Docker scout reports critical and high vulnerabilities for Ubuntu docker images with installed gosu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | Invalid | Undecided | Unassigned |
gosu (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Previously reported here: https:/
Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`.
If I create such an image, docker scout reports a few critical and high vulnerabilities.
----
docker run -it ubuntu:noble /bin/bash
# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)
# create a new image with installed gosu
docker commit <container_id> ubuntu-
docker scout cves --locations --only-severity "critical,high" ubuntu-
...
✗ Detected 1 vulnerable package with 3 vulnerabilities
## Packages and Vulnerabilities
1C 2H 0M 0L stdlib 1.21.3
pkg:golang/
6: sha256:
/usr/sbin/gosu (evident by)
✗ CRITICAL CVE-2024-24790
https:/
Affected range : <1.21.11
Fixed version : 1.21.11
✗ HIGH CVE-2024-24791
https:/
Affected range : <1.21.12
Fixed version : 1.21.12
✗ HIGH CVE-2023-45283
https:/
Affected range : >=1.21.0-0
Fixed version : 1.21.4
information type: Private Security → Public
`gosu` is a universe package in Ubuntu, and from what I can see was inherited from `sid` at version 1.17.1
https://packages.debian.org/sid/gosu
I see no open bugs against `gosu`: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu, and it needs to be confirmed that it's built against golang 1.17 in `debian`. Not my expertise.
Normally the correct move would be to go upstream first. Since I control things on the Ubuntu side for cloud-images, I'll move the ticket around there. I'll also make it public as it's not a new security vulnerability (private security bugs are for new disclosures, not for tracking already announced vulnerabilities).
Public Ubuntu tracking of the golang vulnerability:
https://ubuntu.com/security/CVE-2024-24790
Note, since this is reported against Noble, I _believe_ this is an incorrect match. I'm working on double checking, but in noble, the golangs have been patched (both 1.21 and 1.22). It's likely a bad version string match, but I've listed this against `gosu` for someone to double check my assertions. `gosu` in noble is building against `golang-go=1.22`
http://archive.ubuntu.com/ubuntu/pool/universe/g/gosu/gosu_1.17-1.dsc
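The reporter's reproduction steps and the maintainer's suspicion of a bad version string match both come down to one check: which Go toolchain version is recorded inside `/usr/sbin/gosu`, and what a plain range comparison against the three advisories quoted in the report says about it. The Go program below is an added example written for this page; it is not part of the bug report, of gosu, or of Docker Scout. It reads the embedded build info with the standard library's `debug/buildinfo` package (the same field `go version -m /usr/sbin/gosu` prints), replays the version-range match using the affected/fixed versions quoted above, and states the caveat the maintainer raises: a distro toolchain that backported the fix keeps the same `go1.21.x` version string, so a match here is a candidate, not a confirmed finding. The default path comes from the report; the `advisory` type, `matchByVersionString`, `parseGoVersion` and the other identifiers are this example's own names.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.21.3".
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses "go1.21.3", "1.21.11" or "go1.22" (patch defaults
// to 0). Pre-release strings such as "go1.22rc1" are rejected on purpose:
// a scanner has to decide separately how to order those.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		*fields[i] = n
	}
	return v, nil
}

// less orders versions numerically, not lexically ("1.21.3" < "1.21.11").
func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// advisory mirrors how a scanner stores a stdlib CVE: an inclusive lower
// bound (zero value means "every earlier release") and the first fixed
// version as an exclusive upper bound.
type advisory struct {
	id         string
	introduced goVersion // from "Affected range : >=..."
	fixed      goVersion // from "Fixed version"
}

// advisories holds the three findings quoted in the bug report above.
var advisories = []advisory{
	{"CVE-2024-24790", goVersion{}, goVersion{1, 21, 11}},
	{"CVE-2024-24791", goVersion{}, goVersion{1, 21, 12}},
	{"CVE-2023-45283", goVersion{1, 21, 0}, goVersion{1, 21, 4}},
}

// matchByVersionString returns the IDs of advisories whose range contains v.
// This is a pure version-string comparison, which is all a "stdlib 1.21.3"
// match can be; it has no view of fixes a distro backported under the
// same version string.
func matchByVersionString(v goVersion, advs []advisory) []string {
	var hits []string
	for _, a := range advs {
		if !v.less(a.introduced) && v.less(a.fixed) {
			hits = append(hits, a.id)
		}
	}
	return hits
}

// toolchainVersion returns the Go toolchain version recorded in a Go
// binary's embedded build info, e.g. "go1.21.3".
func toolchainVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	path := "/usr/sbin/gosu" // target from the bug report; override via argv[1]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	raw, err := toolchainVersion(path)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		os.Exit(1)
	}
	v, err := parseGoVersion(raw)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		os.Exit(1)
	}
	hits := matchByVersionString(v, advisories)
	fmt.Printf("%s: built with %s; version-string match flags %v\n", path, raw, hits)
	fmt.Println("caveat: a distro toolchain that backported the fix keeps this version string;" +
		" confirm against the distro CVE tracker before treating a hit as a real finding")
}
```

Run it inside the container after `apt install gosu` (for example `go run check.go /usr/sbin/gosu`); with the `go1.21.3` string shown in the report it flags all three CVEs, which is exactly the scanner's result. Whether those are true positives is a separate question the version string cannot answer: the Ubuntu CVE tracker entry linked above records what the noble golang packages actually fixed.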