From b58cc86a5d9e67a6061919ceaef81d5d00fb5c70 Mon Sep 17 00:00:00 2001
From: Matthew Mellor
Date: Tue, 19 May 2026 21:34:44 -0500
Subject: [PATCH] fix(container): apt-get upgrade in runtime stage for Debian CVE patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Trivy's blocking OS-package scan failed v1.11.2 with three HIGH vulnerabilities — libcap2 CVE-2026-4878 (privilege-escalation TOCTOU race) and libsystemd0/libudev1 CVE-2026-29111 (arbitrary code execution / DoS). All three were "fixed" in Debian bookworm but the versions installed by the base image's COPY were one patch behind.

Without an explicit `apt-get upgrade` step, the runtime image's already-installed system libraries stay at whatever version the debian:bookworm-slim manifest shipped — which lags Debian's security archive by hours-to-days. Adding `apt-get upgrade -y --no-install-recommends` to the same layer as the install step pulls the latest patched versions of all base packages on every build.

The scheduled weekly build catches this drift via fresh layer caches, but per-PR builds (like the v1.11.1/v1.11.2 tag pushes) need the explicit upgrade.

NOT validated locally — the kotlin install step hit a flaky curl exit 56 during my rebuild. The Dockerfile change is conceptually trivial; CI will confirm.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 CHANGELOG.md | 12 ++++++++++++
 Dockerfile   | 40 +++++++++++++++++++++++-----------------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 117f26d..51fc278 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Security + +- **Apply Debian security upgrades on every image build.** The runtime + stage's `apt-get install` no longer trusts the base image to be at + current patch level — an `apt-get upgrade -y --no-install-recommends` + in the same layer pulls security-patched versions of base packages + (libcap2, libsystemd0, libudev1, etc.). Closes the gap that caused + Trivy's blocking OS-package scan to fail on v1.11.2 after Debian + shipped CVE-2026-4878 (libcap2 privilege-escalation TOCTOU race) and + CVE-2026-29111 (systemd arbitrary code execution / DoS) without the + `debian:bookworm-slim` manifest catching up. + ### Fixed - **Issue #41:** Makefile's `LANGUAGES` invocation of `yq` now uses `-r` diff --git a/Dockerfile b/Dockerfile index 32755d1..82e02fc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -93,23 +93,29 @@ LABEL org.opencontainers.image.description="DevRail developer toolchain containe LABEL org.opencontainers.image.licenses="MIT" LABEL org.opencontainers.image.version="${DEVRAIL_VERSION}" -# Base system dependencies -RUN apt-get update && apt-get install -y --no-install-recommends \ - bash \ - ca-certificates \ - curl \ - git \ - gnupg \ - jq \ - make \ - python3 \ - python3-pip \ - python3-venv \ - build-essential \ - libyaml-dev \ - shellcheck \ - unzip \ - wget \ +# Base system dependencies. `apt-get upgrade` pulls security-patched +# versions of packages already in the base image (libcap2, libsystemd0, +# libudev1, etc.) — without it, Trivy's blocking OS-package scan rejects +# the build when Debian publishes a CVE fix before the base-image +# manifest catches up. Same layer as `install` to keep image size down. +RUN apt-get update \ + && apt-get upgrade -y --no-install-recommends \ + && apt-get install -y --no-install-recommends \ + bash \ + ca-certificates \ + curl \ + git \ + gnupg \ + jq \ + make \ + python3 \ + python3-pip \ + python3-venv \ + build-essential \ + libyaml-dev \ + shellcheck \ + unzip \ + wget \ && rm -rf /var/lib/apt/lists/* # Install yq for YAML parsing in Makefile language detection
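Review bot: on the CHANGELOG.md hunk, the Security entry says the upgrade "pulls security-patched versions of base packages" and "closes the gap" without qualification, but the step it describes only runs when the `RUN` layer is actually rebuilt; a PR build served from a warm layer cache keeps the old libcap2/libsystemd0 regardless of the Dockerfile change. Either qualify the sentence or name the CI behaviour the fix depends on (the fresh-cache or `--no-cache` build), otherwise a reader of the changelog will assume every build is covered. Minor wording point: "CVE-2026-29111 (systemd arbitrary code execution / DoS)" reads as if the systemd daemon is in the image, whereas the commit message scopes the CVE to libsystemd0/libudev1, which is what bookworm-slim actually ships; mirror that wording so the entry matches the packages Trivy flagged.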
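Review bot: on the Dockerfile hunk, `RUN apt-get update \ && apt-get upgrade -y --no-install-recommends \ && apt-get install ...` only fetches newer packages when that layer is executed; with an unchanged instruction string on top of an unchanged base-image layer, both BuildKit and the classic builder restore the layer from cache, so the per-PR builds the commit message is worried about will still ship the stale libraries unless the gating job runs with `--no-cache` (and `--pull` so the base manifest itself is refreshed) or a cache-busting `ARG` (for example a build date) is declared immediately before this `RUN`. Separately, `apt-get upgrade` never installs new packages or removes existing ones, so a security update whose dependencies changed is silently held back and the Trivy scan would fail again with no error at build time; prefer `apt-get dist-upgrade -y` or add `--with-new-pkgs`, and drop `--no-install-recommends` from the `upgrade` call, where it is accepted but does nothing because no new packages are pulled in. The comment's "Same layer as `install` to keep image size down" is correct given the trailing `rm -rf /var/lib/apt/lists/*` in the same `RUN`.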