CVE-2019-15847

[marijus-ravickas]

Hi,

Please fix CVE-2019-15847 in node:12-alpine image tag.

Thx.

[SimenB]

Please see https://github.com/nodejs/docker-node/blob/master/SECURITY.md

[marijus-ravickas]

Dear Simen,

Policy is clear and logical. But:

❯ docker pull node:12-alpine3.11
12-alpine3.11: Pulling from library/node
cbdbe7a5bc2a: Already exists
091983d60f65: Already exists
7bacc183740f: Already exists
c4a5a5d270d4: Already exists
Digest: sha256:9623cd396644f9b2e595d833dc0188a880333674488d939338ab5fde10ef7c43
Status: Downloaded newer image for node:12-alpine3.11
docker.io/library/node:12-alpine3.11

~
❯ docker run -it --rm --entrypoint '' docker.io/library/node:12-alpine3.11 sh
/ #
/ #
/ # apk list | grep gcc
WARNING: Ignoring APKINDEX.89bc0353.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.737d2c92.tar.gz: No such file or directory
libstdc++-9.2.0-r4 x86_64 {gcc} (GPL LGPL) [installed]
libgcc-9.2.0-r4 x86_64 {gcc} (GPL LGPL) [installed]

and I can see in dockerfile that this image is depends on FROM alpine:3.11 and this part of code actually installs build prerequisites. And if I am rebuilding using this Dockerfile, I am getting different gcc version: 9.3.0-r0.

❯ git clone https://github.com/nodejs/docker-node.git
Cloning into 'docker-node'...
remote: Enumerating objects: 25, done.
remote: Counting objects: 100% (25/25), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 8690 (delta 8), reused 18 (delta 6), pack-reused 8665
Receiving objects: 100% (8690/8690), 1.17 MiB | 2.49 MiB/s, done.
Resolving deltas: 100% (4416/4416), done.

~/clones/github
❯ cd docker-node/12/alpine3.11/

docker-node/12/alpine3.11 on  master
❯ docker build -t node:fresh_build .
Sending build context to Docker daemon  6.656kB
Step 1/8 : FROM alpine:3.11
3.11: Pulling from library/alpine
cbdbe7a5bc2a: Already exists
Digest: sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54
Status: Downloaded newer image for alpine:3.11
 ---> f70734b6a266
Step 2/8 : ENV NODE_VERSION 12.18.3
 ---> Running in 517d8c31e964
Removing intermediate container 517d8c31e964
 ---> abda67ceb854
Step 3/8 : RUN addgroup -g 1000 node     && adduser -u 1000 -G node -s /bin/sh -D node     && apk add --no-cache         libstdc++     && apk add --no-cache --virtual .build-deps         curl     && ARCH= && alpineArch="$(apk --print-arch)"       && case "${alpineArch##*-}" in         x86_64)           ARCH='x64'           CHECKSUM="14dafe026366e7a9cc8d4737b1fcdcb6c534667e22bbeea63a29a1791ac6ac1f"           ;;         *) ;;       esac   && if [ -n "${CHECKSUM}" ]; then     set -eu;     curl -fsSLO --compressed "https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz";     echo "$CHECKSUM  node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" | sha256sum -c -       && tar -xJf "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" -C /usr/local --strip-components=1 --no-same-owner       && ln -s /usr/local/bin/node /usr/local/bin/nodejs;   else     echo "Building from source"     && apk add --no-cache --virtual .build-deps-full         binutils-gold         g++         gcc         gnupg         libgcc         linux-headers         make         python     && for key in       4ED778F539E3634C779C87C6D7062848A1AB005C       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       B9E2F5981AA6E0CD28160D9FF13993A75599653C     ; do       gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" ||       gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" ||       gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ;     done     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz"     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc"     && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc     && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c -     && tar -xf "node-v$NODE_VERSION.tar.xz"     && cd "node-v$NODE_VERSION"     && ./configure     && make -j$(getconf _NPROCESSORS_ONLN) V=     && make install     && apk del .build-deps-full     && cd ..     && rm -Rf "node-v$NODE_VERSION"     && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt;   fi   && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz"   && apk del .build-deps   && node --version   && npm --version
 ---> Running in 0ca8d38487f8
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/2) Installing libgcc (9.3.0-r0)
(2/2) Installing libstdc++ (9.3.0-r0)
OK: 7 MiB in 16 packages
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/5) Installing ca-certificates (20191127-r2)
(2/5) Installing nghttp2-libs (1.40.0-r1)
(3/5) Installing libcurl (7.67.0-r0)
(4/5) Installing curl (7.67.0-r0)
(5/5) Installing .build-deps (20200819.121436)
Executing busybox-1.31.1-r9.trigger
Executing ca-certificates-20191127-r2.trigger
OK: 9 MiB in 21 packages
node-v12.18.3-linux-x64-musl.tar.xz: OK
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
(1/5) Purging .build-deps (20200819.121436)
(2/5) Purging curl (7.67.0-r0)
(3/5) Purging libcurl (7.67.0-r0)
(4/5) Purging ca-certificates (20191127-r2)
Executing ca-certificates-20191127-r2.post-deinstall
(5/5) Purging nghttp2-libs (1.40.0-r1)
Executing busybox-1.31.1-r9.trigger
OK: 7 MiB in 16 packages
v12.18.3
6.14.6
Removing intermediate container 0ca8d38487f8
 ---> 606535ca0729
Step 4/8 : ENV YARN_VERSION 1.22.4
 ---> Running in 3fd27f744944
Removing intermediate container 3fd27f744944
 ---> 826b82fc606d
Step 5/8 : RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar   && for key in     6A010C5166006599AA17F08146C2130DFD2497F5   ; do     gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" ||     gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" ||     gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ;   done   && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz"   && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc"   && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz   && mkdir -p /opt   && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/   && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn   && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg   && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz   && apk del .build-deps-yarn   && yarn --version
 ---> Running in 1fe18ed9f037
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/35) Installing ca-certificates (20191127-r2)
(2/35) Installing nghttp2-libs (1.40.0-r1)
(3/35) Installing libcurl (7.67.0-r0)
(4/35) Installing curl (7.67.0-r0)
(5/35) Installing libgpg-error (1.36-r2)
(6/35) Installing libassuan (2.5.3-r0)
(7/35) Installing libcap (2.27-r0)
(8/35) Installing libffi (3.2.1-r6)
(9/35) Installing libintl (0.20.1-r2)
(10/35) Installing libblkid (2.34-r1)
(11/35) Installing libmount (2.34-r1)
(12/35) Installing pcre (8.43-r0)
(13/35) Installing glib (2.62.6-r0)
(14/35) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(15/35) Installing ncurses-libs (6.1_p20200118-r4)
(16/35) Installing libgcrypt (1.8.5-r0)
(17/35) Installing libsecret (0.19.1-r0)
(18/35) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(19/35) Installing libbz2 (1.0.8-r1)
(20/35) Installing gmp (6.1.2-r1)
(21/35) Installing nettle (3.5.1-r0)
(22/35) Installing p11-kit (0.23.18.1-r0)
(23/35) Installing libtasn1 (4.15.0-r0)
(24/35) Installing libunistring (0.9.10-r0)
(25/35) Installing gnutls (3.6.14-r0)
(26/35) Installing libksba (1.3.5-r0)
(27/35) Installing db (5.3.28-r1)
(28/35) Installing libsasl (2.1.27-r5)
(29/35) Installing libldap (2.4.48-r2)
(30/35) Installing npth (1.6-r0)
(31/35) Installing sqlite-libs (3.30.1-r2)
(32/35) Installing gnupg (2.2.19-r0)
(33/35) Installing libacl (2.2.53-r0)
(34/35) Installing tar (1.32-r1)
(35/35) Installing .build-deps-yarn (20200819.121451)
Executing busybox-1.31.1-r9.trigger
Executing ca-certificates-20191127-r2.trigger
OK: 29 MiB in 51 packages
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1646B01B86E50310: public key "Yarn Packaging <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Signature made Mon Mar  9 15:52:13 2020 UTC
gpg:                using RSA key 6D98490C6F1ACDDD448E45954F77679369475BAA
gpg: Good signature from "Yarn Packaging <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
     Subkey fingerprint: 6D98 490C 6F1A CDDD 448E  4595 4F77 6793 6947 5BAA
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
(1/35) Purging .build-deps-yarn (20200819.121451)
(2/35) Purging curl (7.67.0-r0)
(3/35) Purging gnupg (2.2.19-r0)
(4/35) Purging pinentry (1.1.0-r2)
(5/35) Purging tar (1.32-r1)
(6/35) Purging libcurl (7.67.0-r0)
(7/35) Purging ca-certificates (20191127-r2)
Executing ca-certificates-20191127-r2.post-deinstall
(8/35) Purging nghttp2-libs (1.40.0-r1)
(9/35) Purging libksba (1.3.5-r0)
(10/35) Purging libsecret (0.19.1-r0)
(11/35) Purging libgcrypt (1.8.5-r0)
(12/35) Purging libassuan (2.5.3-r0)
(13/35) Purging libgpg-error (1.36-r2)
(14/35) Purging libcap (2.27-r0)
(15/35) Purging glib (2.62.6-r0)
(16/35) Purging gnutls (3.6.14-r0)
(17/35) Purging p11-kit (0.23.18.1-r0)
(18/35) Purging libffi (3.2.1-r6)
(19/35) Purging libintl (0.20.1-r2)
(20/35) Purging libmount (2.34-r1)
(21/35) Purging libblkid (2.34-r1)
(22/35) Purging pcre (8.43-r0)
(23/35) Purging ncurses-libs (6.1_p20200118-r4)
(24/35) Purging ncurses-terminfo-base (6.1_p20200118-r4)
(25/35) Purging libbz2 (1.0.8-r1)
(26/35) Purging nettle (3.5.1-r0)
(27/35) Purging gmp (6.1.2-r1)
(28/35) Purging libtasn1 (4.15.0-r0)
(29/35) Purging libunistring (0.9.10-r0)
(30/35) Purging libldap (2.4.48-r2)
(31/35) Purging libsasl (2.1.27-r5)
(32/35) Purging db (5.3.28-r1)
(33/35) Purging npth (1.6-r0)
(34/35) Purging sqlite-libs (3.30.1-r2)
(35/35) Purging libacl (2.2.53-r0)
Executing busybox-1.31.1-r9.trigger
OK: 7 MiB in 16 packages
1.22.4
Removing intermediate container 1fe18ed9f037
 ---> 0548d4e0a8c8
Step 6/8 : COPY docker-entrypoint.sh /usr/local/bin/
 ---> 11be19a3b31b
Step 7/8 : ENTRYPOINT ["docker-entrypoint.sh"]
 ---> Running in 835aca638393
Removing intermediate container 835aca638393
 ---> e80a8105e141
Step 8/8 : CMD [ "node" ]
 ---> Running in 4a3ff62b5cc3
Removing intermediate container 4a3ff62b5cc3
 ---> ee74ea3a59e4
Successfully built ee74ea3a59e4
Successfully tagged node:fresh_build

