gosu vulnerabilities and usage of End-of-Life Version of GO

[jhawkins1]

In December there was an issue to move to newer version of gosu to address vulnerabilities, however, that move to newer gosu had minimal impact on CVE reduction.

gosu is being flagged by industry vulnerability scanners with GO vulnerabilities associated with the version of GO being used by gosu. (53 CVEs at the time of this issue) Also, security auditors flag gosu for using an EOL version of GO. Multiple issues have been logged to the gosu project over time by many dependent projects, or users of the software. The gosu maintainer refuses to update and his feedback is gosu itself is not vulnerable due to GO as gosu does not use the affected GO modules or execution paths, and he has no plans to update GO even though the version used is EOL. This leaves individuals or companies in a bad state due to vulnerability management requirements dictatating the clearance of CVEs in a timely fashion (whether potential False Positives or not) along with no usage of EOL software.

The Cassandra Docker Image is affected by the gosu issue. As to potential solutions, assuming the gosu maintainers continues the refusal position, would be Cassandra rebuild gosu with newer version of GO and include in the Image or replace gosu with alternate approach. Alternatively, the consumers of the Cassandra Image could create a derived Image and implement their alternatives on their own.

Thoughts on how to proceed? Is this something the project would address or adopt proposed PR fixes to this issue?

[yosifkit]

Basically every CVE scanner that I've seen uses inaccurate string matching and doesn't account for execution path. I.E., just because a binary uses a library, doesn't mean it uses the specific function in the library that has a defect.

Fortunately, the go project provides a tool that checks for those direct and indirect calls to help developers better focus their time instead of applying needless updates: govulncheck.

Running govulncheck in the most recent cassandra:latest image only shows one defect in gosu (which I will come back to). Any other CVEs given by other tools do not affect gosu since they are not in the execute path and,as far as I know, the defective functions are not even present in the binary. So they can all be ignored or VEXed away.

So, the one defect that does come up GO-2023-1840 (aka CVE-2023-29403) looks like it has mitigations already in place.

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits

1. the gosu binary in the cassandra image is not setuid or setgid
2. gosu also has specific code to prevent running under setuid or setgid: https://github.com/tianon/gosu/blob/b73cc93b6f5b5a045c397ff0f75190e33d853946/main.go#L53-L59

$ docker pull cassandra
Using default tag: latest
latest: Pulling from library/cassandra
31bd5f451a84: Pull complete
32b311b806c8: Pull complete
23f2664f4576: Pull complete
e028f15ee70b: Pull complete
66b307664f73: Pull complete
908bad5be6da: Pull complete
dbd0aba0896e: Pull complete
6d69b54fc45b: Pull complete
7ff89e14c6b6: Pull complete
b4e4e3cfa8e0: Pull complete
Digest: sha256:26d622115c340f0990e837a68d9159a411a4ae90017f4f786212e4732300ecaa
Status: Downloaded newer image for cassandra:latest
docker.io/library/cassandra:latest
$ docker run -it --rm cassandra bash
root@921d68994a65:/# apt update
...
Fetched 29.4 MB in 7s (4,366 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@921d68994a65:/# apt install golang --no-install-recommends
...
root@921d68994a65:/# go install golang.org/x/vuln/cmd/govulncheck@latest
...
root@921d68994a65:/# /root/go/bin/govulncheck --mode=binary /usr/local/bin/gosu
Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.2
    Fixed in: runtime@go1.19.10
    Example traces found:
      #1: runtime.Caller
      #2: runtime.CallersFrames
      #3: runtime.Frames.Next
      #4: runtime.Func.Entry
      #5: runtime.Func.Name
      #6: runtime.FuncForPC
      #7: runtime.GC
      #8: runtime.GOMAXPROCS
      #9: runtime.GOROOT
      #10: runtime.Gosched
      #11: runtime.LockOSThread
      #12: runtime.SetFinalizer
      #13: runtime.TypeAssertionError.Error
      #14: runtime.TypeAssertionError.RuntimeError
      #15: runtime.boundsError.Error
      #16: runtime.boundsError.RuntimeError
      #17: runtime.errorAddressString.Addr
      #18: runtime.errorAddressString.Error
      #19: runtime.errorAddressString.RuntimeError
      #20: runtime.errorString.Error
      #21: runtime.errorString.RuntimeError
      #22: runtime.lockRank.String
      #23: runtime.plainError.Error
      #24: runtime.plainError.RuntimeError
      #25: runtime.waitReason.String

Your code is affected by 1 vulnerability from the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
root@921d68994a65:/# ls -l /usr/local/bin/gosu
-rwxr-xr-x 1 root root 2355690 Dec 20  2022 /usr/local/bin/gosu
root@921d68994a65:/# stat /usr/local/bin/gosu
  File: /usr/local/bin/gosu
  Size: 2355690         Blocks: 4608       IO Block: 4096   regular file
Device: 100002h/1048578d        Inode: 141912      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-12-20 00:46:12.000000000 +0000
Modify: 2022-12-20 00:46:12.000000000 +0000
Change: 2024-02-03 00:20:10.106115573 +0000
 Birth: 2024-02-03 00:20:10.096115585 +0000

So, that's a long way of saying, "no, I don't see a need for us to rebuild gosu or seek an alternative for the cassandra images" (or in any image maintained in the docker-library namespace on GitHub).

