The image debian:stretch-slim from Docker Hub, as of now, has a vulnerable glibc version:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
debian stretch-slim 9a4a82cec2d2 12 days ago 55.3MB
$ klar debian:stretch-slim
...
-----------------------------------------
CVE-2017-15670: [High]
Found in: glibc [2.24-11+deb9u3]
Fixed By: 2.24-11+deb9u4
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
https://security-tracker.debian.org/tracker/CVE-2017-15670
-----------------------------------------
CVE-2017-1000408: [High]
Found in: glibc [2.24-11+deb9u3]
Fixed By: 2.24-11+deb9u4
A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
https://security-tracker.debian.org/tracker/CVE-2017-1000408
...
My own image is based on that, but I do apt update as part of the image build process, so the final image has the fixed version:
$ docker run --rm -ti $OWN_IMAGE cat /var/lib/dpkg/status | sed -n '/^Package: libc6\s*$/,/^\s*$/{/^Version/p}'
Version: 2.24-11+deb9u4
However, klar still reports glibc as being vulnerable against the same CVEs. I checked with mitmproxy: klar uploads all layers of the image, but then only asks for the vulnerabilities of the first layer and stops there (presumably because it found vulnerabilities).
I'm not entirely sure if I'm holding something wrong here, because it doesn't make sense to me that Klar looks for vulnerabilities in the base layer. I'm not running the base layer, I'm running the entire image only.
I can confirm this. Currently there is a vulnerability in systemd in the debian:9 image, however I do an apt-get upgrade in my images which upgrades to a fixed version. Still klar reports the error in the base layer.
Underlying layers may have a vulnerability that is fixed in the top layers. With this code, we introduce a new variable that allows analysing only the last layer.