docker-node/12/alpine3.11 on  master
❯ docker run -it --rm --entrypoint '' node:fresh_build sh
/ # apk list | grep gcc
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
libstdc++-9.3.0-r0 x86_64 {gcc} (GPL LGPL) [installed]
libgcc-9.3.0-r0 x86_64 {gcc} (GPL LGPL) [installed]

And this is the right version, which has no vulnerability. So may be in docker hub, this image somehow not updated. Bashbrew process failed or cache is taken?

[SimenB]

Dunno... @tianon?

[marijus-ravickas]

@tianon

At least from the latest Jenkins build in here I can tell that only for 14th node version images were rebuilt, other images mostly taken from the bashbrew cache. Or I am missing something?

[marijus-ravickas]

On August 19, 2020 12:34:42 PM UTC, Simen Bekkhus ***@***.***> wrote: Dunno... @tianon?

This also might be an answer. Package updated in alpine 6 days ago. https://git.alpinelinux.org/aports/commit/?h=3.11-stable&id=998910db5afb89b3f84a6c9237f4c02c164fc1c5

[tianon]

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves, especially:

Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

What I would suggest is asking the Alpine Linux community to make a new release of 3.11 so that downstream images can get rebuilt and include the updated packages (especially security fixes).

[marijus-ravickas]

@tianon
I would ask them if that would be the issue, but in this case we are in a grey zone. Package got updated in alpine apk repos, but this package isn't installed in alpine images by default, so nothing to update in vanilla images. The only way to fix node images is to rebuild, as during rebuild process updated package will be installed instead of vulnerable one.

[yosifkit]

Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:jessie would be rebuilt when debian:jessie is built).

-https://github.com/docker-library/official-images/tree/aea415109ed49cae865efb53668bf5b39e37abd4#library-definition-files

Unfortunately, official-images builds make heavy use of "docker build" cache so as to not cause unnecessary image churn for users. So the only way to get images to rebuild is to update the base image. Which is why we rebuild all debian and ubuntu base images every ~30 days, whether or not it has any package updates in the base image or not.

[SimenB]

Wait, iss gcc installed by us, but it's not present in the base image? If so, that's a bug (we just wanna add node, npm and yarn on top of the base image, nothing else). Seems to me like we (try to) uninstall them, though

docker-node/12/alpine3.11/Dockerfile

Lines 28 to 36 in 4798f99

	&& apk add --no-cache --virtual .build-deps-full \
	binutils-gold \
	g++ \
	gcc \
	gnupg \
	libgcc \
	linux-headers \
	make \
	python \

docker-node/12/alpine3.11/Dockerfile

Line 62 in 4798f99

&& apk del .build-deps-full \

[marijus-ravickas]

the issue is with this line:

docker-node/12/alpine3.11/Dockerfile

Lines 7 to 8 in 4798f99

	&& apk add --no-cache \
	libstdc++ \

It installs:

/ # apk add libstdc++
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/2) Installing libgcc (9.3.0-r0)
(2/2) Installing libstdc++ (9.3.0-r0)

This is a prerequisite for node to be working actually, if libstdc++ is removed, then node is not working at all.

[SimenB]

We could cheat to trigger a rebuild by adding a comment above those lines about why it's installed, then? Doing so would trigger an updated build for docker hub

[marijus-ravickas]

Unless new release is planned in near future.

[SimenB]

• v10 schedule Release plan - v10.x Maintenance Release#504
• v12 schedule Release plan - v12.x Maintenance Release#494
• v14 schedule Release plan - v14.x Maintenance LTS Release#567

[marijus-ravickas]

aprox 2 months from today. Hmm, unless alpine will release some bug fixes before. I don't know if You want to rely on Alpine or trigger rebuild manually. I would prefer rebuild, as node is dependent on libstdc++. But You decide.

[marijus-ravickas]

@SimenB,
there is one more upcoming release of node which fixes npm vulnerability, may be this can trigger next images rebuild.
nodejs/node#34708 (comment)

[nschonni]

I'm not sure why you're actually hitting the install steps, as there is a pre-built binary that should be picked up for the x64 platform. The manual build step should only kick in when running on something like ARM or other chipsets

[marijus-ravickas]

I'm not sure why you're actually hitting the install steps, as there is a pre-built binary that should be picked up for the x64 platform. The manual build step should only kick in when running on something like ARM or other chipsets

@nschonni
Try check this comment. It’s actualy before manual step.

#1315 (comment)

[nschonni]

Thanks! I'm thinking it was required for running Node as it's also like this in https://github.com/nodejs/unofficial-builds/blob/master/recipes/musl/Dockerfile, but I'm not really sure

[marijus-ravickas]

It is actualy a mandatory requirement, without it node breaks.

[jansepke]

So what is the alternative to waiting for the next nodejs or alpine release? Do I just need to update gcc in my container?

[yosifkit]

So what is the alternative to waiting for the next nodejs or alpine release? Do I just need to update gcc in my container?

You could. But in the description of CVE-2019-15847 and made clear on the Debian security tracker, it "affects only POWER9 binaries". So it is unlikely to be relevant.

Note that this CVE is "unfixed" in all stable and LTS releases of Debian and Ubuntu.

this is part of the power9 ISA, and Ubuntu binaries are built
with the power8 ISA, so no binaries in the archive are affected

setting priority to negligible

- https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html