Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: libUV security issue per docker hub? #34

Open
xgpt opened this issue Feb 27, 2024 · 6 comments
Open

security: libUV security issue per docker hub? #34

xgpt opened this issue Feb 27, 2024 · 6 comments

Comments

@xgpt
Copy link

xgpt commented Feb 27, 2024

See link: https://hub.docker.com/layers/library/znc/latest/images/sha256-9ee87dce4120706eb1da4bbde51224efd1780117177e2e28ab5c72fc32669001?context=repo&tab=vulnerabilities

Looks like libuv needs to be updated from 1.47 to 1.48

@DarthGandalf
Copy link
Member

@tianon Hi, any idea how to fix this? The alpine version is already correct in the image

@psychon
Copy link
Member

psychon commented Feb 28, 2024

Out of curiosity: Does anyone know why libuv is being installed? The command for that layer is apk add --no-cache build-base cmake icu-dev openssl-dev perl python3. I don't have Docker nor alpine around, so I can only check my local Debian testing. There, libuv is a dependency of CMake. That's only a build dependency and not actually used at run time and sounds a lot like that means the libuv bug is a non-issue.

@DarthGandalf Random guess would be to rebuild the image. Somehow remove the relevant base image and cause a rebuild of everything. How are the images build currently? Do you do that locally or is there some automation that I am missing?

@DarthGandalf
Copy link
Member

Do you do that locally or is there some automation that I am missing?

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions. The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

@psychon
Copy link
Member

psychon commented Feb 28, 2024

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions.

That one seems to be rebuild on each run. Looking at the output of a random recent execution of that:

[...]
#9 [4/7] RUN apk add --no-cache         argon2-libs         boost         build-base         ca-certificates         cmake         cyrus-sasl         gettext         icu-dev         icu-data-full         openssl-dev         perl         python3         su-exec         tini         tzdata
#9 1.152 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
#9 1.557 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
#9 1.808 (1/102) Installing argon2-libs (20190702-r5)
#9 1.835 (2/102) Installing libgcc (13.2.1_git20231014-r0)
#9 1.840 (3/102) Installing libstdc++ (13.2.1_git20231014-r0)
[...]

So, this rebuilds the image on every run.
But libuv does not appear in the build output, so... it was never installed? Dunno.

The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

The readme of that file says about "what are official images":

Actively rebuild for updates and security fixes

So, this one will just fix itself, I guess? There is a link in the text, but that doesn't explain things for me and I can't find out what they actually mean. It only says:

Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built). Only what is in the library file will be rebuilt when a base has updates.

So... they will fix this on the next alpine release?

@DarthGandalf
Copy link
Member

So... they will fix this on the next alpine release?

Every alpine release already have the fixed libuv.

That's why I tagged @tianon here - I don't know what we can do on our side.

@DarthGandalf
Copy link
Member

Actually, no, only 3.19 has the bad version, I was reading alpine packages wrong.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants