From 429cf85f87b830a956886aefb03af7b59c10bc9a Mon Sep 17 00:00:00 2001 From: Jason Woltje Date: Thu, 12 Feb 2026 12:38:33 -0600 Subject: [PATCH] fix(#363): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs The gosu 1.19 binary bundled in the postgres base image was compiled with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH severity Go stdlib vulnerabilities. Since upstream gosu has not released a version built with patched Go (1.24.13+ / 1.25.7+), this adds a multi-stage Docker build that recompiles gosu from source using Go 1.26. Changes: - Pin postgres base image to 17.7-alpine3.22 for reproducibility - Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19 - Replace bundled gosu binary with freshly built version - Pin all postgres:17-alpine references across compose files and CI CVEs fixed: - CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability - CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation - CVE-2025-61726 (HIGH): Go net/url memory exhaustion - CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion - CVE-2025-61729 (HIGH): Go crypto/x509 DoS - CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability Fixes #363 Co-Authored-By: Claude Opus 4.6 --- .woodpecker/api.yml | 2 +- docker-compose.swarm.portainer.yml | 2 +- docker-compose.swarm.yml | 2 +- docker-compose.yml | 2 +- docker/docker-compose.build.yml | 2 +- docker/postgres/Dockerfile | 25 ++++++++++++++++++++++--- 6 files changed, 27 insertions(+), 8 deletions(-) diff --git a/.woodpecker/api.yml b/.woodpecker/api.yml index ea2736d..843057e 100644 --- a/.woodpecker/api.yml +++ b/.woodpecker/api.yml @@ -29,7 +29,7 @@ variables: services: postgres: - image: postgres:17-alpine + image: postgres:17.7-alpine3.22 environment: POSTGRES_DB: test_db POSTGRES_USER: test_user diff --git a/docker-compose.swarm.portainer.yml b/docker-compose.swarm.portainer.yml index 84a2695..538fc21 100644 --- a/docker-compose.swarm.portainer.yml +++ b/docker-compose.swarm.portainer.yml 
@@ -117,7 +117,7 @@ services: # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env # # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # environment: # POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik} # POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password} diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml index 98145a2..0763c48 100644 --- a/docker-compose.swarm.yml +++ b/docker-compose.swarm.yml @@ -141,7 +141,7 @@ services: # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env # # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # env_file: .env # environment: # POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik} diff --git a/docker-compose.yml b/docker-compose.yml index 9b8d508..beca7d0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -69,7 +69,7 @@ services: # Authentik PostgreSQL # ====================== # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # container_name: mosaic-authentik-postgres # restart: unless-stopped # environment: diff --git a/docker/docker-compose.build.yml b/docker/docker-compose.build.yml index f7e5651..f180fe9 100644 --- a/docker/docker-compose.build.yml +++ b/docker/docker-compose.build.yml @@ -71,7 +71,7 @@ services: # Authentik PostgreSQL # ====================== authentik-postgres: - image: postgres:17-alpine + image: postgres:17.7-alpine3.22 container_name: mosaic-authentik-postgres restart: unless-stopped environment: diff --git a/docker/postgres/Dockerfile b/docker/postgres/Dockerfile index 55147d4..4774f6a 100644 --- a/docker/postgres/Dockerfile +++ b/docker/postgres/Dockerfile 
@@ -1,9 +1,28 @@
-FROM postgres:17-alpine
+# Stage 1: Rebuild gosu with patched Go compiler
+# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
+# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
+# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
+# - CVE-2025-61726 (HIGH): net/url memory exhaustion
+# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
+# - CVE-2025-61729 (HIGH): crypto/x509 DoS
+# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
+# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
+FROM golang:1.26-alpine3.22 AS gosu-builder
+
+ARG GOSU_VERSION=1.19
+RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
+
+# Stage 2: PostgreSQL with pgvector and patched gosu
+FROM postgres:17.7-alpine3.22
 LABEL maintainer="Mosaic Stack "
-LABEL description="PostgreSQL 17 with pgvector extension"
+LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
-# Update Alpine packages to patch Go stdlib vulnerabilities (CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729)
+# Replace vulnerable gosu binary with version rebuilt using Go 1.26
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
+
+# Update Alpine packages for any remaining OS-level patches
 RUN apk update && apk upgrade
 # Install build dependencies for pgvector
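Review bot: `RUN chmod +sx /usr/local/bin/gosu` sets the setuid/setgid bits on the rebuilt gosu, and nothing in this hunk needs them: as far as I can tell the base image's entrypoint (not in this diff) invokes gosu while still root to step down to `postgres`, so the binary only needs to be executable, whereas a setuid-root gosu lets anything later running as the unprivileged `postgres` user switch back to root inside the container. Unless the base image's own gosu already carries those bits (I would expect plain `+x`; worth confirming against the upstream Dockerfile before relying on this), change the line to `RUN chmod +x /usr/local/bin/gosu && gosu --version && gosu nobody true`, which also keeps the upstream version smoke test. The header comment's claim that the rebuild "eliminates all Go stdlib CVEs" is stronger than the change supports; "fixes the CVEs listed above" would be accurate. The `golang:1.26-alpine3.22` tag in the builder stage still floats across Go patch releases, so if reproducibility is the goal of this commit, a digest pin there would match the intent stated for the postgres image.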