glib/2.80.1 package update #18752
Merged
glib/2.80.1 package update #18752
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![octo-sts[bot]](https://avatars.githubusercontent.com/in/801323?s=60&v=4){kind=small}
Contributor
octo-sts
bot
commented
May 7, 2024
octo-sts
bot
commented
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
octo-sts
bot
added
request-version-update
Package glib-dev: Click to expand/collapsePackage glib-dev: Package glib-lang: Click to expand/collapsePackage glib-lang: Package glib: Click to expand/collapsePackage glib: Package glib-static: Click to expand/collapsePackage glib-static: bincapz found differences: Click to expand/collapseDeleted: glib/usr/lib/libgio-2.0.so.0.8000.0 [
|
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | data/embedded/pem/private_key | contains PRIVATE KEY directive | PRIVATE KEY----- |
| -MEDIUM | exec/program | execute external program | subprocess.c |
| -MEDIUM | fs/mounts/read | parses active mounts (/etc/fstab, /etc/mtab) | /etc/mtab |
| -MEDIUM | kernel/dev/loopback | access virtual block devices (loopback) | /dev/loop |
| -MEDIUM | net/download | download files | folder-download-symbolic |
| -MEDIUM | net/ip/parse | parses IP address (IPv4 or IPv6) | inet_addr |
| -MEDIUM | net/ip/string | converts IP address from byte to string | inet_ntop |
| -MEDIUM | net/socks5 | supports SOCK5 proxies | CONNECT %s SOCKSv5 socks5 |
| -MEDIUM | procfs/mounts | parses active mounts (/proc/mounts | /proc/mounts |
| -MEDIUM | procfs/self/mountinfo | gets mountinfo associated to this process | /proc/self/mountinfo |
| -MEDIUM | ref/path/dev | path reference within /dev | /dev/acdI9 /dev/cdrI9 /dev/cdrom /dev/diskette/ /dev/fd /dev/floI9 /dev/floppy /dev/loop /dev/rooH /dev/root /dev/vn |
| -MEDIUM | ref/path/var/log | path reference within /var/log | /var/log/audit |
| -MEDIUM | ref/words/intercept | references interception | intercept_handle_method_call |
| -MEDIUM | secrets/ssh | accesses SSH configuration and/or keys | fuse.sshfs |
| -MEDIUM | security_controls/linux/selinux | selinux | SELINUX |
| -LOW | compression/gzip | works with gzip files | gzip |
| -LOW | data/embedded/pem/certificate | contains embedded PEM certificate | -----BEGIN CERTIFICATE----- |
| -LOW | encoding/base64 | supports base64 encoded strings | base64 |
| -LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
| -LOW | env/USER | looks up the USER name of the current user | USER getenv |
| -LOW | fs/directory/create | creates directories | mkdir |
| -LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
| -LOW | fs/file/delete | deletes files | unlink |
| -LOW | fs/file/times/set | change file timestamps with nanosecond precision | utimensat |
| -LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
| -LOW | fs/link/read | read value of a symbolic link | readlink |
| -LOW | fs/loopback | uses loopback pseudo-device files | /dev/loop |
| -LOW | fs/mount | mounts file systems | _mount |
| -LOW | fs/permission/chown | may change file ownership | fchown |
| -LOW | fs/permission/modify | modifies file permissions | fchmod |
| -LOW | fs/unmount | unmount file system | umount |
| -LOW | fs/watch | monitors filesystem events | inotify |
| -LOW | hash/sha1 | uses the SHA1 signature format | SHA1_ |
| -LOW | kernel/netlink | communicate with kernel services | netlink |
| -LOW | net/dns/txt | uses DNS TXT (text) records | TXT dns |
| -LOW | net/hostport/parse | network address and service translation | freeaddrinfo getaddrinfo |
| -LOW | net/http/request | makes HTTP requests | HTTP/1. User-Agent open-uri |
| -LOW | net/http_proxy | able to use an HTTP proxy that requires authentication | Proxy-Authorization |
| -LOW | net/interface/get | get network interfaces by name or index | if_nametoindex |
| -LOW | net/ip/multicast/send | send data to multiple nodes simultaneously | multicast |
| -LOW | net/ip/send/unicast | send data to the internet | unicast |
| -LOW | net/socket/listen | listen on a socket | accept listen socket |