[jhawkins1]

Thanks for the feedback, and I understand all that and agree. It comes down to folks having to spend time and effort justifying and providing evidence of false positives from industry scanners as part of vulnerability management programs to internal/external security auditors as to CVEs. That is normal practice, however, I would like to avoid doing that where possible. It comes down to spending effort on bureaucratic paperwork or effort spent to simply to get the maintainers to rebuild/maintain a component, I/we contribute changes or support to a project, or come up with alternative. If we have to keep justifying false positives due to the gosu project not wanting to perform what we consider a simple change, we will do that as I frankly don't want to spend effort forking away and maintaining a separate set of software from the mainstream projects. As to the usage of EOL version of GO, that cannot be justified -- not being accepted today -- to that the internal/external auditors say fix or replace the component. So, this comes down to convincing the projects to update/maintain or we have to fork away and maintain on our own in order to meet the requirements -- don't really want to fork.

[jumarko]

I came across this when searching for a fix for a critical CVE reported for golang stdlib: https://scout.docker.com/vulnerabilities/id/CVE-2024-24790
Docker scout reports gosu as the culprit, in our docker image.

It's unfortunate if there's not an up-to-date release of gosu that fixes this problem since it adds a great burden to maintainers of systems using gosu - by searching for the evidence, justifying and documenting exclusions.

I found this public note: https://github.com/tianon/gosu/blob/master/SECURITY.md

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu. For example, this includes any CVE in Go which applies to interfaces that gosu does not ever invoke, such as net/http, archive/tar, encoding/xml, etc.

That's good to know but hardly solves my problem.

Out of curiosity, I tried to follow the steps outlined in @yosifkit 's post: #276 (comment)
(inside our docker container)

apt install golang --no-install-recommends
...

go install golang.org/x/vuln/cmd/govulncheck@latest
...

/root/go/bin/govulncheck --mode=binary /usr/sbin/gosu
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.21.3
    Fixed in: net/http@go1.21.12
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.CloseIdleConnections
      #3: http.Client.Do
      #4: http.Client.Do
      #5: http.Client.Do
      Use '-show traces' to see the other 30 found symbols

Vulnerability #2: GO-2024-2888
    Mishandling of corrupt central directory record in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2024-2888
  Standard library
    Found in: archive/zip@go1.21.3
    Fixed in: archive/zip@go1.21.11
    Vulnerable symbols found:
      #1: zip.NewReader
      #2: zip.OpenReader

Vulnerability #3: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.21.3
    Fixed in: net/netip@go1.21.11
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      Use '-show traces' to see the other 1 found symbols

Vulnerability #4: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Standard library
    Found in: net/http@go1.21.3
    Fixed in: net/http@go1.21.9
    Vulnerable symbols found:
      #1: http.CanonicalHeaderKey
      #2: http.Client.CloseIdleConnections
      #3: http.Client.CloseIdleConnections
      #4: http.Client.Do
      #5: http.Client.Do
      Use '-show traces' to see the other 206 found symbols

Vulnerability #5: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in
    html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/template@go1.21.3
    Fixed in: html/template@go1.21.8
    Vulnerable symbols found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #6: GO-2024-2609
    Comments in display names are incorrectly handled in net/mail
  More info: https://pkg.go.dev/vuln/GO-2024-2609
  Standard library
    Found in: net/mail@go1.21.3
    Fixed in: net/mail@go1.21.8
    Vulnerable symbols found:
      #1: mail.Address.String
      #2: mail.AddressParser.Parse
      #3: mail.AddressParser.ParseList
      #4: mail.Header.AddressList
      #5: mail.ParseAddress
      Use '-show traces' to see the other 1 found symbols

Vulnerability #7: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
    net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/http@go1.21.3
    Fixed in: net/http@go1.21.8
    Vulnerable symbols found:
      #1: cookiejar.Jar.Cookies
      #2: cookiejar.Jar.SetCookies
      #3: http.Client.Do
      #4: http.Client.Do
      #5: http.Client.Do
      Use '-show traces' to see the other 24 found symbols

Vulnerability #8: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/textproto@go1.21.3
    Fixed in: net/textproto@go1.21.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadCodeLine
      #2: textproto.Reader.ReadContinuedLine
      #3: textproto.Reader.ReadContinuedLineBytes
      #4: textproto.Reader.ReadDotLines
      #5: textproto.Reader.ReadLine
      Use '-show traces' to see the other 3 found symbols

Vulnerability #9: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in
    crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/x509@go1.21.3
    Fixed in: crypto/x509@go1.21.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify

Vulnerability #10: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/internal@go1.21.3
    Fixed in: net/http/internal@go1.21.5
    Vulnerable symbols found:
      #1: internal.chunkedReader.Read

Vulnerability #11: GO-2023-2186
    Incorrect detection of reserved device names on Windows in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2186
  Standard library
    Found in: path/filepath@go1.21.3
    Fixed in: path/filepath@go1.21.4
    Vulnerable symbols found:
      #1: filepath.IsLocal

Your code is affected by 11 vulnerabilities from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.

