Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

python:slim-bullseye – Is affected by CVE-2005-2541 #751

Closed
guilledipa opened this issue Aug 19, 2022 · 1 comment
Closed

python:slim-bullseye – Is affected by CVE-2005-2541 #751

guilledipa opened this issue Aug 19, 2022 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments

@guilledipa
Copy link

Hey folks,

When running:

gcloud artifacts docker images scan docker.io/library/python:slim-bullseye

The following severity: CRITICAL vulnerability is being reported:

---
createTime: '2022-08-19T16:55:12.125386Z'
kind: VULNERABILITY
name: projects/gkeconfluence-gcr/locations/us/occurrences/f342fbbd-429a-47f6-90f1-b3d4ac510114
noteName: projects/goog-vulnz/notes/CVE-2005-2541
resourceUri: docker.io/library/python:3.8.13-slim-bullseye
updateTime: '2022-08-19T16:55:12.125386Z'
vulnerability:
  cvssScore: 10.0
  effectiveSeverity: LOW
  longDescription: Tar 1.15.1 does not properly warn the user when extracting setuid
    or setgid files, which may allow local users or remote attackers to gain privileges.
  packageIssue:
  - affectedCpeUri: cpe:/o:debian:debian_linux:11
    affectedPackage: tar
    affectedVersion:
      fullName: 1.34+dfsg-1
      kind: NORMAL
      name: 1.34+dfsg
      revision: '1'
    effectiveSeverity: LOW
    fixedCpeUri: cpe:/o:debian:debian_linux:11
    fixedPackage: tar
    fixedVersion:
      kind: MAXIMUM
  relatedUrls:
  - label: More Info
    url: https://security-tracker.debian.org/tracker/CVE-2005-2541
  - label: More Info
    url: https://nvd.nist.gov/vuln/detail/CVE-2005-2541
  - label: More Info
    url: https://access.redhat.com/security/cve/CVE-2005-2541
  severity: CRITICAL
  shortDescription: CVE-2005-2541
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Aug 19, 2022
@wglambert
Copy link

It's from 2005, I wouldn't have high hopes of a fix soon

But really the Debian security team considers it intended behavior
https://security-tracker.debian.org/tracker/CVE-2005-2541

This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, #152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@tianon tianon closed this as completed Aug 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Usability question, not directly related to an error with the image
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tianon @guilledipa @wglambert