Critical CVE(s) in Docker Image; Update to Alpine 3.15 for base? #2580

Closed
jmacelroy opened this issue Jan 25, 2022 · 2 comments · Fixed by #2582
Comments

@jmacelroy
Contributor

There are a number of critical CVEs in the docker images built from the project.

CVE-2021-36159
CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2021-3711
CVE-2021-22945
CVE-2021-3711

I tried making a change to use alpine 3.15 as a base but there appears to be a dependency on a custom alpine for risc support and the rootless image that I don't have the ability to update myself.

@tonistiigi
Member

 # regctl image copy alpine:3.15 tonistiigi/alpine:3.15
 # ALPINE_REPO=tonistiigi/alpine:edge docker buildx bake "https://github.com/tonistiigi/dockerfile-alpine.git" all --push
[+] Building 19.5s (26/26) FINISHED
 => CACHED [internal] load git source https://github.com/tonistiigi/dockerfile-alpine.git                                                                    0.0s
 => resolve image config for docker.io/docker/dockerfile-upstream:master-labs                                                                                1.1s
 => [auth] docker/dockerfile-upstream:pull token for registry-1.docker.io                                                                                    0.0s
 => CACHED docker-image://docker.io/docker/dockerfile-upstream:master-labs@sha256:76155c447eb5eb453f265b227931dc02ba91185ade1cdcfa1e310b600685f9f1           0.0s
 => => resolve docker.io/docker/dockerfile-upstream:master-labs@sha256:76155c447eb5eb453f265b227931dc02ba91185ade1cdcfa1e310b600685f9f1                      0.0s
 => [linux/ppc64le internal] load metadata for docker.io/library/alpine:edge                                                                                 1.1s
 => [linux/arm/v7 internal] load metadata for docker.io/library/alpine:edge                                                                                  3.2s
 => [linux/amd64 internal] load metadata for docker.io/library/alpine:edge                                                                                   3.4s
 => [linux/s390x internal] load metadata for docker.io/library/alpine:edge                                                                                   3.4s
 => [linux/arm64 internal] load metadata for docker.io/library/alpine:edge                                                                                   3.2s
 => [linux/arm64 internal] load metadata for docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04                 0.0s
 => [linux/arm/v6 internal] load metadata for docker.io/library/alpine:edge                                                                                  3.2s
 => [auth] library/alpine:pull token for registry-1.docker.io                                                                                                0.0s
 => [linux/arm64 builder 1/3] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                     0.4s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => => sha256:863239114e4bd9eef9cdf736b57a7f9f349e18280a9d771cf0780288000cb0f9 2.71MB / 2.71MB                                                               0.3s
 => => extracting sha256:863239114e4bd9eef9cdf736b57a7f9f349e18280a9d771cf0780288000cb0f9                                                                    0.1s
 => [linux/arm/v6 alpine-release 1/1] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188             0.0s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => CACHED [linux/arm64 xx 1/1] FROM docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04                         0.0s
 => => resolve docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04                                               0.0s
 => [linux/amd64 alpine-release 1/1] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188              0.1s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => [linux/ppc64le alpine-release 1/1] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188            0.0s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => [linux/s390x alpine-release 1/1] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188              0.0s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => [linux/arm/v7 alpine-release 1/1] FROM docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188             0.0s
 => => resolve docker.io/library/alpine:edge@sha256:1a4c2018cfbab67566904e18fde9bf6a5c190605bf7da0e1d181b26746a15188                                         0.0s
 => [linux/arm64 builder 2/3] COPY --from=xx / /                                                                                                             0.0s
 => [linux/arm64 builder 3/3] RUN <<-eof (set -e...)                                                                                                         4.3s
 => [linux/riscv64 alpine-fromsource 1/1] COPY --from=builder /out /                                                                                         0.0s
 => exporting to image                                                                                                                                       9.4s
 => => exporting layers                                                                                                                                      0.2s
 => => exporting manifest sha256:7de875d78d653bcce92bd09552f85d7ccfe442b66de4811f58c5d9dab8583978                                                            0.0s
 => => exporting config sha256:e8e16565d4d0f4e5aec7336bfa359afbfe361e34bd9139eeed7b80599a24c460                                                              0.0s
 => => exporting manifest sha256:43a1b523a808f46352077ca522f6fe9ffd9f1096098fbf97b317ae812826d47e                                                            0.0s
 => => exporting config sha256:a1b84dedc45fc12484297a65d4ef9d3812cd7a31a40562fc3e42824b9878ae32                                                              0.0s
 => => exporting manifest sha256:0d8a93cb5b9d1f7f20a527e5e6fdd8d97af51a8e8dc6c506e0396e2ede1503a6                                                            0.0s
 => => exporting config sha256:c7804ee4cb01a725593783ef86162f61e1eb87eb633fe62089f0a362a178ce5b                                                              0.0s
 => => exporting manifest sha256:e401f55f74926f985bcf5723a09de985d7e7e9e80e8a1f3638d938c17aa4dc93                                                            0.0s
 => => exporting config sha256:dd7b73fca7553ab8679a4f24c0a28ac47c227598e822a091f0e0494727a78dbf                                                              0.0s
 => => exporting manifest sha256:bba76efb8d61adce63774536b048a0cfdaf58f3cd807488ba63f96ddbf19d200                                                            0.0s
 => => exporting config sha256:1732c60fdc4a12466eb0981f377e3f0911a9a7bd8e95d0a40849ac8ded3276f1                                                              0.0s
 => => exporting manifest sha256:419439bde1c559679d8dd4d78031ce7bf2fdb117eb39619156f3881d0a34e6aa                                                            0.0s
 => => exporting config sha256:cfe41c533280d3e659ce17297878ba246d4279c5ab2d11dd2b5932659fdd8af2                                                              0.0s
 => => exporting manifest sha256:89bba6207c5599c58db25d7d40907366e5987f3e3aa0419dad27cb545382503a                                                            0.0s
 => => exporting config sha256:08dee1a0216175cefcf2eebb1ee0435846f19c0ef46cd7b1a70bd592a6a1ef25                                                              0.0s
 => => exporting manifest list sha256:4e9b64a59f8ddf945dc938c8bae3890842151bf2b8f2af392b4b6e1c6821d47d                                                       0.0s
 => => pushing layers                                                                                                                                        6.1s
 => => pushing manifest for docker.io/tonistiigi/alpine:edge@sha256:4e9b64a59f8ddf945dc938c8bae3890842151bf2b8f2af392b4b6e1c6821d47d                         3.0s
 => [auth] tonistiigi/alpine:pull,push token for registry-1.docker.io                                                                                        0.0s
 => [auth] tonistiigi/alpine:pull,push token for registry-1.docker.io                                                                                        0.0s
 => [auth] library/alpine:pull tonistiigi/alpine:pull,push token for registry-1.docker.io                                                                    0.0s
 # docker buildx imagetools inspect tonistiigi/alpine:edge
Name:      docker.io/tonistiigi/alpine:edge
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:4e9b64a59f8ddf945dc938c8bae3890842151bf2b8f2af392b4b6e1c6821d47d

Manifests:
  Name:      docker.io/tonistiigi/alpine:edge@sha256:7de875d78d653bcce92bd09552f85d7ccfe442b66de4811f58c5d9dab8583978
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      docker.io/tonistiigi/alpine:edge@sha256:43a1b523a808f46352077ca522f6fe9ffd9f1096098fbf97b317ae812826d47e
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64

  Name:      docker.io/tonistiigi/alpine:edge@sha256:0d8a93cb5b9d1f7f20a527e5e6fdd8d97af51a8e8dc6c506e0396e2ede1503a6
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v7

  Name:      docker.io/tonistiigi/alpine:edge@sha256:e401f55f74926f985bcf5723a09de985d7e7e9e80e8a1f3638d938c17aa4dc93
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v6

  Name:      docker.io/tonistiigi/alpine:edge@sha256:bba76efb8d61adce63774536b048a0cfdaf58f3cd807488ba63f96ddbf19d200
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/ppc64le

  Name:      docker.io/tonistiigi/alpine:edge@sha256:419439bde1c559679d8dd4d78031ce7bf2fdb117eb39619156f3881d0a34e6aa
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/s390x

  Name:      docker.io/tonistiigi/alpine:edge@sha256:89bba6207c5599c58db25d7d40907366e5987f3e3aa0419dad27cb545382503a
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/riscv64
 # docker buildx imagetools create --append -t tonistiigi/alpine:3.15 docker.io/tonistiigi/alpine:edge@sha256:89bba6207c5599c58db25d7d40907366e5987f3e3aa0419dad27cb545382503a
docker.io/tonistiigi/alpine:3.15
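One way to sanity-check the result of that append step, as an added example that is not buildkit's or the maintainer's code: it models a manifest list in the layout `imagetools inspect` prints, moves one platform entry from a second index into it (the effect of `imagetools create --append`), lists platforms still missing, and records which base each platform's manifest came from, since a riscv64 variant built from edge has a different package set than the 3.15 variants and needs its own CVE scan. The indexes and digests below are constructed placeholders, not the real ones from the thread.

```python
import json
from typing import Dict, List

MANIFEST_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def descriptor(digest: str, os_: str, arch: str) -> dict:
    """One manifest-list entry, in the layout `imagetools inspect` prints."""
    return {"mediaType": MANIFEST_V2, "digest": digest, "size": 528,
            "platform": {"os": os_, "architecture": arch}}

def index(*entries: dict) -> dict:
    return {"schemaVersion": 2, "mediaType": MANIFEST_LIST, "manifests": list(entries)}

def platform_key(entry: dict) -> str:
    """'linux/arm/v7'-style key; the variant is included when an entry carries one."""
    p = entry["platform"]
    return "/".join(x for x in (p["os"], p["architecture"], p.get("variant", "")) if x)

def append_manifest(target: dict, source: dict, platform: str) -> dict:
    """Copy of `target` with the `platform` manifest taken from `source`. Refuses to
    overwrite a platform the target already has (this example's policy, not buildx's)."""
    if platform in {platform_key(m) for m in target["manifests"]}:
        raise ValueError(f"{platform} already present in target")
    wanted = [m for m in source["manifests"] if platform_key(m) == platform]
    if len(wanted) != 1:
        raise ValueError(f"{platform}: {len(wanted)} matching manifests in source")
    merged = json.loads(json.dumps(target))  # deep copy; caller's target stays untouched
    merged["manifests"].append(wanted[0])
    return merged

def missing_platforms(idx: dict, required: List[str]) -> List[str]:
    present = {platform_key(m) for m in idx["manifests"]}
    return [p for p in required if p not in present]

def provenance(idx: dict, sources: Dict[str, dict]) -> Dict[str, str]:
    """platform -> name of the source index carrying the same digest ('unknown' if none).
    A platform built from another base (riscv64 from edge here) has that base's package
    set, so it needs its own CVE scan; scanning only the amd64 variant misses it."""
    by_digest = {m["digest"]: name for name, src in sources.items() for m in src["manifests"]}
    return {platform_key(m): by_digest.get(m["digest"], "unknown") for m in idx["manifests"]}

def fake_digest(n: int) -> str:
    return "sha256:" + f"{n:02x}" * 32  # constructed placeholder, not a real digest

# Constructed sample indexes modelled on the thread: 3.15 lacks riscv64, edge has it.
ALPINE_315 = index(descriptor(fake_digest(1), "linux", "amd64"), descriptor(fake_digest(2), "linux", "arm64"))
ALPINE_EDGE = index(descriptor(fake_digest(3), "linux", "amd64"), descriptor(fake_digest(4), "linux", "arm64"),
                    descriptor(fake_digest(5), "linux", "riscv64"))
REQUIRED = ["linux/amd64", "linux/arm64", "linux/riscv64"]
```

Feed `provenance` the real indexes from `docker buildx imagetools inspect --raw` to get the same per-platform map for a published tag.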

@remidebette

Hi, when do we expect a 3.15 alpine to be made available in the buildkit docker public images?
