
chore(docker): bump gosu to 1.19

Open ImreSamu opened this issue 3 months ago • 2 comments

This pull request updates gosu from version 1.16 to 1.19 in the following Dockerfiles:

  • Dockerfile-15
  • Dockerfile-17
  • Dockerfile-orioledb-17

The official Docker Postgres image has already upgraded [5] to gosu 1.19 [1], and this change keeps these images consistent with the upstream base.

Using the latest gosu release [2] also helps reduce potential security findings reported by image scanners. For example, a recent local Trivy scan [3] reported several medium to critical issues in the older gosu binary.

No functional changes beyond the version update.

References

[1] Upstream Postgres Dockerfile (gosu 1.19):
https://github.com/docker-library/postgres/blob/master/Dockerfile-debian.template

[2] gosu 1.19 release notes:
https://github.com/tianon/gosu/releases/tag/1.19
Additional releases (1.17–1.19): https://github.com/tianon/gosu/releases

[3] Trivy scan example (old gosu 1.16 binary):

$ trivy image --ignore-unfixed supabase/postgres:17.5.1.041-orioledb
...
usr/local/bin/gosu (gobinary)
Total: 69 (UNKNOWN: 0, LOW: 2, MEDIUM: 30, HIGH: 34, CRITICAL: 3)

[5] https://github.com/docker-library/postgres/commit/a2433755c76d294477c85945d68944f8cdb7cf4b

ImreSamu, Oct 09 '25 21:10

Thanks for this, we're going to look into this ASAP

samrose, Oct 10 '25 02:10

I wanted to gently bump this PR.

I recently ran a govulncheck scan on the gosu binary currently present in the supabase/postgres:17.6.1.059 image, and it flagged several vulnerabilities. Merging this upgrade to 1.19 should resolve these security issues. Thanks.

code:

docker run -i --rm supabase/postgres:17.6.1.059 bash -s <<'EOF'
  # Fetch a Go toolchain into the throwaway container (needed only to build govulncheck)
  wget -q https://go.dev/dl/go1.25.5.linux-amd64.tar.gz
  tar -C /usr/local -xzf go1.25.5.linux-amd64.tar.gz
  export PATH=$PATH:/usr/local/go/bin
  # Install the scanner; with the default GOPATH it lands in /root/go/bin
  go install golang.org/x/vuln/cmd/govulncheck@latest
  /root/go/bin/govulncheck -version
  # Binary mode reads the module list and symbol table embedded in the Go binary,
  # so no source is needed to check the shipped gosu
  /root/go/bin/govulncheck -mode=binary /usr/local/bin/gosu
EOF

log:

$ docker run -i --rm supabase/postgres:17.6.1.059 bash -s <<'EOF'
>   wget -q https://go.dev/dl/go1.25.5.linux-amd64.tar.gz
>   tar -C /usr/local -xzf go1.25.5.linux-amd64.tar.gz
>   export PATH=$PATH:/usr/local/go/bin
>   go install golang.org/x/vuln/cmd/govulncheck@latest
>   /root/go/bin/govulncheck -version
>   /root/go/bin/govulncheck -mode=binary /usr/local/bin/gosu
> EOF

go: downloading golang.org/x/vuln v1.1.4
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.22.0
go: downloading golang.org/x/tools v0.29.0
go: downloading golang.org/x/sync v0.10.0
Go: go1.25.5
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2025-12-03 17:43:24 +0000 UTC

No vulnerabilities found.
=== Symbol Results ===

Vulnerability #1: GO-2025-4098
    Container escape and DDoS due to arbitrary write gadgets and procfs write
    redirects in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2025-4098
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Vulnerability #2: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/[email protected]
    Fixed in: os/[email protected]
    Vulnerable symbols found:
      #1: exec.LookPath

Vulnerability #3: GO-2024-3110
    Can be confused to create empty files/directories on the host in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Vulnerability #4: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Vulnerable symbols found:
      #1: runtime.Caller
      #2: runtime.CallersFrames
      #3: runtime.Frames.Next
      #4: runtime.Func.Entry
      #5: runtime.Func.Name
      Use '-show traces' to see the other 20 found symbols

Vulnerability #5: GO-2023-1683
    AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1683
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Vulnerability #6: GO-2023-1682
    Rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1682
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Vulnerability #7: GO-2023-1627
    Opencontainers runc Incorrect Authorization vulnerability in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1627
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Vulnerability #8: GO-2022-0452
    Default inheritable capabilities for linux container should be empty in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2022-0452
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Vulnerable symbols found:
      #1: system.Setgid
      #2: system.Setuid
      #3: user.GetExecUser
      #4: user.GetExecUserPath
      #5: user.ParseGroupFilter
      Use '-show traces' to see the other 1 found symbols

Your code is affected by 8 vulnerabilities from 1 module and the Go standard library.
This scan also found 4 vulnerabilities in packages you import and 63
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

ImreSamu, Dec 04 '25 06:12