| -LOW | net/socket/local/address | get local address of connected socket | getsockname |
| -LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
| -LOW | net/socket/receive | receive a message from a socket | recvmsg |
| -LOW | net/socket/send | send a message to a socket | sendmmsg sendmsg |
| -LOW | ref/path/etc | path reference within /etc | /etc/glib- /etc/machine-id /etc/mtab /etc/resolv.conf |
| -LOW | ref/path/etc/resolv.conf | accesses DNS resolver configuration | /etc/resolv.conf |
| -LOW | ref/path/usr/bin | path reference within /usr/bin | /usr/bin/snapctl |
| -LOW | ref/path/var | path reference within /var | /var/crash /var/lib/dbus/machine-id /var/local /var/log/audit /var/mail /var/run /var/tmp |
| -LOW | ref/site/url | contains embedded HTTP URLs | http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd http://www.freedesktop.org/standards/shared-mime-info |
| -LOW | ref/words/password | references a 'password' | GAskPasswordFlags GPasswordSave GTlsPasswordFlags GTlsPassword_private_offset Username or password is too long for address_get_password ask-password bad-certificate-password from_file_with_password g_ask_password_flags_get_type g_password_save_get_type g_tls_password_finalize g_tls_password_flags_get_type g_tls_password_get_description g_tls_password_get_flags g_tls_password_get_property g_tls_password_get_type_once g_tls_password_get_value g_tls_password_get_warning g_tls_password_init g_tls_password_new g_tls_password_parent_class g_tls_password_real_get_value g_tls_password_real_set_value g_tls_password_set_description g_tls_password_set_flags g_tls_password_set_property g_tls_password_set_value_full g_tls_password_set_warning gtlspassword interaction_ask_password_async interaction_ask_password_finish need-password on_ask_password_complete on_invoke_ask_password_async_as_sync on_invoke_ask_password_sync operation_get_password_save operation_set_password_save password-save username or password |
| -LOW | secrets/private_key | references private keys | private_key |
Deleted: glib/usr/lib/libglib-2.0.so.0.8000.0 [⚠️ MEDIUM]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | exec/program | executes external programs | execvp |
| -MEDIUM | fs/file/times/set | change file last access and modification times | utime |
| -MEDIUM | fs/permission/modify | modifies file permissions | chmod |
| -MEDIUM | kernel/uname/get | system identification (uname) | uname |
| -MEDIUM | net/download | download files | XDG_DOWNLOAD_DIR |
| -MEDIUM | procfs/self/cmdline | gets the command-line associated to this process | /proc/self/cmdline |
| -MEDIUM | shell/exec | executes shell | /bin/sh |
| -LOW | encoding/base64 | supports base64 encoded strings | base64 |
| -LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
| -LOW | env/LANG | looks up language of current user | LANG getenv |
| -LOW | env/TMPDIR | tMPDIR | TMPDIR getenv |
| -LOW | env/USER | looks up the USER name of the current user | USER getenv |
| -LOW | exec/program/background | wait for process to exit | waitpid |
| -LOW | fs/directory/create | creates directories | mkdir |
| -LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
| -LOW | fs/file/delete | deletes files | unlink |
| -LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
| -LOW | fs/link/read | read value of a symbolic link | readlink |
| -LOW | fs/tempdir | looks up location of temp directory | TMPDIR |
| -LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
| -LOW | kernel/hostname/get | gets the hostname of the machine | gethostname |
| -LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
| -LOW | net/socket/send | send a message to a socket | sendmsg |
| -LOW | process/multithreaded | creates pthreads | pthread_create |
| -LOW | process/parent_pid/get | gets parent process ID | getppid |
| -LOW | process/userid/set | set real and effective user ID of current process | setuid |
| -LOW | ref/path/dev/shm | path reference within /dev/shm (world writeable) | /dev/shm/journal |
