
CVE-2015-4042 #429

Closed
tooptoop4 opened this issue Jul 13, 2022 · 7 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@tooptoop4
In an Aqua security scan on golang:1.18.3-bullseye, it says Installed Resource: coreutils 1.8 is affected by this CVE.

It says this is the command bringing it in:

```sh
/bin/sh -c set -eux;
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}";
    url=;
    case "$arch" in
        'amd64')
            url='https://dl.google.com/go/go1.18.3.linux-amd64.tar.gz';
            sha256='956f8507b302ab0bb747613695cdae10af99bbd39a90cae522b7c0302cc27245';
            ;;
        'armel')
            export GOARCH='arm' GOARM='5' GOOS='linux';
            ;;
        'armhf')
            url='https://dl.google.com/go/go1.18.3.linux-armv6l.tar.gz';
            sha256='b8f0b5db24114388d5dcba7ca0698510ea05228b0402fcbeb0881f74ae9cb83b';
            ;;
        'arm64')
            url='https://dl.google.com/go/go1.18.3.linux-arm64.tar.gz';
            sha256='beacbe1441bee4d7978b900136d1d6a71d150f0a9bb77e9d50c822065623a35a';
            ;;
        'i386')
            url='https://dl.google.com/go/go1.18.3.linux-386.tar.gz';
            sha256='72b73da021397a3a1ce182c19d2a890a5346bfe80885d9dd7d1ff04ce6597938';
            ;;
        'mips64el')
            export GOARCH='mips64le' GOOS='linux';
            ;;
        'ppc64el')
            url='https://dl.google.com/go/go1.18.3.linux-ppc64le.tar.gz';
            sha256='5d42bd252e7af9f854df92e46bb2e88be7b2fb310cc937c0fe091afd8c4f2016';
            ;;
        's390x')
            url='https://dl.google.com/go/go1.18.3.linux-s390x.tar.gz';
            sha256='ebb4efddec5bbd22bdd9c87137cb3dd59e874b5dfcf93d00bef351c60d2c7401';
            ;;
        *) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;;
    esac;
    build=;
    if [ -z "$url" ]; then
        build=1;
        url='https://dl.google.com/go/go1.18.3.src.tar.gz';
        sha256='0012386ddcbb5f3350e407c679923811dbd283fcdc421724931614a842ecbc2d';
        echo >&2;
        echo >&2 "warning: current architecture ($arch) does not have a compatible Go binary release; will be building from source";
        echo >&2;
    fi;

    wget -O go.tgz.asc "$url.asc";
    wget -O go.tgz "$url" --progress=dot:giga;
    echo "$sha256 *go.tgz" | sha256sum -c -;

    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME;
    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796';
    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13';
    gpg --batch --verify go.tgz.asc go.tgz;
    gpgconf --kill all;
    rm -rf "$GNUPGHOME" go.tgz.asc;

    tar -C /usr/local -xzf go.tgz;
    rm go.tgz;

    if [ -n "$build" ]; then
        savedAptMark="$(apt-mark showmanual)";
        apt-get update;
        apt-get install -y --no-install-recommends golang-go;

        export GOCACHE='/tmp/gocache';

        (
            cd /usr/local/go/src;
            export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH";
            ./make.bash;
        );

        apt-mark auto '.*' > /dev/null;
        apt-mark manual $savedAptMark > /dev/null;
        apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false;
        rm -rf /var/lib/apt/lists/*;

        rm -rf /usr/local/go/pkg/*/cmd /usr/local/go/pkg/bootstrap /usr/local/go/pkg/obj /usr/local/go/pkg/tool/*/api /usr/local/go/pkg/tool/*/go_bootstrap /usr/local/go/src/cmd/dist/dist "$GOCACHE";
    fi;

    go version
```
wglambert added the label "question" (Usability question, not directly related to an error with the image) on Jul 13, 2022
@wglambert
https://security-tracker.debian.org/tracker/CVE-2015-4042

Fixed version: 8.32-4
coreutils (Debian does not apply coreutils-i18n.patch)

The coreutils version in the latest golang:1.18 image is 8.32-4+b1 which doesn't have the vulnerability

```console
$ docker run -it --rm golang:1.18 bash
Unable to find image 'golang:1.18' locally
1.18: Pulling from library/golang
d836772a1c1f: Pull complete
66a9e63c657a: Pull complete
d1989b6e74cf: Pull complete
c28818711e1e: Pull complete
9d6246ba248c: Pull complete
59e23c1b5fe8: Pull complete
4adeeae69874: Pull complete
Digest: sha256:9349ed889adb906efa5ebc06485fe1b6a12fb265a01c9266a137bb1352565560
Status: Downloaded newer image for golang:1.18
root@582a3578a6ff:/go# apt list --installed | grep -i coreutils

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

coreutils/now 8.32-4+b1 amd64 [installed,local]
```

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
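The check wglambert does by hand above (compare what dpkg has installed with the tracker's "Fixed version") is easy to get wrong with a naive string or float comparison, which is presumably how a scanner ends up reading "8.32-4+b1" as something like "1.8". Below is an added example, not code from this issue, from docker-library or from dpkg: a Go port of dpkg's version ordering as documented in deb-version(7), applied to the versions quoted in the thread. The values "8.30-3" in `main` is constructed for illustration; the function and type names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// at returns s[i], or 0 past the end (the C implementation's terminating NUL).
func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// order is dpkg's collation weight for one byte of a non-digit run:
// '~' sorts before everything, even end of string; letters by ASCII;
// any other character after all letters.
func order(c byte) int {
	switch {
	case c == 0 || isDigit(c):
		return 0
	case c == '~':
		return -1
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	default:
		return int(c) + 256
	}
}

// verrevcmp compares two fragments (upstream part or Debian revision) by
// alternating non-digit runs and numeric runs, exactly as dpkg does.
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(at(a, i)) - order(at(b, j)); d != 0 {
				return d
			}
			i++
			j++
		}
		for i < len(a) && a[i] == '0' {
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i++
			j++
		}
		if i < len(a) && isDigit(a[i]) {
			return 1 // a has more digits left, so its number is larger
		}
		if j < len(b) && isDigit(b[j]) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// parse splits "[epoch:]upstream[-revision]": epoch before the first ':',
// revision after the last '-'. A missing revision is the empty string.
func parse(v string) (epoch int, upstream, revision string, err error) {
	if i := strings.IndexByte(v, ':'); i >= 0 {
		if epoch, err = strconv.Atoi(v[:i]); err != nil || epoch < 0 {
			return 0, "", "", fmt.Errorf("bad epoch in %q", v)
		}
		v = v[i+1:]
	}
	if i := strings.LastIndexByte(v, '-'); i >= 0 {
		upstream, revision = v[:i], v[i+1:]
	} else {
		upstream = v
	}
	if upstream == "" {
		return 0, "", "", fmt.Errorf("empty upstream version in %q", v)
	}
	return epoch, upstream, revision, nil
}

func sign(x int) int {
	switch {
	case x < 0:
		return -1
	case x > 0:
		return 1
	}
	return 0
}

// CompareDebVersions returns -1, 0 or 1 as a is older than, equal to, or
// newer than b in dpkg's ordering (epoch, then upstream, then revision).
func CompareDebVersions(a, b string) (int, error) {
	ea, ua, ra, err := parse(a)
	if err != nil {
		return 0, err
	}
	eb, ub, rb, err := parse(b)
	if err != nil {
		return 0, err
	}
	if ea != eb {
		return sign(ea - eb), nil
	}
	if c := verrevcmp(ua, ub); c != 0 {
		return sign(c), nil
	}
	return sign(verrevcmp(ra, rb)), nil
}

// FixedInInstalled reports whether the installed version is at or past the
// tracker's "Fixed version", i.e. the scanner finding is not actionable.
func FixedInInstalled(installed, fixed string) (bool, error) {
	c, err := CompareDebVersions(installed, fixed)
	return c >= 0, err
}

func main() {
	// 8.32-4+b1 is what dpkg reports in the image, 8.32-4 is the tracker's
	// fixed version, 1.8 is what the scanner printed; 8.30-3 is constructed.
	for _, inst := range []string{"8.32-4+b1", "8.30-3", "1.8"} {
		ok, err := FixedInInstalled(inst, "8.32-4")
		fmt.Printf("installed %-10s vs fixed 8.32-4 -> fixed: %v (err: %v)\n", inst, ok, err)
	}
}
```

The binNMU suffix "+b1" is the important case: it is a non-digit run after the revision's "4" and therefore sorts after the bare "8.32-4", so the installed package is at least the fixed version. A tilde ("1.0~rc1") sorts before the release it prefixes, and an epoch ("1:1.0") trumps everything after the colon.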

@tooptoop4 (Author) commented Jul 14, 2022

@wglambert /usr/local/go/pkg/tool/linux_amd64/link is the file showing up with the old coreutils.

@yosifkit (Member)
1.18.3 is no longer updated. 1.18 was updated with 1.18.4 (a security fix) in ad25ff1 and pushed to Docker Hub with docker-library/official-images#12786. I don't see that file in the new version. Does your scanner still show a problem with the newer version?

@tooptoop4 (Author)
@yosifkit 1.18.4 still shows the issue:

```dockerfile
FROM debian:11.4-slim
COPY --from=golang:1.18.4-bullseye /usr/local/go /usr/local/go
```

@yosifkit (Member) commented Jul 29, 2022

The "vulnerable" file comes from Go's download (like https://dl.google.com/go/go1.18.4.linux-amd64.tar.gz), and since the file is self-contained (i.e. not linked to an .so from any Debian packages), it should probably be addressed in Go's releases. Edit: assuming that the file in question does contain the vulnerable library and it isn't a false positive in the scanner.

As for the Debian package of coreutils, it is not vulnerable to "CVE-2015-4042"; see: https://security-tracker.debian.org/tracker/CVE-2015-4042. And, confusingly, it is nowhere near version 1.8:

```console
$ docker run -it --rm --pull=always golang:1.18.4-bullseye bash
1.18.4-bullseye: Pulling from library/golang
Digest: sha256:6689996f4aa27bdb565677edd0914f8147e699a8b613e9c6623c34cce6d0eac6
Status: Image is up to date for golang:1.18.4-bullseye
root@decf0b33524d:/go# dpkg -l | grep coreutils
ii  coreutils                  8.32-4+b1                      amd64        GNU core utilities
root@decf0b33524d:/go#
```

@tooptoop4 (Author)
@yosifkit do you know anyone in the go repo who can fix it?

@yosifkit (Member) commented Aug 2, 2022

Unfortunately not. 😞 It seems that you already tried to let them know in golang/go#53897. I think to get anywhere, you'll need to show them that the file is just part of the released tar.gz and not image/container specific (see below) and that it actually contains the CVE in question and not just a false positive from the scanner vendor (no idea how to prove that but by asking your vendor for "proof").

```console
root@f08197b5db56:/# curl -fsSL https://dl.google.com/go/go1.18.5.linux-amd64.tar.gz | tar -z --list | grep -E 'link$'
go/pkg/tool/linux_amd64/link
```

Edit: From past experience with security scanners, I'd say that it is very likely a false positive from the scanner vendor when they do their "binary" matching.
