gosu binary Vuln with thirdparty github.com/opencontainers/runc (CVE-2023-27561)

[eshafaq1]

There looks to be a vulnerability with a third party package (github.com/opencontainers/runc) in the latest version of gosu. (see screenshot)

This also mentioned as part of a regression here:
opencontainers/runc#2197 (comment)

Filing this ticket in hopes folks can get gosu patched.

[tianon]

https://github.com/tianon/gosu/blob/master/SECURITY.md

[eshafaq1]

@tianon https://pkg.go.dev/vuln/GO-2022-0274

More context here: GHSA-c3xm-pvg7-gh7r

[tianon]

I get the feeling you didn't read the link 🤔 can you share the source of your binary and the exact command and output of your govulncheck invocation?

[eshafaq1]

@tianon I did read the link you supplied and scanned the gosu binary present in the mongo:6.0.8 container, but the only vulnerability is that is present is in your exceptions list is GO-2023-1840

4d764a2d38e3 mongo:6.0.8
docker cp 4d764a2d38e3:/usr/local/bin/gosu /tmp/
govulncheck -mode=binary /tmp/gosu
GO-2023-1840

I believe this is still a valid vulnerability and from the referenced links be been reintroduced due to a regression for a fix to this CVE. and I don't think it's recorded in the Go Vuln DB yet.

Fix and reference to original CVE in this ticket - opencontainers/runc#3751

[tianon]

The gosu tool does not create any mounts, though, so I'm a little confused how that vulnerability could apply (in other words, govulncheck is successfully detecting that we do not use any of the affected functionality).

[tianon]

See also https://github.com/search?q=repo%3Agolang%2Fvulndb%20GO-2022-0274&type=code (this vulnerability is definitely in the database)

[eshafaq1]

The actual vulnerability is with the runc lib (v1.1.0) used by gosu.

I noticed you have some info in the readme about runc vulns

If you believe you have found a new vulnerability in gosu, chances are very high that it's actually a vulnerability in runc (or at the very least, runc's code), and should be reported appropriately and responsibly

They (runc) have captured and resolved this vulnerability in version v1.1.5. -

• Fix [CVE-2023-27561](https://github.com/advisories/GHSA-vpvm-3wq2-2wvm) kubernetes-sigs/vsphere-csi-driver#2326
• GHSA-vpvm-3wq2-2wvm

I don't know much about Go dependancies, but it seems like gosu/go.mod require github.com/opencontainers/runc v1.1.0 ---> needs to be upgraded to v1.1.5

[tianon]

The vulnerable code in runc is the code that performs mounts. The gosu tool does not invoke any of that code under any circumstances.

[minakolta]

Hi @tianon can you please introduce this update suggested by @eshafaq1? I am pretty convinced by your point, on the other hand, if that won't impact the package it's better to upgrade the version as a lot of reported issues are marked on all images that utilize gosu including MongoDB

[tianon]

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu.

[docgurureddy]

Hi @tianon,

Your latest version on the gosu build on go 1.18.2. Any chance on building new go release like go 1.20.5 or higher?

Thanks!

[tianon]

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu.