Gosu CVE Remediation Summary
Date: 2026-01-18
Overview
This document summarizes the vulnerability remediation performed on the Charon Docker image, specifically the 22 HIGH/CRITICAL CVEs that an image scan attributed to the Go standard library statically linked into the Debian-packaged gosu binary.
Root Cause Analysis
Debian bookworm ships gosu 1.14, built with the distribution's Go 1.19.8 toolchain. Go links the standard library statically into every binary, so every stdlib fix published since Go 1.19.8 is missing from /usr/sbin/gosu, and image scanners, which read the toolchain version recorded in the binary's build info, flag each of those fixes as an open CVE against the gosu package.
Vulnerable Component
- Package: gosu (Debian bookworm package)
- Version: 1.14
- Compiled with: Go 1.19.8
- Binary location: /usr/sbin/gosu
CVEs Fixed (22 in the scan summary; 26 identifiers listed below)
Each of these was patched upstream in an earlier Go point release (1.19.x through 1.25.x); the right-hand column records how this image clears the finding, not the first Go version that fixed it. Most of the affected packages (cmd/go, html/template, net/http, crypto/tls, net/mail, database/sql and others) are never exercised by gosu, which only switches uid/gid and execs the target command. Scanners raise these findings from the toolchain version stamped in the binary's build info, not from reachability analysis, so the practical effect of the rebuild is a clean scan and a current runtime rather than the closing of a demonstrated exploit path through gosu.
Critical Severity (7 CVEs)
| CVE | Affected package / issue | Resolved by |
|---|---|---|
| CVE-2023-24531 | cmd/go: `go env` output not escaped; code execution when the output is evaluated by a shell | Go 1.25 rebuild |
| CVE-2023-24540 | html/template: improper handling of JavaScript whitespace | Go 1.25 rebuild |
| CVE-2023-29402 | cmd/go: cgo code injection via newline characters in directory names | Go 1.25 rebuild |
| CVE-2023-29404 | cmd/go: improper sanitization of LDFLAGS in cgo directives (code execution at build time) | Go 1.25 rebuild |
| CVE-2023-29405 | cmd/go: improper sanitization of LDFLAGS in cgo directives (code execution at build time) | Go 1.25 rebuild |
| CVE-2024-24790 | net/netip: Is* methods (IsPrivate, IsLoopback, ...) return wrong results for IPv4-mapped IPv6 addresses | Go 1.25 rebuild |
| CVE-2025-22871 | net/http: bare LF accepted as line terminator in chunked encoding, enabling request smuggling | Go 1.25 rebuild |
High Severity (19 listed)
| CVE | Affected package / issue | Resolved by |
|---|---|---|
| CVE-2023-24539 | html/template: improper sanitization of CSS values | Go 1.25 rebuild |
| CVE-2023-29400 | html/template: improper handling of empty HTML attributes | Go 1.25 rebuild |
| CVE-2023-29403 | runtime: unsafe behaviour of setuid/setgid binaries started with closed standard file descriptors | Go 1.25 rebuild |
| CVE-2023-39323 | cmd/go: line directives bypass restrictions on //go:cgo_ directives (code execution at build time) | Go 1.25 rebuild |
| CVE-2023-44487 | net/http, x/net/http2: HTTP/2 Rapid Reset (RST_STREAM flood) | Go 1.25 rebuild |
| CVE-2023-45285 | cmd/go: `go get` may fall back to the insecure git:// protocol | Go 1.25 rebuild |
| CVE-2023-45287 | crypto/tls: RSA key exchange timing side channel (Marvin attack) | Go 1.25 rebuild |
| CVE-2023-45288 | net/http, x/net/http2: HTTP/2 CONTINUATION flood | Go 1.25 rebuild |
| CVE-2024-24784 | net/mail: comments in display names mishandled by ParseAddressList | Go 1.25 rebuild |
| CVE-2024-24791 | net/http: client denial of service through improper 100-continue handling | Go 1.25 rebuild |
| CVE-2024-34156 | encoding/gob: stack exhaustion in Decoder.Decode on deeply nested input | Go 1.25 rebuild |
| CVE-2024-34158 | go/build/constraint: stack exhaustion in Parse | Go 1.25 rebuild |
| CVE-2025-4674 | cmd/go: unexpected command execution when operating in untrusted VCS repositories | Go 1.25 rebuild |
| CVE-2025-47907 | database/sql: incorrect results from Rows.Scan when the query context is cancelled | Go 1.25 rebuild |
| CVE-2025-58187 | crypto/x509: quadratic complexity when checking name constraints | Go 1.25 rebuild |
| CVE-2025-58188 | crypto/x509: panic when validating certificates with DSA public keys | Go 1.25 rebuild |
| CVE-2025-61723 | encoding/pem: quadratic complexity when parsing some invalid inputs | Go 1.25 rebuild |
| CVE-2025-61725 | net/mail: excessive CPU consumption in ParseAddress | Go 1.25 rebuild |
| CVE-2025-61729 | stdlib vulnerability (affected package not recorded in the scan summary) | Go 1.25 rebuild |
Solution Implemented
Added a gosu-builder stage to the Dockerfile that builds gosu 1.17 from source with the golang:1.25-bookworm image, so the shipped binary embeds the current Go 1.25 standard library instead of the 1.19.8 one in Debian's package. This clears every Go stdlib CVE known at the scan date. Two maintenance notes on the stage below: gosu is pure Go and is built with CGO_ENABLED=0, so the clang/lld and target-architecture gcc/libc6-dev installs are not needed for this binary (they are harmless but cost build time); and `git clone --branch` resolves a tag, which upstream can move, so pinning the resolved commit hash would be the stronger supply-chain control.
Dockerfile Changes

```dockerfile
# ---- Gosu Builder ----
# Build gosu from source to avoid CVEs from Debian's pre-compiled version (Go 1.19.8).
# The xx stage (tonistiigi/xx cross-compilation helpers) is defined earlier in the Dockerfile.
FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS gosu-builder
COPY --from=xx / /
WORKDIR /tmp/gosu
ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.17
RUN apt-get update && apt-get install -y --no-install-recommends \
    git clang lld \
    && rm -rf /var/lib/apt/lists/*
RUN xx-apt install -y gcc libc6-dev
# Clone the release tag and build it with the builder image's Go toolchain
RUN git clone --depth 1 --branch "${GOSU_VERSION}" https://github.com/tianon/gosu.git .
# Static build for the target architecture; xx-verify checks that the output is a
# TARGETARCH executable (pass --static to also assert that it is statically linked)
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    CGO_ENABLED=0 xx-go build -v -ldflags '-s -w' -o /gosu-out/gosu . && \
    xx-verify /gosu-out/gosu
```
Runtime Stage Changes
Removed gosu from the runtime stage's apt-get install list and copied the custom-built binary in its place:

```dockerfile
# Copy gosu binary from gosu-builder (built with Go 1.25 to avoid stdlib CVEs)
COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu
RUN chmod +x /usr/sbin/gosu
```

The chmod step is redundant (go build emits an executable and COPY preserves the mode); `COPY --chmod=0755` would drop the extra layer, and BuildKit is already required by the cache mounts above.
Verification
Before Fix
- Total HIGH/CRITICAL CVEs: 34
- Go stdlib CVEs from gosu: 22
After Fix
- Total HIGH/CRITICAL CVEs: 6
- Go stdlib CVEs from gosu: 0
- Gosu version (output of `gosu --version`): 1.17 (go1.25.6 on linux/amd64; gc)
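The "compiled with Go 1.19.8" finding in the root cause above and the after-fix check here both come down to one field: the toolchain version that the Go linker stamps into the binary and that `go version -m` prints on its first line. As an added example (not from the Charon project or the gosu repository), here is a small POSIX sh check that reads that field, fails when it is below a minimum, and also pulls the CGO_ENABLED build setting so a static build can be asserted. The function names are this example's own, and the two sample reports inside it are constructed to mirror the before (go1.19.8) and after (go1.25.6) state; real output is tab-separated and includes module hashes and vcs.* settings that are omitted here, and the dependency versions shown are illustrative.

```shell
#!/bin/sh
# Added example (not part of Charon or gosu): gate a build or CI job on the Go
# toolchain version recorded in a binary's build info. Function names are mine.
#
# `go version -m <binary>` prints the toolchain the binary was linked with, its
# module list and build settings. Image scanners derive Go stdlib CVE findings
# from that embedded version, so it is the field to check after a rebuild.

# Print the toolchain version (e.g. 1.25.6) from the first line of a
# `go version -m` report, which looks like "/usr/sbin/gosu: go1.25.6".
# Returns 1 when no version is found (not a Go binary, or build info stripped).
go_toolchain_version() {
    v=$(printf '%s\n' "$1" | sed -n '1s/^.*: go\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 when dotted version $1 is >= $2 (1.25.6 >= 1.25, 1.19.8 < 1.21.0).
# Missing components count as 0; trailing non-digits (rc1, beta2) are ignored.
version_ge() {
    have=$1
    want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; [ "$h" = "$have" ] && have= || have=${have#*.}
        w=${want%%.*}; [ "$w" = "$want" ] && want= || want=${want#*.}
        h=${h%%[!0-9]*}; w=${w%%[!0-9]*}
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# Print the value of a "build KEY=VALUE" line in the report (e.g. CGO_ENABLED),
# or nothing if the key is absent. A static gosu should show CGO_ENABLED=0.
build_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*build[[:space:]]\{1,\}$2=\(.*\)$/\1/p"
}

# Fail unless the report's toolchain is at least version $2. Takes the report
# text rather than a path so it can be exercised on captured output.
check_toolchain() {
    v=$(go_toolchain_version "$1") || { echo "no Go build info in report" >&2; return 2; }
    if version_ge "$v" "$2"; then
        echo "ok: built with go$v (minimum go$2)"
        return 0
    fi
    echo "FAIL: built with go$v, need go$2 or newer" >&2
    return 1
}

# Real-world entry point, e.g. check_binary /usr/sbin/gosu 1.25.0
# Needs the go toolchain on PATH, which the golang:1.25-bookworm builder stage has.
check_binary() {
    report=$(go version -m "$1" 2>/dev/null) || { echo "go version -m failed for $1" >&2; return 2; }
    check_toolchain "$report" "$2"
}

# Constructed sample reports (not captured output) mirroring the before/after state.
# Real reports are tab-separated and also list module hashes and vcs.* settings.
OLD_REPORT='/usr/sbin/gosu: go1.19.8
    path    github.com/tianon/gosu
    mod     github.com/tianon/gosu  (devel)'
NEW_REPORT='/gosu-out/gosu: go1.25.6
    path    github.com/tianon/gosu
    mod     github.com/tianon/gosu  (devel)
    dep     golang.org/x/sys        v0.28.0
    build   -buildmode=exe
    build   -compiler=gc
    build   CGO_ENABLED=0
    build   GOARCH=amd64
    build   GOOS=linux'

# Demonstration on the constructed reports: the old binary fails the gate
# (returns 1, message on stderr), the rebuilt one passes.
check_toolchain "$OLD_REPORT" 1.25.0 || true
check_toolchain "$NEW_REPORT" 1.25.0
```

Because the check reads the build-info stamp and not the package database, it also catches the case where a cached builder layer silently keeps an older golang:1.25-bookworm point release than the one the scanner expects; bumping the minimum version to the release that fixes the newest stdlib CVE makes the build fail until the cache is refreshed.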
Remaining CVEs (Debian wont-fix, not addressable in this image)
The remaining 6 HIGH/CRITICAL findings are in packages of the Debian bookworm base image that Debian has marked wont-fix, meaning the Debian security team has decided not to ship a fix for this release (typically because it judges the impact minor or the affected code path is not built). No change to this image's own build steps can clear them:
| CVE | Severity | Package | Version | Status |
|---|---|---|---|---|
| CVE-2023-2953 | High | libldap-2.5-0 | 2.5.13+dfsg-5 | wont-fix |
| CVE-2023-45853 | Critical | zlib1g | 1:1.2.13.dfsg-1 | wont-fix |
| CVE-2025-13151 | High | libtasn1-6 | 4.19.0-2+deb12u1 | wont-fix |
| CVE-2025-6297 | High | dpkg | 1.21.22 | wont-fix |
| CVE-2025-7458 | Critical | libsqlite3-0 | 3.40.1-2+deb12u2 | wont-fix |
| CVE-2026-0861 | High | libc-bin | 2.36-9+deb12u13 | wont-fix |
Clearing these from the scan requires a base with newer package versions (Debian 13 "trixie") or a different base distribution. Until then, each finding should be reviewed for whether Charon actually exercises the flagged code path, and the conclusion recorded (for example as a scanner ignore entry or a VEX statement) so that the residual count does not have to be re-justified on every scan.
Renovate Integration
The gosu version is tracked by Renovate via the comment above the build argument:

```dockerfile
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.17
```
Files Modified
- Dockerfile - Added gosu-builder stage and updated runtime stage
Conclusion
This remediation eliminated the 22 HIGH/CRITICAL CVEs that the scan attributed to gosu by building it from source with Go 1.25. The approach follows the pattern already used for CrowdSec and Caddy in this project, so every Go binary in the final image is compiled with Go 1.25 and carries none of the stdlib CVEs known at the scan date. Because golang:1.25-bookworm is a floating tag, each uncached rebuild picks up the latest 1.25 point release and with it any newer stdlib fixes; the gosu source version itself is bumped by Renovate.