gosu binary Vuln with thirdparty github.com/opencontainers/runc (CVE-2023-27561) #130
Comments
@tianon https://pkg.go.dev/vuln/GO-2022-0274 More context here: GHSA-c3xm-pvg7-gh7r
I get the feeling you didn't read the link 🤔 can you share the source of your binary and the exact command and output of your
@tianon I did read the link you supplied and scanned the gosu binary present in the mongo:6.0.8 container, but the only vulnerability that is present is in your exceptions list is
I believe this is still a valid vulnerability and, from the referenced links, it has been reintroduced due to a regression in a fix for this CVE, and I don't think it's recorded in the Go Vuln DB yet. Fix and reference to the original CVE in this ticket - opencontainers/runc#3751
The
See also https://github.com/search?q=repo%3Agolang%2Fvulndb%20GO-2022-0274&type=code (this vulnerability is definitely in the database)
The actual vulnerability is with the runc lib (v1.1.0) used by gosu. I noticed you have some info in the readme about runc vulns
They (runc) have captured and resolved this vulnerability in version v1.1.5.
I don't know much about Go dependencies, but it seems like gosu/go.mod
The vulnerable code in runc is the code that performs mounts. The gosu tool does not invoke any of that code under any circumstances.
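The distinction drawn in the comment above (a vulnerable runc version being linked into the binary versus its mount code being reachable) is exactly what separates an image scanner's finding from govulncheck's. The following is an added example, not gosu's or runc's own code: it reproduces the scanner's side of that check by matching the module versions embedded in a Go binary's build info against a first-fixed version, run on constructed build info standing in for a gosu linked against runc v1.1.0; the module path github.com/tianon/gosu and the fixed version v1.1.5 are assumed from this thread.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"slices"
	"strings"
)

// versionParts turns "vMAJOR.MINOR.PATCH[-pre][+meta]" into comparable parts; the last part is 0 for a
// pre-release or pseudo-version and 1 for a release, so v1.1.5-rc1 sorts before v1.1.5 (simplified:
// different pre-release tags of the same number are not ordered, enough for a fixed-version check).
func versionParts(v string) []int {
	p := []int{0, 0, 0, 1}
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		if v[i] == '-' {
			p[3] = 0
		}
		v = v[:i]
	}
	fmt.Sscanf(v, "%d.%d.%d", &p[0], &p[1], &p[2])
	return p
}

// older reports whether module version a sorts before version b.
func older(a, b string) bool {
	return slices.Compare(versionParts(a), versionParts(b)) < 0
}

// AffectedModules lists dependencies linked at a version below their fix (fixed maps module path to the
// first fixed version), honouring replace directives. This module-version match is all an image scanner
// sees in a binary's build info: it proves the module is linked in, not that its vulnerable code is
// reachable from the program (govulncheck's symbol-level analysis is what answers that question).
func AffectedModules(bi *debug.BuildInfo, fixed map[string]string) []string {
	var hits []string
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		if fix, ok := fixed[m.Path]; ok && older(m.Version, fix) {
			hits = append(hits, fmt.Sprintf("%s@%s (fixed in %s)", m.Path, m.Version, fix))
		}
	}
	return hits
}

func main() {
	// Constructed build info mirroring `go version -m gosu` for a gosu linked against runc v1.1.0; for a
	// binary on disk use debug/buildinfo.ReadFile, for the running program debug.ReadBuildInfo.
	bi := &debug.BuildInfo{Path: "github.com/tianon/gosu", Deps: []*debug.Module{
		{Path: "github.com/opencontainers/runc", Version: "v1.1.0"}}}
	fmt.Println(AffectedModules(bi, map[string]string{"github.com/opencontainers/runc": "v1.1.5"})) // CVE-2023-27561 fix
}
```

A hit from this check is the point at which to run govulncheck against the same binary, since only its reachability analysis can say whether the flagged mount code is ever called.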
Hi @tianon, your latest version of gosu is built on go 1.18.2. Any chance of building with a newer go release like go 1.20.5 or higher? Thanks!
There looks to be a vulnerability with a third party package (github.com/opencontainers/runc) in the latest version of gosu. (see screenshot)
This is also mentioned as part of a regression here:
opencontainers/runc#2197 (comment)
Filing this ticket in hopes folks can get gosu patched.