| -LOW | ref/path/etc | path reference within /etc | /etc/localtime /etc/os-release /etc/timezone |
| -LOW | ref/path/var | path reference within /var | /var/db/zoneinfo |
| -LOW | ref/site/url | contains embedded HTTP URLs | http://freedesktop.org http://www.freedesktop.org/standards/desktop-bookmarks http://www.freedesktop.org/standards/shared-mime-info |
| -LOW | ref/words/password | references a 'password' | g_uri_get_password |
Deleted: glib/usr/lib/libgobject-2.0.so.0.8000.0 [⚠️ MEDIUM]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | net/http/post | able to submit content via HTTP POST | POST http |
| -LOW | ref/site/url | contains embedded HTTPS URLs | https://gitlab.gnome.org/GNOME/glib/issues/new |
Deleted: glib/usr/lib/libgirepository-2.0.so.0.8000.0 [✅ LOW]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -LOW | ref/path/var | path reference within /var | /var/tmpH |
Deleted: glib/usr/lib/libgmodule-2.0.so.0.8000.0 [✅ LOW]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -LOW | dylib/symbol/address | get the address of a symbol | dlsym |
Added: glib/usr/lib/libgio-2.0.so.0.8000.1 [⚠️ MEDIUM]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | data/embedded/pem/private_key | contains PRIVATE KEY directive | PRIVATE KEY----- |
| +MEDIUM | exec/program | execute external program | subprocess.c |
| +MEDIUM | fs/mounts/read | parses active mounts (/etc/fstab, /etc/mtab) | /etc/mtab |
| +MEDIUM | kernel/dev/loopback | access virtual block devices (loopback) | /dev/loop |
| +MEDIUM | net/download | download files | folder-download-symbolic |
| +MEDIUM | net/ip/parse | parses IP address (IPv4 or IPv6) | inet_addr |
| +MEDIUM | net/ip/string | converts IP address from byte to string | inet_ntop |
| +MEDIUM | net/socks5 | supports SOCK5 proxies | CONNECT %s SOCKSv5 socks5 |
| +MEDIUM | procfs/mounts | parses active mounts (/proc/mounts | /proc/mounts |
| +MEDIUM | procfs/self/mountinfo | gets mountinfo associated to this process | /proc/self/mountinfo |
| +MEDIUM | ref/path/dev | path reference within /dev | /dev/acdI9 /dev/cdrI9 /dev/cdrom /dev/diskette/ /dev/fd /dev/floI9 /dev/floppy /dev/loop /dev/rooH /dev/root /dev/vn |
| +MEDIUM | ref/path/var/log | path reference within /var/log | /var/log/audit |
| +MEDIUM | ref/words/intercept | references interception | intercept_handle_method_call |
| +MEDIUM | secrets/ssh | accesses SSH configuration and/or keys | fuse.sshfs |
| +MEDIUM | security_controls/linux/selinux | selinux | SELINUX |
| +LOW | compression/gzip | works with gzip files | gzip |
| +LOW | data/embedded/pem/certificate | contains embedded PEM certificate | -----BEGIN CERTIFICATE----- |
| +LOW | encoding/base64 | supports base64 encoded strings | base64 |
| +LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
| +LOW | env/USER | looks up the USER name of the current user | USER getenv |
| +LOW | fs/directory/create | creates directories | mkdir |
| +LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
| +LOW | fs/file/delete | deletes files | unlink |
| +LOW | fs/file/times/set | change file timestamps with nanosecond precision | utimensat |
| +LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
| +LOW | fs/link/read | read value of a symbolic link | readlink |
| +LOW | fs/loopback | uses loopback pseudo-device files | /dev/loop |
| +LOW | fs/mount | mounts file systems | _mount |
| +LOW | fs/permission/chown | may change file ownership | fchown |
| +LOW | fs/permission/modify | modifies file permissions | fchmod |
| +LOW | fs/unmount | unmount file system | umount |
| +LOW | fs/watch | monitors filesystem events | inotify |
| +LOW | hash/sha1 | uses the SHA1 signature format | SHA1_ |
| +LOW | kernel/netlink | communicate with kernel services | netlink |
| +LOW | net/dns/txt | uses DNS TXT (text) records | TXT dns |
| +LOW | net/hostport/parse | network address and service translation | freeaddrinfo getaddrinfo |
| +LOW | net/http/request | makes HTTP requests | HTTP/1. User-Agent open-uri |
