new |
Added: glib/usr/lib/libglib-2.0.so.0.8000.1 [⚠️ MEDIUM]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
+MEDIUM | exec/program | executes external programs | execvp |
+MEDIUM | fs/file/times/set | change file last access and modification times | utime |
+MEDIUM | fs/permission/modify | modifies file permissions | chmod |
+MEDIUM | kernel/uname/get | system identification (uname) | uname |
+MEDIUM | net/download | download files | XDG_DOWNLOAD_DIR |
+MEDIUM | procfs/self/cmdline | gets the command-line associated to this process | /proc/self/cmdline |
+MEDIUM | shell/exec | executes shell | /bin/sh |
+LOW | encoding/base64 | supports base64 encoded strings | base64 |
+LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
+LOW | env/LANG | looks up language of current user | LANG getenv |
+LOW | env/TMPDIR | tMPDIR | TMPDIR getenv |
+LOW | env/USER | looks up the USER name of the current user | USER getenv |
+LOW | exec/program/background | wait for process to exit | waitpid |
+LOW | fs/directory/create | creates directories | mkdir |
+LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
+LOW | fs/file/delete | deletes files | unlink |
+LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
+LOW | fs/link/read | read value of a symbolic link | readlink |
+LOW | fs/tempdir | looks up location of temp directory | TMPDIR |
+LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
+LOW | kernel/hostname/get | gets the hostname of the machine | gethostname |
+LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
+LOW | net/socket/send | send a message to a socket | sendmsg |
+LOW | process/multithreaded | creates pthreads | pthread_create |
+LOW | process/parent_pid/get | gets parent process ID | getppid |
+LOW | process/userid/set | set real and effective user ID of current process | setuid |
+LOW | ref/path/dev/shm | path reference within /dev/shm (world writeable) | /dev/shm/journal |
+LOW | ref/path/etc | path reference within /etc | /etc/localtime /etc/os-release /etc/timezone |
+LOW | ref/path/var | path reference within /var | /var/db/zoneinfo |
+LOW | ref/site/url | contains embedded HTTP URLs | http://freedesktop.org http://www.freedesktop.org/standards/desktop-bookmarks http://www.freedesktop.org/standards/shared-mime-info |
+LOW | ref/words/password | references a 'password' | g_uri_get_password |
Added: glib/usr/lib/libgmodule-2.0.so.0.8000.1 [✅ LOW]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
+LOW | dylib/symbol/address | get the address of a symbol | dlsym |
Added: glib/usr/lib/libgirepository-2.0.so.0.8000.1 [✅ LOW]
RISK | KEY | DESCRIPTION | EVIDENCE |
---|---|---|---|
+LOW | ref/path/var | path reference within /var | /var/tmpH |
saw that bincapz is reporting an embedded private key, needs to be checked to removing original review
need to check the embedded private key report from bincapz
@rawlingsj is the "evidence" the literal "stub" prefix string without a key?

```
$ git grep 'PRIVATE KEY'
gio/gtlscertificate.c: * ("`BEGIN RSA PRIVATE KEY`") or unencrypted
gio/gtlscertificate.c: * ("`BEGIN PRIVATE KEY`"). PKCS \#8 format is supported since 2.32;
gio/gtlscertificate.c:#define PEM_PRIVKEY_HEADER_END "PRIVATE KEY-----"
gio/gtlscertificate.c:#define PEM_PRIVKEY_FOOTER_END "PRIVATE KEY-----"
gio/gtlscertificate.c:#define PEM_PKCS8_ENCRYPTED_HEADER "-----BEGIN ENCRYPTED PRIVATE KEY-----"
gio/tests/cert-tests/cert-key.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-key.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-list.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-list.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key-cert.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key-cert.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key-crlf.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key-crlf.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key8.pem:-----BEGIN PRIVATE KEY-----
gio/tests/cert-tests/key8.pem:-----END PRIVATE KEY-----
gio/tests/cert-tests/key8enc.pem:-----BEGIN ENCRYPTED PRIVATE KEY-----
gio/tests/cert-tests/key8enc.pem:-----END ENCRYPTED PRIVATE KEY-----
gio/tests/cert-tests/key_missing-footer.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key_missing-header.pem:-----END RSA PRIVATE KEY-----
```

Because the code has always had that. Or like has there been an update to bincapz? Or can we scan older glib tarballs and git repo with bincapz to locate the same evidence? glib has code to parse private keys... and yes it has a literal string for the "PRIVATE KEY" header.
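The triage described above, as an added example that is not part of glib, bincapz or this PR: a Python check that pulls printable strings from a binary and separates a bare `PRIVATE KEY-----` parser constant (the kind gtlscertificate.c compiles in) from a complete PEM block with a base64 body. The sample inputs are constructed, and the file paths taken on the command line are assumed to be extracted shared objects.

```python
"""Triage of a bincapz 'contains PRIVATE KEY directive' hit (added example,
not glib or bincapz code). It extracts printable strings from a binary and
separates a complete PEM private-key block (BEGIN header, valid base64 body,
matching END footer) from a bare header/footer constant such as the
PEM_PRIVKEY_HEADER_END string that gtlscertificate.c compiles in."""
import base64
import re
import sys

# Printable ASCII runs of 8+ bytes, roughly what strings(1) reports.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{8,}")
# Complete PEM block: header, body, and a footer whose label matches.
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\s*"
    rb"([A-Za-z0-9+/=\s]+?)\s*-----END \1-----"
)
DIRECTIVE = b"PRIVATE KEY-----"  # the evidence string bincapz reported


def classify(blob: bytes) -> dict:
    """Return {'blocks': [labels of real PEM keys], 'directives': [strings]}."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(blob):
        body = b"".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            continue  # header/footer around a non-base64 body is not a key
        blocks.append((m.group(1).decode(), m.start(), m.end()))
    directives = []
    for s in STRINGS_RE.finditer(blob):
        if DIRECTIVE not in s.group(0):
            continue
        if any(start <= s.start() < end for _, start, end in blocks):
            continue  # header/footer that belongs to a real block above
        directives.append(s.group(0).decode())
    return {"blocks": [b[0] for b in blocks], "directives": directives}


def verdict(blob: bytes) -> str:
    """'embedded key' outranks 'directive only'; 'clean' if neither appears."""
    found = classify(blob)
    if found["blocks"]:
        return "embedded key"
    return "directive only" if found["directives"] else "clean"


# Constructed sample: string constants like those gtlscertificate.c carries.
PARSER_CONSTANTS = (b"\x00PRIVATE KEY-----\x00-----BEGIN ENCRYPTED PRIVATE KEY-----"
                    b"\x00-----BEGIN CERTIFICATE-----\x00")
# Constructed sample: a full block whose body is fake base64, not a real key.
FAKE_BODY = base64.b64encode(b"constructed, not a real key")
EMBEDDED_KEY = (b"\x00-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_BODY[:20] + b"\n"
                + FAKE_BODY[20:] + b"\n-----END RSA PRIVATE KEY-----\n\x00")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # assumed: a libgio-2.0.so extracted from the apk
        with open(path, "rb") as f:
            print(path, verdict(f.read()))
```

Run against the old and new libgio-2.0.so: a "directive only" verdict on both is the expected result for this PR, and only "embedded key" would warrant holding the update.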
Thanks for looking and confirming @xnox
Agreed, this looks like expected behavior for glibc. The other reason for the false positive is that file rename detection didn't work, so it had no context to go against. Had the filenames stayed static, or the rename detection worked, the diff would have likely been zero. I've opened chainguard-dev/bincapz#206 to investigate why the rename heuristics didn't work in this case.