Rebuild drone/git for CVE-2021-45960 (expat bug; minor)

Hello! Could you please rebuild drone/git with refreshed packages from Alpine?

Found in drone/git:latest:

crit    expat   2.2.9-r1        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960

This was fixed by Alpine in expat 2.2.10-r2 for branch 3.13.

I expect this bug is entirely harmless – there should be no reason to parse XML while cloning a Git repository – though the presence of this old package is enough to trip alarm bells in security tools.

Thanks!

(I did go hunting for a way to override the default, but it would appear as though this is a fixed constant.)
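As an added example (not code from the issue thread or from Drone), this is the triage check a reviewer would run on a scanner finding like the one above: parse the finding line, compare the installed apk version against the branch's fixed version numerically rather than lexically, and decide whether the package is still below the fix. The finding line, the fix map and the apk version parsing are constructed simplifications of what the thread states.

```python
import re
from typing import Optional, Tuple

# Constructed sample in the same shape as the scanner output quoted in the issue:
# severity, package, installed version, advisory URL.
SAMPLE_FINDING = ("crit    expat   2.2.9-r1        "
                  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960")

# Fixed version per (package, Alpine branch) as stated in the issue for expat on 3.13.
# A real map would be fed from the Alpine secdb; this one is constructed.
FIXED_IN = {("expat", "3.13"): "2.2.10-r2"}


def parse_apk_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split an apk-style version such as '2.2.10-r2' into (numeric parts, release).

    Simplification: only dotted numeric versions with an optional -rN suffix are
    accepted; letter suffixes and pre-release tags (e.g. _rc1) raise ValueError.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    release = int(m.group(2) or 0)
    return parts, release


def apk_version_lt(a: str, b: str) -> bool:
    """True if a sorts before b; numeric comparison, so 2.2.9-r1 < 2.2.10-r2."""
    return parse_apk_version(a) < parse_apk_version(b)


def parse_finding(line: str) -> Tuple[str, str, str, str]:
    """Parse 'severity  package  version  url' as emitted in the scanner output."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"unexpected finding format: {line!r}")
    return fields[0], fields[1], fields[2], fields[3]


def still_vulnerable(line: str, alpine_branch: str) -> Optional[bool]:
    """True if the installed version is older than the branch's fixed version,
    False if it is at or past the fix, None when no fix is known for that branch."""
    _, pkg, installed, _ = parse_finding(line)
    fixed = FIXED_IN.get((pkg, alpine_branch))
    if fixed is None:
        return None
    return apk_version_lt(installed, fixed)
```

A lexical comparison would wrongly rank "2.2.9-r1" above "2.2.10-r2", which is why the parts are compared as integers.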

The best way is to upgrade base container to latest Alpine (3.15).

We had previously upgraded to 3.13 and then had to roll back due to DNS issues with 3.13. There are also reports of DNS issues in Kubernetes, and it is unclear that those are resolved in newer versions. These DNS issues effectively caused outages for a large percentage of our installations. Since these security issues do not pose a practical threat to Drone users, we are taking a conservative approach to updates at this time. It is something we will look to resolve, but only once we are sure the DNS issue is mitigated.

I did go hunting for a way to override the default, but it would appear as though this is a fixed constant

It is true that the image name is a constant, however, it can be overridden at a global level using the DRONE_RUNNER_CLONE_IMAGE environment variable.

That was very helpful. We’ve bumped our deployment to alpine:3.15.

I think we can close this off. CLONE_IMAGE is a satisfactory local workaround for anyone who happens to care about this minor issue.

Thanks!