| +LOW | net/http_proxy | able to use an HTTP proxy that requires authentication | Proxy-Authorization |
| +LOW | net/interface/get | get network interfaces by name or index | if_nametoindex |
| +LOW | net/ip/multicast/send | send data to multiple nodes simultaneously | multicast |
| +LOW | net/ip/send/unicast | send data to the internet | unicast |
| +LOW | net/socket/listen | listen on a socket | accept listen socket |
| +LOW | net/socket/local/address | get local address of connected socket | getsockname |
| +LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
| +LOW | net/socket/receive | receive a message from a socket | recvmsg |
| +LOW | net/socket/send | send a message to a socket | sendmmsg sendmsg |
| +LOW | ref/path/etc | path reference within /etc | /etc/glib- /etc/machine-id /etc/mtab /etc/resolv.conf |
| +LOW | ref/path/etc/resolv.conf | accesses DNS resolver configuration | /etc/resolv.conf |
| +LOW | ref/path/usr/bin | path reference within /usr/bin | /usr/bin/snapctl |
| +LOW | ref/path/var | path reference within /var | /var/crash /var/lib/dbus/machine-id /var/local /var/log/audit /var/mail /var/run /var/tmp |
| +LOW | ref/site/url | contains embedded HTTP URLs | http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd http://www.freedesktop.org/standards/shared-mime-info |
| +LOW | ref/words/password | references a 'password' | GAskPasswordFlags GPasswordSave GTlsPasswordFlags GTlsPassword_private_offset Username or password is too long for address_get_password ask-password bad-certificate-password from_file_with_password g_ask_password_flags_get_type g_password_save_get_type g_tls_password_finalize g_tls_password_flags_get_type g_tls_password_get_description g_tls_password_get_flags g_tls_password_get_property g_tls_password_get_type_once g_tls_password_get_value g_tls_password_get_warning g_tls_password_init g_tls_password_new g_tls_password_parent_class g_tls_password_real_get_value g_tls_password_real_set_value g_tls_password_set_description g_tls_password_set_flags g_tls_password_set_property g_tls_password_set_value_full g_tls_password_set_warning gtlspassword interaction_ask_password_async interaction_ask_password_finish need-password on_ask_password_complete on_invoke_ask_password_async_as_sync on_invoke_ask_password_sync operation_get_password_save operation_set_password_save password-save username or password |
| +LOW | secrets/private_key | references private keys | private_key |
Added: glib/usr/lib/libgobject-2.0.so.0.8000.1 [⚠️ MEDIUM]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | net/http/post | able to submit content via HTTP POST | POST http |
| +LOW | ref/site/url | contains embedded HTTPS URLs | https://gitlab.gnome.org/GNOME/glib/issues/new |
Added: glib/usr/lib/libglib-2.0.so.0.8000.1 [⚠️ MEDIUM]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | exec/program | executes external programs | execvp |
| +MEDIUM | fs/file/times/set | change file last access and modification times | utime |
| +MEDIUM | fs/permission/modify | modifies file permissions | chmod |
| +MEDIUM | kernel/uname/get | system identification (uname) | uname |
| +MEDIUM | net/download | download files | XDG_DOWNLOAD_DIR |
| +MEDIUM | procfs/self/cmdline | gets the command-line associated to this process | /proc/self/cmdline |
| +MEDIUM | shell/exec | executes shell | /bin/sh |
| +LOW | encoding/base64 | supports base64 encoded strings | base64 |
| +LOW | env/HOME | looks up the HOME directory for the current user | HOME getenv |
| +LOW | env/LANG | looks up language of current user | LANG getenv |
| +LOW | env/TMPDIR | tMPDIR | TMPDIR getenv |
| +LOW | env/USER | looks up the USER name of the current user | USER getenv |
| +LOW | exec/program/background | wait for process to exit | waitpid |
| +LOW | fs/directory/create | creates directories | mkdir |
| +LOW | fs/directory/remove | uses libc functions to remove directories | rmdir |
| +LOW | fs/file/delete | deletes files | unlink |
| +LOW | fs/file/truncate | truncate a file to a specified length | ftruncate64 |
