From 16f37d36464277f3b7f9cfb3eb0ffe17c04b8f40 Mon Sep 17 00:00:00 2001
From: vineela-pachchipulusu
Date: Thu, 3 Apr 2025 05:20:39 -0400
Subject: [PATCH] Fix for critical CVE-2024-45492 and CVE-2024-45491

Issue-ID: INF-493
Change-Id: I5404e3a93e0812e5b687cbfca9ac7f7231d4c44e
Signed-off-by: vineela-pachchipulusu
---
 Dockerfile | 6 +++++
 Dockerfile.localtest | 75 ++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 70 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 628b3a2..c6a21f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,12 @@ ARG group=orano2
 
 USER root
 
+# Upgrade expat to latest version to mitigate CVE-2024-45492
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
+ apk update && \
+ apk add --upgrade expat && \
+ apk info expat
+
 RUN apk add --no-cache bash
 
 COPY --from=build /.venv /.venv
diff --git a/Dockerfile.localtest b/Dockerfile.localtest
index 7ced03b..445dfd2 100644
--- a/Dockerfile.localtest
+++ b/Dockerfile.localtest
@@ -40,13 +40,13 @@ COPY helm_sdk/ /src/helm_sdk/
 COPY configs/ /etc/o2/
 COPY configs/ /configs/
 
+# First install base packages from stable repository
 RUN apk add --no-cache \
 git \
 curl \
 bluez-dev \
 bzip2-dev \
 dpkg-dev dpkg \
- expat-dev \
 gcc \
 libc-dev \
 libffi-dev \
@@ -54,7 +54,6 @@ RUN apk add --no-cache \
 libtirpc-dev \
 linux-headers \
 make \
- ncurses-dev \
 openssl-dev \
 pax-utils \
 sqlite-dev \
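Review bot: The new `RUN` in the Dockerfile hunk permanently appends the edge main repository to `/etc/apk/repositories` and then installs `expat` unpinned, so the runtime image keeps tracking a rolling branch for every later `apk add` and the expat version it ends up with differs from build to build (the same patch pins `expat=2.7.0-r0` in Dockerfile.localtest). A one-shot `--repository` with a pinned version leaves the stable repositories untouched and makes the mitigation reproducible: `RUN apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main expat=2.7.0-r0 \` / `    && apk info expat`. The `apk update` call also leaves the fetched index under `/var/cache/apk` inside this layer, which `--no-cache` avoids. The persisted-edge-repository pattern recurs in both Dockerfile.localtest hunks and would benefit from the same treatment.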
@@ -65,16 +64,70 @@ RUN apk add --no-cache \
 xz-dev \
 zlib-dev
 
+# Then add edge main repository and install dependencies
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
+ apk update && \
+ # Install ncurses packages first from edge repository
+ apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main \
+ ncurses-dev \
+ ncurses-terminfo-base \
+ ncurses-libs && \
+ # Install other build dependencies
+ apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main \
+ python3-dev \
+ gcc \
+ musl-dev \
+ libffi-dev \
+ openssl-dev \
+ bzip2-dev \
+ zlib-dev \
+ readline-dev \
+ sqlite-dev \
+ tcl-dev \
+ tk-dev \
+ make \
+ linux-headers && \
+ # Install expat and fontconfig-dev
+ apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main expat=2.7.0-r0 expat-dev=2.7.0-r0 fontconfig-dev && \
+ # Download and build Python from source
+ cd /tmp && \
+ curl -O https://www.python.org/ftp/python/3.12.2/Python-3.12.2.tgz && \
+ tar xzf Python-3.12.2.tgz && \
+ cd Python-3.12.2 && \
+ ./configure --with-system-expat --without-readline && \
+ make && \
+ make install && \
+ cd /tmp && \
+ rm -rf Python-3.12.2 Python-3.12.2.tgz && \
+ # Clean up build dependencies
+ apk del --no-cache \
+ python3-dev \
+ gcc \
+ musl-dev \
+ libffi-dev \
+ openssl-dev \
+ bzip2-dev \
+ zlib-dev \
+ readline-dev \
+ sqlite-dev \
+ tcl-dev \
+ tk-dev \
+ make \
+ linux-headers
+
 RUN set -ex \
- && apk add --no-cache bash \
- && apk add --no-cache --virtual .fetch2-deps \
- && pip install -r /tmp/requirements.txt -c /tmp/constraints.txt \
- && pip install -r /tmp/requirements-test.txt \
- && pip install -e /cgtsclient/sysinv/cgts-client/cgts-client/ \
- && pip install -e /distcloud-client/distributedcloud-client \
- && pip install -e /faultclient/python-fmclient/fmclient/ \
- && pip install -e /src \
- && apk del --no-network .fetch2-deps
+ && echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
+ apk update && \
+ apk add --no-cache bash && \
+ apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main expat=2.7.0-r0 && \
+ apk add --no-cache --virtual .fetch2-deps && \
+ pip install -r /tmp/requirements.txt -c /tmp/constraints.txt && \
+ pip install -r /tmp/requirements-test.txt && \
+ pip install -e /cgtsclient/sysinv/cgts-client/cgts-client/ && \
+ pip install -e /distcloud-client/distributedcloud-client && \
+ pip install -e /faultclient/python-fmclient/fmclient/ && \
+ pip install -e /src && \
+ apk del --no-network .fetch2-deps
 
 COPY tests/ /tests/
-- 
2.16.6