From b7d7acfe29985d0fc7dba17d78e335eef1e4fc79 Mon Sep 17 00:00:00 2001
From: Sneha Aradhey
Date: Tue, 4 Jun 2024 00:47:40 +0000
Subject: [PATCH] fix CVEs CVE-2024-33600 CVE-2024-33602 CVE-2024-2961 CVE-2024-33601 CVE-2024-33599
---
 Dockerfile | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b6eaf6b00..b7bf67f2c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,13 +22,15 @@ ADD . .
 RUN GOARCH=$(echo $TARGETPLATFORM | cut -f2 -d '/') GCE_PD_CSI_STAGING_VERSION=$STAGINGVERSION make gce-pd-driver
 
 # Start from Kubernetes Debian base.
-FROM gke.gcr.io/debian-base:bullseye-v1.4.3-gke.5 as debian
+
+FROM gke.gcr.io/debian-base:bookworm-v1.0.3-gke.0 as debian
+
 # Install necessary dependencies
 # google_nvme_id script depends on the following packages: nvme-cli, xxd, bash
 RUN clean-install util-linux e2fsprogs mount ca-certificates udev xfsprogs nvme-cli xxd bash
 
 # Since we're leveraging apt to pull in dependencies, we use `gcr.io/distroless/base` because it includes glibc.
-FROM gcr.io/distroless/base-debian11 as distroless-base
+FROM gcr.io/distroless/base-debian12 as distroless-base
 
 # The distroless amd64 image has a target triplet of x86_64
 FROM distroless-base AS distroless-amd64
@@ -72,8 +74,7 @@ COPY --from=debian /bin/ln /bin/ln
 COPY --from=debian /bin/udevadm /bin/udevadm
 
 # Copy shared libraries into distroless base.
-COPY --from=debian /lib/${LIB_DIR_PREFIX}-linux-gnu/libpcre.so.3 \
- /lib/${LIB_DIR_PREFIX}-linux-gnu/libselinux.so.1 \
+COPY --from=debian /lib/${LIB_DIR_PREFIX}-linux-gnu/libselinux.so.1 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/libtinfo.so.6 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/libe2p.so.2 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/libcom_err.so.2 \
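Review bot: Neither base image in the first hunk is pinned by digest, so the glibc fix the commit title claims (CVE-2024-2961 and CVE-2024-33599 through CVE-2024-33602) depends on whatever `gke.gcr.io/debian-base:bookworm-v1.0.3-gke.0` and the floating `gcr.io/distroless/base-debian12` tag resolve to at build time, and a later rebuild of either tag can silently change the glibc that lands in the image. Pin both with a digest, e.g. `FROM gke.gcr.io/debian-base:bookworm-v1.0.3-gke.0@sha256:<digest> AS debian` and `FROM gcr.io/distroless/base-debian12@sha256:<digest> AS distroless-base`, and record in the commit message which digest was verified to carry the patched glibc. Pinning matters more than usual here because the third hunk copies `libc.so.6` from the `debian` stage over the glibc the distroless base already ships, so the two images must come from the same Debian point release for the CVE claim to hold. Separately, the new `FROM … as debian` line keeps the lowercase `as` while `FROM distroless-base AS distroless-amd64` a few lines below uses `AS`; BuildKit's FromAsCasing check flags the mismatch, so prefer `AS` in the lines this commit touches.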
@@ -82,7 +83,20 @@ COPY --from=debian /lib/${LIB_DIR_PREFIX}-linux-gnu/libpcre.so.3 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/libgcc_s.so.1 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/liblzma.so.5 \
 /lib/${LIB_DIR_PREFIX}-linux-gnu/libreadline.so.8 \
- /lib/${LIB_DIR_PREFIX}-linux-gnu/libz.so.1 /lib/${LIB_DIR_PREFIX}-linux-gnu/
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libz.so.1 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libc.so.6 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/liburcu.so.8 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libcap.so.2 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libcrypto.so.3 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libdbus-1.so.3 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libgcrypt.so.20 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libjson-c.so.5 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/liblz4.so.1 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libm.so.6 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libnvme-mi.so.1 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libnvme.so.1 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libsystemd.so.0 \
+ /lib/${LIB_DIR_PREFIX}-linux-gnu/libzstd.so.1 /lib/${LIB_DIR_PREFIX}-linux-gnu/
 
 COPY --from=debian /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libblkid.so.1 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libbsd.so.0 \
@@ -93,9 +107,9 @@ COPY --from=debian /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libblkid.so.1 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libacl.so.1 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libattr.so.1 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libedit.so.2 \
- /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicudata.so.67 \
- /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicui18n.so.67 \
- /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicuuc.so.67 \
+ /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicudata.so.72 \
+ /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicui18n.so.72 \
+ /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libicuuc.so.72 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libkmod.so.2 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libmd.so.0 \
 /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libpcre2-8.so.0 \
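Review bot: The added `libc.so.6` (and `libm.so.6`) line in the first hunk here overwrites the glibc that `gcr.io/distroless/base-debian12` already provides, but the matching dynamic loader (`ld-linux-*.so.*` from the same `/lib/${LIB_DIR_PREFIX}-linux-gnu/` directory) is not copied with it in this hunk, so unless it is copied elsewhere in the file the final image runs the distroless loader against the debian stage's libc; glibc only guarantees loader and libc work together when they come from the same build, and a mismatch shows up at runtime as `GLIBC_PRIVATE` or relocation errors, or more quietly as a libc that is not the one the base image's CVE status was assessed against. Either drop `libc.so.6` and `libm.so.6` from this COPY and rely on the distroless base's glibc, or copy the loader from the same stage and pin both base images so they carry the same glibc package version. The list also brings `libcrypto.so.3`, `libgcrypt.so.20`, `libdbus-1.so.3` and `libsystemd.so.0` into the distroless image, presumably as transitive dependencies of bookworm's nvme-cli; each is a separately CVE-tracked library now owned by the `debian` stage rather than the base, so add a comment such as `# nvme-cli (libnvme) runtime deps, sourced from the debian stage; keep in sync with its package versions` above the new lines and make sure the image scanner inspects these copied files rather than only the base image manifest. The COPY statement this hunk modifies starts before the hunk.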