RHEL-65738

Large number of CVE vulnerabilities in git-lfs package in ubi9 images

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Undefined
    • rhel-9.7
    • git-lfs
    • rhel-sst-cs-base-utils
    • ssg_core_services
    • Red Hat Enterprise Linux
    • x86_64

      Hi there,

      I'm a developer and reluctant docker image maintainer over at GitLab with the Runner team. We produce a couple of `ubi9` based images that are intended to be FIPS and FedRAMP certified. These images are subject to regular CVE vulnerability scans, both internally and also by customers who use these images.

      Lately we've been receiving a lot (I mean a lot) of vulnerability reports against the package git-lfs specifically, both from internal scanners and from slightly angry customers. Angry because the vulnerabilities have long ago been fixed upstream, but still appear in our images (e.g. https://gitlab.com/gitlab-org/gitlab-runner/-/issues/?sort=created_date&state=all&search=git-lfs&label_name%5B%5D=FedRAMP%3A%3AVulnerability&first_page_size=50).

      The latest package version of git-lfs in ubi9 is git-lfs;3.4.1-4.el9_4, which has the following vulns (according to trivy at least):

      Library | Vulnerability  | Severity | Status              | Installed Version | Fixed Version | Title
      git-lfs | CVE-2022-23806 | MEDIUM   | under_investigation | 3.5.1-1.el9       |               | golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (https://avd.aquasec.com/nvd/cve-2022-23806)
      git-lfs | CVE-2022-41723 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723)
      git-lfs | CVE-2022-41724 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: large handshake records may cause panics (https://avd.aquasec.com/nvd/cve-2022-41724)
      git-lfs | CVE-2022-41725 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, mime/multipart: denial of service from excessive resource consumption (https://avd.aquasec.com/nvd/cve-2022-41725)
      git-lfs | CVE-2023-24534 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, net/textproto: denial of service from excessive memory allocation (https://avd.aquasec.com/nvd/cve-2023-24534)
      git-lfs | CVE-2023-24536 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (https://avd.aquasec.com/nvd/cve-2023-24536)
      git-lfs | CVE-2023-29406 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http: insufficient sanitization of Host header (https://avd.aquasec.com/nvd/cve-2023-29406)
      git-lfs | CVE-2023-29409 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: slow verification of certificate chains containing large RSA keys (https://avd.aquasec.com/nvd/cve-2023-29409)
      git-lfs | CVE-2023-39321 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: panic when processing post-handshake message on QUIC connections (https://avd.aquasec.com/nvd/cve-2023-39321)
      git-lfs | CVE-2023-39322 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: lack of a limit on buffered post-handshake (https://avd.aquasec.com/nvd/cve-2023-39322)
      git-lfs | CVE-2024-24788 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net: malformed DNS message can cause infinite loop (https://avd.aquasec.com/nvd/cve-2024-24788)
      git-lfs | CVE-2024-24790 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
      git-lfs | CVE-2024-24791 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | net/http: Denial of service due to improper 100-continue handling in net/http (https://avd.aquasec.com/nvd/cve-2024-24791)
      git-lfs | CVE-2024-9355  | MEDIUM   | affected            | 3.5.1-1.el9       |               | golang-fips: Golang FIPS zeroed buffer (https://avd.aquasec.com/nvd/cve-2024-9355)

      and

      Library          | Vulnerability  | Severity | Status | Installed Version | Fixed Version   | Title
      golang.org/x/net | CVE-2023-45288 | MEDIUM   | fixed  | v0.17.0           | 0.23.0          | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288)
      stdlib           | CVE-2024-24790 | CRITICAL | fixed  | 1.21.8            | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
      stdlib           | CVE-2023-45288 | HIGH     | fixed  | 1.21.8            | 1.21.9, 1.22.2  | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288)
      stdlib           | CVE-2024-34156 | HIGH     | fixed  | 1.21.8            | 1.22.7, 1.23.1  | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... (https://avd.aquasec.com/nvd/cve-2024-34156)
      stdlib           | CVE-2024-24789 | MEDIUM   | fixed  | 1.21.8            | 1.21.11, 1.22.4 | golang: archive/zip: Incorrect handling of certain ZIP files (https://avd.aquasec.com/nvd/cve-2024-24789)
      stdlib           | CVE-2024-24791 | MEDIUM   | fixed  | 1.21.8            | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http (https://avd.aquasec.com/nvd/cve-2024-24791)
      stdlib           | CVE-2024-34155 | MEDIUM   | fixed  | 1.21.8            | 1.22.7, 1.23.1  | go/parser: golang: Calling any of the Parse functions containing deeply nested literals... (https://avd.aquasec.com/nvd/cve-2024-34155)
      stdlib           | CVE-2024-34158 | MEDIUM   | fixed  | 1.21.8            | 1.22.7, 1.23.1  | go/build/constraint: golang: Calling Parse on a "// +build" build tag line with... (https://avd.aquasec.com/nvd/cve-2024-34158)

      The latest release of git-lfs is [v3.5.1|https://github.com/git-lfs/git-lfs/releases/tag/v3.5.1], which was released on March 7, 2024, so `ubi9` is already nearly 8 months behind upstream.

      But even the latest release of git-lfs (`v3.5.1`) has a number of (transitive) CVE vulnerabilities (again, according to trivy):

      Note: This CVE report is from an image I made by installing the `v3.5.1` `rpm` of git-lfs provided by upstream in a `redhat/ubi9-minimal` base image. (See https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/dockerfiles/ci/ubi.fips.base.Dockerfile?ref_type=heads).

      Library | Vulnerability  | Severity | Status              | Installed Version | Fixed Version | Title
      git-lfs | CVE-2022-23806 | MEDIUM   | under_investigation | 3.5.1-1.el9       |               | golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (https://avd.aquasec.com/nvd/cve-2022-23806)
      git-lfs | CVE-2022-41723 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723)
      git-lfs | CVE-2022-41724 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: large handshake records may cause panics (https://avd.aquasec.com/nvd/cve-2022-41724)
      git-lfs | CVE-2022-41725 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, mime/multipart: denial of service from excessive resource consumption (https://avd.aquasec.com/nvd/cve-2022-41725)
      git-lfs | CVE-2023-24534 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, net/textproto: denial of service from excessive memory allocation (https://avd.aquasec.com/nvd/cve-2023-24534)
      git-lfs | CVE-2023-24536 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (https://avd.aquasec.com/nvd/cve-2023-24536)
      git-lfs | CVE-2023-29406 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/http: insufficient sanitization of Host header (https://avd.aquasec.com/nvd/cve-2023-29406)
      git-lfs | CVE-2023-29409 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: slow verification of certificate chains containing large RSA keys (https://avd.aquasec.com/nvd/cve-2023-29409)
      git-lfs | CVE-2023-39321 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: panic when processing post-handshake message on QUIC connections (https://avd.aquasec.com/nvd/cve-2023-39321)
      git-lfs | CVE-2023-39322 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: crypto/tls: lack of a limit on buffered post-handshake (https://avd.aquasec.com/nvd/cve-2023-39322)
      git-lfs | CVE-2024-24788 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net: malformed DNS message can cause infinite loop (https://avd.aquasec.com/nvd/cve-2024-24788)
      git-lfs | CVE-2024-24790 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
      git-lfs | CVE-2024-24791 | MEDIUM   | will_not_fix        | 3.5.1-1.el9       |               | net/http: Denial of service due to improper 100-continue handling in net/http (https://avd.aquasec.com/nvd/cve-2024-24791)
      git-lfs | CVE-2024-9355  | MEDIUM   | affected            | 3.5.1-1.el9       |               | golang-fips: Golang FIPS zeroed buffer (https://avd.aquasec.com/nvd/cve-2024-9355)

      and

      Library          | Vulnerability  | Severity | Status | Installed Version | Fixed Version   | Title
      golang.org/x/net | CVE-2023-45288 | MEDIUM   | fixed  | v0.17.0           | 0.23.0          | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288)
      stdlib           | CVE-2024-24790 | CRITICAL | fixed  | 1.21.8            | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
      stdlib           | CVE-2023-45288 | HIGH     | fixed  | 1.21.8            | 1.21.9, 1.22.2  | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288)
      stdlib           | CVE-2024-34156 | HIGH     | fixed  | 1.21.8            | 1.22.7, 1.23.1  | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... (https://avd.aquasec.com/nvd/cve-2024-34156)
      stdlib           | CVE-2024-24789 | MEDIUM   | fixed  | 1.21.8            | 1.21.11, 1.22.4 | golang: archive/zip: Incorrect handling of certain ZIP files (https://avd.aquasec.com/nvd/cve-2024-24789)
      stdlib           | CVE-2024-24791 | MEDIUM   | fixed  | 1.21.8            | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http (https://avd.aquasec.com/nvd/cve-2024-24791)
      stdlib           | CVE-2024-34155 | MEDIUM   | fixed  | 1.21.8            | 1.22.7, 1.23.1  | go/parser: golang: Calling any of the Parse functions containing deeply nested literals... (https://avd.aquasec.com/nvd/cve-2024-34155)
      stdlib           | CVE-2024-34158 | MEDIUM   | fixed  | 1.21.8            | 1.22.7, 1.23.1  | go/build/constraint: golang: Calling Parse on a "// +build" build tag line with... (https://avd.aquasec.com/nvd/cve-2024-34158)

      Note that all but one of the vuln reports in the latest release of `git-lfs` are transitive vulns because git-lfs was built with a relatively old (1.21.8) version of the Go compiler/stdlib, which is the actual source of the vulns.

      So, with the ultimate goal of minimizing the number of CVE vulnerabilities reported against `git-lfs` in redhat images (`ubi9` or otherwise), my request is the following. Could RedHat pretty-please:
      1. Create packages for `git-lfs` where the application is compiled with a modern (the most modern?) version of the Go compiler (today 1.23.3) instead of what is done today.
      2. Update that package more frequently to pick up both new upstream releases and new Go compiler releases.

      What were you trying to do that didn't work?

      Create an image based on `redhat/ubi9-minimal` with a minimum number of active CVE vulnerabilities

      What is the impact of this issue to you?

      Risks our ability to comply with FIPS/FedRAMP certification, which in turn hurts our business since many customers require FedRAMP compliance, and if we can't provide it they have to go elsewhere.

      Please provide the package NVR for which the bug is seen:

      `redhat/ubi9-minimal`, but actually probably all the rhel9 images.

      How reproducible is this bug?:

      100% reproducible

      Steps to reproduce

      Build an image from the following `Dockerfile`

      FROM redhat/ubi9-minimal
      RUN microdnf update && microdnf install git-lfs

      then run `trivy image` against the resulting image.

      Expected results

      A few CVE vuln reports

      Actual results

      A LOT of CVE vuln reports, particularly against git-lfs
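As an added example (not code from the issue, from git-lfs or from Red Hat), a small Go program that reads the toolchain version the Go linker embeds in a binary via `debug/buildinfo` and checks it against the stdlib fixed versions trivy listed in the second table, using a branch-aware rule: the paired fixed versions (e.g. 1.21.11, 1.22.4) are backports per release branch, so a binary is clean once it is at or above the fix on its own branch. The binary path is a placeholder; the CVE ids and fixed versions are those quoted in the issue.

```go
// Added example, not code from the issue: compare the Go toolchain version a binary embeds with trivy's fixed versions.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Go stdlib CVEs and fixed versions exactly as trivy reported them in the issue's second table.
var stdlibFixes = map[string][]string{
	"CVE-2023-45288": {"1.21.9", "1.22.2"}, "CVE-2024-24789": {"1.21.11", "1.22.4"},
	"CVE-2024-24790": {"1.21.11", "1.22.4"}, "CVE-2024-24791": {"1.21.12", "1.22.5"},
	"CVE-2024-34155": {"1.22.7", "1.23.1"}, "CVE-2024-34156": {"1.22.7", "1.23.1"},
	"CVE-2024-34158": {"1.22.7", "1.23.1"},
}

// verKey maps "go1.21.8" or "1.22.4" to a major.minor branch and a full key; "rc1" tags and toolchain suffixes read as patch 0.
func verKey(s string) (branch, key int) {
	var v [3]int
	fmt.Sscanf(strings.TrimPrefix(s, "go"), "%d.%d.%d", &v[0], &v[1], &v[2])
	branch = v[0]*1000 + v[1]
	return branch, branch*1000 + v[2]
}

// Affected: vulnerable when installed is below the fix on its own branch, or below every fix (older branch, no backport);
// a branch newer than every listed fix was released with the fix already and is clean.
func Affected(installed string, fixed []string) bool {
	ib, ik := verKey(installed)
	belowAll := true
	for _, f := range fixed {
		fb, fk := verKey(f)
		if fb == ib {
			return ik < fk
		}
		belowAll = belowAll && ik < fk
	}
	return belowAll
}

// OpenStdlibCVEs lists the table's CVEs a binary built with goVersion still lacks a fix for.
func OpenStdlibCVEs(goVersion string) []string {
	var open []string
	for cve, fixed := range stdlibFixes {
		if Affected(goVersion, fixed) {
			open = append(open, cve)
		}
	}
	sort.Strings(open)
	return open
}

func main() { // usage: go run . /usr/bin/git-lfs (placeholder path)
	info, err := buildinfo.ReadFile(os.Args[1]) // build metadata the Go linker embeds in every binary
	if err != nil {
		panic(err)
	}
	fmt.Println("built with", info.GoVersion, "open stdlib CVEs:", OpenStdlibCVEs(info.GoVersion))
}
```

Run against the git-lfs binary from the issue's image, a `go1.21.8` build reports all seven stdlib CVEs from the table, while a rebuild with go1.23.3 reports none of them.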

              Assignee: Ondrej Pohorelsky (opohorel@redhat.com)
              Reporter: Axel von Bertoldi (avonbertoldi@gitlab.com) (Inactive)
              Ondrej Pohorelsky
              RHEL SST CS base utils QE Bot