Docker scout reports critical and high vulnerabilities for Ubuntu docker images with installed gosu

Bug #2072883 reported by Juraj Martinka
This bug affects 1 person

Affects        Status   Importance  Assigned to  Milestone
cloud-images   Invalid  Undecided   Unassigned
gosu (Ubuntu)  New      Undecided   Unassigned

Bug Description

Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720

Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`.
If I create such an image, docker scout reports a few critical and high vulnerabilities.
----

docker run -it ubuntu:noble /bin/bash

# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)

# create a new image with installed gosu
docker commit <container_id> ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
    ✗ Detected 1 vulnerable package with 3 vulnerabilities
## Packages and Vulnerabilities

   1C 2H 0M 0L stdlib 1.21.3
pkg:golang/stdlib@1.21.3

6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca
/usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version : 1.21.11

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version : 1.21.12

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version : 1.21.4

John Chittum (jchittum)
information type: Private Security → Public
John Chittum (jchittum) wrote (last edit ):

`gosu` is a universe package in Ubuntu, and from what I can see was inherited from `sid` at version 1.17.1

https://packages.debian.org/sid/gosu

I see no open bugs against `gosu`: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu , and it needs to be confirmed that it's built against golang 1.17 in `debian`. Not my expertise.

Normally the correct move would be to go upstream first. Since I control things on the Ubuntu side for cloud-images, I'll move the ticket around there. I'll also make it public as it's not a new security vulnerability (private security bugs are for new disclosures, not for tracking already announced vulnerabilities).

Public Ubuntu tracking of the golang vulnerability:

https://ubuntu.com/security/CVE-2024-24790

Note, since this is reported against Noble, I _believe_ this is an incorrect match. I'm working on double-checking, but in Noble the golangs have been patched (both 1.21 and 1.22). It's likely a bad version-string match, but I've listed this against `gosu` for someone to double-check my assertions. `gosu` in Noble is building against `golang-go=1.22`

http://archive.ubuntu.com/ubuntu/pool/universe/g/gosu/gosu_1.17-1.dsc

Changed in cloud-images:
status: New → Invalid
Juraj Martinka (jumarko) wrote :

Thanks John for the quick action and sorry for not reporting this properly. I'm a newbie here so I wasn't sure what's the best way and the proper place for this report.

Utkarsh Gupta (utkarsh) wrote :

> I see no open bugs against `gosu` :
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu , and
> it needs to be confirmed that it's built against golang 1.17
> in `debian`. Not my expertise

gosu is built with golang-any and in Noble, that defaults to 1.22. I think golang-any should be patched for those vulnerabilities and therefore needs a no-change rebuild to fix all this. :)

Utkarsh Gupta (utkarsh) wrote :

https://launchpad.net/ubuntu/+source/gosu/1.17-1ubuntu0.24.04.1 -> ah, there, 9 hours ago. So you should see the fixes shortly. :)

Juraj Martinka (jumarko) wrote :

I tried the same procedure as described in the original report. It seems that one CVE is fixed but the other two remain:

docker run -it ubuntu:noble /bin/bash

apt update && apt install gosu
gosu --version
1.17 (go1.22.2 on linux/arm64; gc)

docker commit <container_id> ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
## Packages and Vulnerabilities

   1C 1H 0M 0L stdlib 1.22.2
pkg:golang/stdlib@1.22.2

6: sha256:74098bae0fa49d842f7abd64314d0e24efa515611d738d265566498d9caafd12
/usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : >=1.22.0-0
                     : <1.22.4
      Fixed version : 1.22.4

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : >=1.22.0-0
                     : <1.22.5
      Fixed version : 1.22.5

description: updated
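The reproduction steps in the description and in the re-run above, together with the earlier remark about a "bad version string match", come down to one mechanism: the scanner attributes Go stdlib CVEs to `/usr/sbin/gosu` from the toolchain version recorded in the binary's build information (the same string `gosu --version` prints), while Ubuntu backports the fix into its golang packages without changing that string. The Go program below is an added illustration, not code from the bug report, Docker Scout or the gosu project. It reads the embedded version with the standard library's `debug/buildinfo`, applies the affected ranges copied from the scout output in this report (`Advisories`), and cross-checks each match against the set of CVEs the distribution's tracker lists as fixed. The `distroFixed` map in `main` is constructed from the tracker state quoted in the comments (CVE-2024-24790 fixed, CVE-2024-24791 needs-triage) and is an assumption that must be re-checked against https://ubuntu.com/security/ before trusting the verdict.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain version such as "go1.22.2".
type GoVersion struct{ Major, Minor, Patch int }

// Less reports whether v is an older release than w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// ParseGoVersion parses "go1.22.2", "1.22.2" or "go1.22" (patch 0).
// Pre-release strings such as "go1.23rc1" are rejected rather than guessed at.
func ParseGoVersion(s string) (GoVersion, error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) != 2 && len(parts) != 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		n[i] = x
	}
	return GoVersion{n[0], n[1], n[2]}, nil
}

// EmbeddedGoVersion reads the toolchain version recorded in a Go binary's
// build info: what `gosu --version` prints and what scanners key stdlib
// advisories on. It says nothing about distribution patches to that toolchain.
func EmbeddedGoVersion(path string) (GoVersion, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return GoVersion{}, err
	}
	return ParseGoVersion(bi.GoVersion)
}

// Range is one affected interval: from Introduced (zero value = no lower
// bound) up to but excluding Fixed.
type Range struct{ Introduced, Fixed GoVersion }

// Advisory is a stdlib CVE with its affected ranges as scout listed them.
type Advisory struct {
	CVE    string
	Ranges []Range
}

// Advisories is copied from the two scout runs quoted in this bug report.
var Advisories = []Advisory{
	{"CVE-2024-24790", []Range{{Fixed: GoVersion{1, 21, 11}}, {GoVersion{1, 22, 0}, GoVersion{1, 22, 4}}}},
	{"CVE-2024-24791", []Range{{Fixed: GoVersion{1, 21, 12}}, {GoVersion{1, 22, 0}, GoVersion{1, 22, 5}}}},
	{"CVE-2023-45283", []Range{{GoVersion{1, 21, 0}, GoVersion{1, 21, 4}}}},
}

// VersionStringMatches returns the CVEs a scanner flags from the version string alone.
func VersionStringMatches(v GoVersion, advs []Advisory) []string {
	var out []string
	for _, a := range advs {
		for _, r := range a.Ranges {
			if !v.Less(r.Introduced) && v.Less(r.Fixed) {
				out = append(out, a.CVE)
				break
			}
		}
	}
	return out
}

// Triage maps each version-string match to a verdict. distroFixed is the set
// of CVEs the distribution's security tracker lists as fixed for this package
// and release; a match in that set is the backported-without-version-bump case.
func Triage(v GoVersion, advs []Advisory, distroFixed map[string]bool) map[string]string {
	out := map[string]string{}
	for _, cve := range VersionStringMatches(v, advs) {
		out[cve] = "open on the distribution tracker: keep the finding"
		if distroFixed[cve] {
			out[cve] = "fixed by a distribution patch: likely false positive"
		}
	}
	return out
}

func main() {
	path := "/usr/sbin/gosu"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	v, err := EmbeddedGoVersion(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(1)
	}
	// Constructed from the tracker state quoted in the comments; re-check it.
	distroFixed := map[string]bool{"CVE-2024-24790": true}
	fmt.Printf("%s was built with go%d.%d.%d\n", path, v.Major, v.Minor, v.Patch)
	for cve, status := range Triage(v, Advisories, distroFixed) {
		fmt.Printf("  %s: %s\n", cve, status)
	}
}
```

Run it inside the container as `go run main.go /usr/sbin/gosu` (a Go toolchain is needed only to build the checker; the binary under inspection is read, not executed). The remaining step is manual: confirm the installed package with `dpkg -s gosu` and look for the CVE id in `apt changelog gosu`, since only the changelog records which stdlib fixes the distribution carried into a build whose embedded version string never changed.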
John Chittum (jchittum) wrote :

You can check any progress in Ubuntu by checking the issue tracker:

https://ubuntu.com/security/CVE-2024-24790

https://ubuntu.com/security/CVE-2024-24791

It looks like 2024-24790 is fixed, so this may be a false positive.

24791 is still in needs-triage on the page.
