fix(#363): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs

The gosu 1.19 binary bundled in the postgres base image was compiled with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH severity Go stdlib vulnerabilities. Since upstream gosu has not released a version built with patched Go (1.24.13+ / 1.25.7+), this adds a multi-stage Docker build that recompiles gosu from source using Go 1.26. Changes: - Pin postgres base image to 17.7-alpine3.22 for reproducibility - Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19 - Replace bundled gosu binary with freshly built version - Pin all postgres:17-alpine references across compose files and CI CVEs fixed: - CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability - CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation - CVE-2025-61726 (HIGH): Go net/url memory exhaustion - CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion - CVE-2025-61729 (HIGH): Go crypto/x509 DoS - CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability Fixes #363 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 12:38:33 -06:00
parent dce975bf4e
commit 429cf85f87
6 changed files with 27 additions and 8 deletions
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -29,7 +29,7 @@ variables:

 services:
  postgres:
-    image: postgres:17-alpine
+    image: postgres:17.7-alpine3.22
    environment:
      POSTGRES_DB: test_db
      POSTGRES_USER: test_user
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -117,7 +117,7 @@ services:
  # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env
  #
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   environment:
  #     POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
  #     POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -141,7 +141,7 @@ services:
  # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env
  #
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   env_file: .env
  #   environment:
  #     POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
  # Authentik PostgreSQL
  # ======================
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   container_name: mosaic-authentik-postgres
  #   restart: unless-stopped
  #   environment:
--- a/docker/docker-compose.build.yml
+++ b/docker/docker-compose.build.yml
@@ -71,7 +71,7 @@ services:
  # Authentik PostgreSQL
  # ======================
  authentik-postgres:
-    image: postgres:17-alpine
+    image: postgres:17.7-alpine3.22
    container_name: mosaic-authentik-postgres
    restart: unless-stopped
    environment:
--- a/docker/postgres/Dockerfile
+++ b/docker/postgres/Dockerfile
@@ -1,9 +1,28 @@
-FROM postgres:17-alpine
+# Stage 1: Rebuild gosu with patched Go compiler
+# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
+#   - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
+#   - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
+#   - CVE-2025-61726 (HIGH): net/url memory exhaustion
+#   - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
+#   - CVE-2025-61729 (HIGH): crypto/x509 DoS
+#   - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
+# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
+FROM golang:1.26-alpine3.22 AS gosu-builder
+
+ARG GOSU_VERSION=1.19
+RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
+
+# Stage 2: PostgreSQL with pgvector and patched gosu
+FROM postgres:17.7-alpine3.22

 LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
-LABEL description="PostgreSQL 17 with pgvector extension"
+LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"

-# Update Alpine packages to patch Go stdlib vulnerabilities (CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729)
+# Replace vulnerable gosu binary with version rebuilt using Go 1.26
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
+
+# Update Alpine packages for any remaining OS-level patches
 RUN apk update && apk upgrade

 # Install build dependencies for pgvector