Vulnerable components (CVEs) in docker images

[Crashthatch]

According to Docker Store, the latest 9.6.3 has 4 vulnerable components:

In Bash:
CVE-2017-5932
The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a " (double quote) character and a command substitution metacharacter.

CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.

In pcre:
CVE-2015-3217
PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\.|([^\\\\W_])?)+)+$/.

CVE-2017-6004
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

In expat:
CVE-2016-6702
A remote code execution vulnerability in libjpeg in Android 4.x before 4.4.4, 5.0.x before 5.0.2, and 5.1.x before 5.1.1 could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg. Android ID: A-30259087.

In libxml2:
CVE-2016-4448
CVE-2016-9318
CVE-2017-8872
CVE-2015-6838
CVE-2015-6837
CVE-2017-5969

Full details of scan (Requires logging in with your Docker Hub account):
https://store.docker.com/images/postgres/plans/cfa7881b-dad1-4d72-8dca-58b5d15bfc71/scans/library/postgres/9.6.3

[yosifkit]

We get these reports quite often, and they usually involve a large amount of digging which ends up in very little which is actionable. See the list below for an example of where I dove into a lot of these reports and found most of them to be either false positives or out of our hands (because Debian upstream hasn't patched the vulnerabilities, usually because they looked into it and deemed it to be a minor issue).

If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

• CVE-2017-5932, fixed in the version that is installed, https://security-tracker.debian.org/tracker/CVE-2017-5932
• CVE-2016-9401, "[jessie] - bash (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2016-9401. In other words the Debian Security Team has decided not to port the upstream fixes to the version available in Debian Jessie (RedHat has also not published a fix for bash in RHEL 7).
• CVE-2015-3217, "[jessie] - pcre3 (Minor issue)",, https://security-tracker.debian.org/tracker/CVE-2015-3217 (many of the RedHat packages with this CVE are "will not fix" for RHEL 7)
• CVE-2017-6004, fixed in the version that is installed, https://security-tracker.debian.org/tracker/CVE-2017-6004
• CVE-2016-6702, not applicable to Debian since it is an Android specific patch, https://security-tracker.debian.org/tracker/CVE-2016-6702
• CVE-2016-4448, "Minor impact; too intrusive to backport", https://security-tracker.debian.org/tracker/CVE-2016-4448
• CVE-2016-9318, "[jessie] - libxml2 (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2016-9318
• CVE-2017-8872, [jessie] - libxml2 (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2017-8872
• CVE-2015-6838, PHP bug not libxml2, https://security-tracker.debian.org/tracker/CVE-2015-6838
• CVE-2015-6837, PHP bug not libxml2, https://security-tracker.debian.org/tracker/CVE-2015-6837
• CVE-2017-5969, "[jessie] - libxml2 (Minor issue, only a denial-of-service when using recover mode)" https://security-tracker.debian.org/tracker/CVE-2017-5969

Related issues:
docker-library/openjdk#112
docker-library/drupal#84
docker-library/official-images#2740
docker-library/ruby#117
docker-library/ruby#94
docker-library/python#152
docker-library/php#242
docker-library/buildpack-deps#46