| +LOW | fs/link/read | read value of a symbolic link | readlink |
| +LOW | fs/tempdir | looks up location of temp directory | TMPDIR |
| +LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
| +LOW | kernel/hostname/get | gets the hostname of the machine | gethostname |
| +LOW | net/socket/peer/address | get peer address of connected socket | getpeername |
| +LOW | net/socket/send | send a message to a socket | sendmsg |
| +LOW | process/multithreaded | creates pthreads | pthread_create |
| +LOW | process/parent_pid/get | gets parent process ID | getppid |
| +LOW | process/userid/set | set real and effective user ID of current process | setuid |
| +LOW | ref/path/dev/shm | path reference within /dev/shm (world writeable) | /dev/shm/journal |
| +LOW | ref/path/etc | path reference within /etc | /etc/localtime /etc/os-release /etc/timezone |
| +LOW | ref/path/var | path reference within /var | /var/db/zoneinfo |
| +LOW | ref/site/url | contains embedded HTTP URLs | http://freedesktop.org http://www.freedesktop.org/standards/desktop-bookmarks http://www.freedesktop.org/standards/shared-mime-info |
| +LOW | ref/words/password | references a 'password' | g_uri_get_password |
Added: glib/usr/lib/libgmodule-2.0.so.0.8000.1 [✅ LOW]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +LOW | dylib/symbol/address | get the address of a symbol | dlsym |
Added: glib/usr/lib/libgirepository-2.0.so.0.8000.1 [✅ LOW]
| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +LOW | ref/path/var | path reference within /var | /var/tmpH |
rawlingsj
previously approved these changes
May 7, 2024
rawlingsj
dismissed
their stale review
saw that bincapz is reporting an embedded private key, needs to be checked to removing original review
rawlingsj
requested changes
May 7, 2024
|
@rawlingsj is the "evidence" the literal "stub" prefix string without a key? $ git grep 'PRIVATE KEY'
gio/gtlscertificate.c: * ("`BEGIN RSA PRIVATE KEY`") or unencrypted
gio/gtlscertificate.c: * ("`BEGIN PRIVATE KEY`"). PKCS \#8 format is supported since 2.32;
gio/gtlscertificate.c:#define PEM_PRIVKEY_HEADER_END "PRIVATE KEY-----"
gio/gtlscertificate.c:#define PEM_PRIVKEY_FOOTER_END "PRIVATE KEY-----"
gio/gtlscertificate.c:#define PEM_PKCS8_ENCRYPTED_HEADER "-----BEGIN ENCRYPTED PRIVATE KEY-----"
gio/tests/cert-tests/cert-key.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-key.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-list.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/cert-list.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key-cert.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key-cert.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key-crlf.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key-crlf.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key.pem:-----END RSA PRIVATE KEY-----
gio/tests/cert-tests/key8.pem:-----BEGIN PRIVATE KEY-----
gio/tests/cert-tests/key8.pem:-----END PRIVATE KEY-----
gio/tests/cert-tests/key8enc.pem:-----BEGIN ENCRYPTED PRIVATE KEY-----
gio/tests/cert-tests/key8enc.pem:-----END ENCRYPTED PRIVATE KEY-----
gio/tests/cert-tests/key_missing-footer.pem:-----BEGIN RSA PRIVATE KEY-----
gio/tests/cert-tests/key_missing-header.pem:-----END RSA PRIVATE KEY-----Because the code has always had that. Or like has there been an update to bincapz? Or can we scan older glib tarballs and git repo with bincapz to locate the same evidence? glib has code to parse private keys... and yes it has a literal string for the "PRIVATE KEY" header. |
|
Thanks for looking and confirming @xnox |
rawlingsj
approved these changes
May 8, 2024
|
Agreed, this looks like expected behavior for glibc. The other reason for the false positive is that file rename detection didn't work, so it had no context to go against. Had the filenames stayed static, or the rename detection worked, the diff would have likely been zero. I've opened chainguard-dev/bincapz#206 to investigate why the rename heuristics didn't work in this case. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.