
dsnet/compress package causes import of vulnerable ulikunitz/xz v0.5.6 #1226

Closed
Niksko opened this issue Mar 15, 2021 · 6 comments · Fixed by #1228

Comments

@Niksko
Contributor

Niksko commented Mar 15, 2021

ulikunitz/xz v0.5.6 is vulnerable to a denial of service attack fixed in v0.5.8. This package is introduced into skopeo via dsnet/compress. This package is introduced via opencontainers/image-tools:

$ go mod why github.com/dsnet/compress
# github.com/dsnet/compress
github.com/containers/skopeo/integration
github.com/containers/skopeo/integration.test
github.com/opencontainers/image-tools/image
github.com/opencontainers/image-tools/image.test
github.com/dsnet/compress/bzip2
github.com/dsnet/compress/internal/prefix
github.com/dsnet/compress

Unfortunately, both dsnet/compress and opencontainers/image-tools seem pretty light on the releases of late. opencontainers/image-tools has been superseded by opencontainers/umoci, however that package doesn't seem to do the verification of OCI images that skopeo uses image-tools for.

dsnet/compress seems to be the only bz2 encoder for golang that's around, and the author seems to have had a hard time getting bz2 encoding into the go standard library. I've raised a PR there (dsnet/compress#70) to update xz, so if that's merged we may be able to use a replace directive to use an updated version of dsnet/compress.

@vrothberg
Member

Thanks for reaching out! Can you share a link to the DOS attack? Is there a CVE?

We do actually have a direct dependency on it in our stack: vendor/github.com/containers/image/v5/pkg/compression/compression.go

I think we can easily bump it in containers/image.

@vrothberg
Member

vrothberg commented Mar 15, 2021

The main branch is already on github.com/ulikunitz/xz v0.5.9 and c/image main is on v0.5.10.

@Niksko
Contributor Author

Niksko commented Mar 15, 2021

Hey @vrothberg, CWE-400 and CVE-2020-16845.

Yes, the direct dependencies have been updated, but the dependency on dsnet/compress:0.0.1 is indirect (via image-tools) and is still pulling in xz.

$ go mod graph | grep github.com/ulikunitz/xz@v0.5.6
github.com/dsnet/compress@v0.0.1 github.com/ulikunitz/xz@v0.5.6

My PR over in dsnet/compress has been merged, so can we update to the latest commit on master? See #1228

@vrothberg
Member

github.com/dsnet/compress@v0.0.1 github.com/ulikunitz/xz@v0.5.6

Doesn't this only state that dsnet requires this specific version (i.e., a lower bound)? It doesn't say which version is actually used by Skopeo.

So I don't think Skopeo is affected by the CVEs, see below:

skopeo (master) $ grep xz vendor/modules.txt | head -n1
# github.com/ulikunitz/xz v0.5.9
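The point made above, that a `go mod graph` edge is a lower bound rather than the version actually built, is Go's minimal version selection at work. The following program is an added example, not code from skopeo or from this thread: it replays MVS over a constructed `go mod graph` excerpt in which only the dsnet/compress -> xz@v0.5.6 edge is quoted from the issue (the other modules and their versions are assumed) and shows that the selected xz version is v0.5.9, which is why a tool that greps requirement edges or go.sum flags a version the build never uses.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed `go mod graph` excerpt: only the dsnet/compress -> xz@v0.5.6 edge is quoted from the issue; the other edges and versions are assumed.
const sampleGraph = `github.com/containers/skopeo github.com/containers/image/v5@v5.10.0
github.com/containers/skopeo github.com/opencontainers/image-tools@v1.0.0
github.com/containers/image/v5@v5.10.0 github.com/ulikunitz/xz@v0.5.9
github.com/opencontainers/image-tools@v1.0.0 github.com/dsnet/compress@v0.0.1
github.com/dsnet/compress@v0.0.1 github.com/ulikunitz/xz@v0.5.6`

// less orders plain vMAJOR.MINOR.PATCH strings numerically (so v0.5.9 < v0.5.10); pre-release suffixes are not handled.
func less(a, b string) bool {
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n }
	pa, pb := strings.Split(strings.TrimPrefix(a, "v"), "."), strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if x, y := atoi(pa[i]), atoi(pb[i]); x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// Selected applies minimal version selection: walk every requirement edge reachable from the main module and keep the highest version per module path, which is the version the build uses (and what vendor/modules.txt lists).
func Selected(graph, mainModule string) map[string]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	selected := map[string]string{}
	seen := map[string]bool{mainModule: true} // guards against requirement cycles
	for queue := []string{mainModule}; len(queue) > 0; queue = queue[1:] {
		for _, dep := range edges[queue[0]] {
			path, ver, _ := strings.Cut(dep, "@")
			if cur, ok := selected[path]; !ok || less(cur, ver) {
				selected[path] = ver
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}
```

The lower-bound edge `dsnet/compress@v0.0.1 -> xz@v0.5.6` stays in the graph (and its hash in go.sum) even though the build list never contains v0.5.6.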

@Niksko
Contributor Author

Niksko commented Mar 16, 2021

@vrothberg my mistake, sorry about that. You're totally right, there's only going to be one version. Although I'm confused as to why the older version ends up in the go.sum.

Regardless, vulnerability scanning tools such as Snyk are fooled by this as well, so the PR you merged should stop skopeo being flagged with these vulnerabilities.

@vrothberg
Member

No worries at all. Better safe than sorry and it's super kind of you to fix the issue right away. I mostly wanted to make sure that Skopeo is not impacted to prevent users (and us) from worrying :)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023