If gosu doesn't use interfaces like net/http which all these CVEs are reported here?

[tianon]

I'm not able to reproduce your result (I get the same as yosifkit did) -- can you please elaborate on a better reproducer?

$ docker run -it --rm --pull=always cassandra bash
latest: Pulling from library/cassandra
Digest: sha256:9194f97b286a47a537281e8ca5e1e2d90686624d28264f669bd87799c58a3e67
Status: Image is up to date for cassandra:latest
root@c81003a7f5ae:/# apt update -qq
1 package can be upgraded. Run 'apt list --upgradable' to see it.
root@c81003a7f5ae:/# apt install -yqq --no-install-recommends golang-1.21-go # "golang-go" gives us 1.18 which isn't new enough for govulncheck
The following additional packages will be installed:
  golang-1.21-src
Suggested packages:
  bzr | brz git mercurial subversion
Recommended packages:
  g++ gcc libc6-dev pkg-config
The following NEW packages will be installed:
  golang-1.21-go golang-1.21-src
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 44.5 MB of archives.
After this operation, 219 MB of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package golang-1.21-src.
(Reading database ... 8687 files and directories currently installed.)
Preparing to unpack .../golang-1.21-src_1.21.1-1~ubuntu22.04.2_all.deb ...
Unpacking golang-1.21-src (1.21.1-1~ubuntu22.04.2) ...
Selecting previously unselected package golang-1.21-go.
Preparing to unpack .../golang-1.21-go_1.21.1-1~ubuntu22.04.2_amd64.deb ...
Unpacking golang-1.21-go (1.21.1-1~ubuntu22.04.2) ...
Setting up golang-1.21-src (1.21.1-1~ubuntu22.04.2) ...
Setting up golang-1.21-go (1.21.1-1~ubuntu22.04.2) ...
root@c81003a7f5ae:/# /usr/lib/go-1.21/bin/go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.1.2
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/tools v0.22.0
go: downloading golang.org/x/mod v0.18.0
go: downloading golang.org/x/sync v0.7.0
root@c81003a7f5ae:/# /root/go/bin/govulncheck -mode=binary /usr/local/bin/gosu
=== Symbol Results ===

Vulnerability #1: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.2
    Fixed in: runtime@go1.19.10
    Vulnerable symbols found:
      #1: runtime.Caller
      #2: runtime.CallersFrames
      #3: runtime.Frames.Next
      #4: runtime.Func.Entry
      #5: runtime.Func.Name
      Use '-show traces' to see the other 20 found symbols

Your code is affected by 1 vulnerability from the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 41
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

[jumarko]

@tianon sorry, this is problably a wrong place for my report I just found this when searching for gosu vulnerabilities.

Anyway, here's how you can reproduce it using public ubuntu:noble image (this has nothing to do with Cassandra).

docker run ubuntu:noble -it /bin/bash

# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)

apt install golang --no-install-recommends
apt install ca-certificates
go install golang.org/x/vuln/cmd/govulncheck@latest
...
root@51cff351304d:/# /root/go/bin/govulncheck --mode=binary /usr/sbin/gosu
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.21.3
    Fixed in: net/http@go1.21.12
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.CloseIdleConnections
      #3: http.Client.Do
      #4: http.Client.Do
      #5: http.Client.Do
      Use '-show traces' to see the other 30 found symbols
... many more ...

If, after installing gosu, I export the docker image of the current version of the container and run docker scout on it, then it reports the vulnerabilities I'm concerned about

# commit and scan the new image
docker commit 51cff351304d ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
    ✗ Detected 1 vulnerable package with 3 vulnerabilities
## Packages and Vulnerabilities

   1C     2H     0M     0L  stdlib 1.21.3
pkg:golang/stdlib@1.21.3

6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca
/usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version  : 1.21.12

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version  : 1.21.4

[yosifkit]

$ docker run ubuntu:noble -it /bin/bash
# inside the container
$ apt update && apt install gosu
$ gosu --version
1.17 (go1.21.3 on linux/arm64; gc)

@jumarko, that looks like something to bring up with Canonical since they are the ones controlling the packaging and version of Go that is building that gosu.

[jumarko]

@yosifkit thanks for the tip - I reported it here https://bugs.launchpad.net/cloud-images/+bug/2072883 (private).

[j5awry]

I'll open up the cloud-images bug. there is no need for it to be private as the CVE is already disclosed and fixed in multiple golang versions. i'll also work on directing things to the correct locations -- it's not a Docker or cloud-images bug

[nathanlaceyraft]

I opened a PR in wirmock for this problem
https://github.com/wiremock/wiremock-docker/pull/129/files
Basically gosu just needs to be build with current golang compiler image