Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trivy scan reports HIGH vulnerability in buildah binary (v1.28.2) #4529

Closed
SaurabhAhuja1983 opened this issue Jan 18, 2023 · 3 comments
Closed

Trivy scan reports HIGH vulnerability in buildah binary (v1.28.2) #4529

SaurabhAhuja1983 opened this issue Jan 18, 2023 · 3 comments
Labels
locked - please file new issue/PR

Comments

@SaurabhAhuja1983
Copy link

Description

Steps to reproduce the issue:

  1. Checkout latest buildah code v1.28.2 and build binary
  2. Run Trivy scanner for vulnerabilities (https://github.com/aquasecurity/trivy)
  3. buildah should update golang.org/x/text module to 0.3.8 that has the fix

Describe the results you received:
{
"Target": "usr/local/bin/buildah",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-32149",
"PkgName": "golang.org/x/text",
"InstalledVersion": "v0.3.7",
"FixedVersion": "0.3.8",
"Layer": {
"DiffID": "sha256:7ff9a979ef4abd9a5d4bdc6e339afea0a3289c15587181d6ae97c9507ca0ea3c"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-32149",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags",
"Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
"Severity": "HIGH",
"CweIDs": [
"CWE-772"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-32149",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32149",
"https://github.com/advisories/GHSA-69ch-w2m2-3vjp",
"https://github.com/golang/go/issues/56152",
"https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c",
"https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c (v0.3.8)",
"https://go.dev/cl/442235",
"https://go.dev/issue/56152",
"https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ",
"https://groups.google.com/g/golang-dev/c/qfPIly0X7aU",
"https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
"https://pkg.go.dev/vuln/GO-2022-1059"
],
"PublishedDate": "2022-10-14T15:15:00Z",
"LastModifiedDate": "2022-10-18T17:41:00Z"
}
]
},

Describe the results you expected:
No vuln's should be reported.

Output of rpm -q buildah or apt list buildah:

(paste your output here)

Output of buildah version:

buildah version
Version:         1.28.2
Go Version:      go1.19.4
Image Spec:      1.0.2-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.23.0
Git Commit:      6a35b0a
Built:           Tue Jan 17 15:28:36 2023
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

(paste your output here)

Output of cat /etc/*release:

cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Output of uname -a:

uname -a
Linux agent-5758bf767c-xv4ws 5.15.70-flatcar #1 SMP Thu Oct 27 12:53:14 -00 2022 x86_64 x86_64 x86_64 GNU/Linux```

**Output of `cat /etc/containers/storage.conf`:**

(paste your output here)
@rhatdan
Copy link
Member

rhatdan commented Jan 18, 2023

I see buildah in main using:

golang.org/x/text v0.6.0 // indirect

@rhatdan
Copy link
Member

rhatdan commented Jan 18, 2023

git diff origin
buildah (VENDOR) $ ./bin/buildah -v
buildah version 1.29.0-dev (image-spec 1.0.2-dev, runtime-spec 1.0.2-dev)

@flouthoc
Copy link
Collaborator

flouthoc commented Feb 6, 2023

This seems to be fixed in main , @SaurabhAhuja1983 I am closing this issue but please comment below if you think this needs to be backported to olderversions. ( Closing this issue but please feel free to re-open ) cc @containers/buildah-maintainers

@flouthoc flouthoc closed this as completed Feb 6, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 29, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rhatdan @flouthoc @SaurabhAhuja1983