.grype.yaml
# This configuration file will be used to track CVEs that we can ignore for the
# latest release of Dangerzone, and offer our analysis.
ignore:
  # CVE-2025-6965, and other libsqlite CVEs
  # =======================================
  #
  # Verdict: libsqlite3-0 is only used by Python, and we do not use any of its
  # SQLite-related features, so we are not affected.
  - package:
      name: libsqlite3-0

  # CVE-2023-45853
  # ==============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2023-45853
  # Verdict: Dangerzone is not affected because the zlib library in Debian is
  # built in a way that is not vulnerable.
  - vulnerability: CVE-2023-45853

  # CVE-2024-38428
  # ==============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2024-38428
  # Verdict: Dangerzone is not affected because it doesn't use wget in the
  # container image (which also has no network connectivity).
  - vulnerability: CVE-2024-38428

  # CVE-2024-57823
  # ==============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2024-57823
  # Verdict: Dangerzone is not affected. First things first, LibreOffice is
  # using this library for parsing RDF metadata in a document [1], and has
  # issued a fix for the vendored raptor2 package they have for other distros
  # [2].
  #
  # On the other hand, the Debian security team has stated that this is a minor
  # issue [3], and there's no fix from the developers yet. It seems that the
  # Debian package is somehow not affected by this CVE, probably due to the way
  # it's packaged.
  #
  # [1] https://wiki.documentfoundation.org/Documentation/DevGuide/Office_Development#RDF_metadata
  # [2] https://cgit.freedesktop.org/libreoffice/core/commit/?id=2b50dc0e4482ac0ad27d69147b4175e05af4fba4
  # [3] From https://security-tracker.debian.org/tracker/CVE-2024-57823:
  #
  #       [bookworm] - raptor2 <postponed> (Minor issue, revisit when fixed upstream)
  #
  - vulnerability: CVE-2024-57823

  # CVE-2025-0665
  # =============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-0665
  # Verdict: Dangerzone is not affected because the vulnerable code is not
  # present in Debian Bookworm. Also, libcurl is an HTTP client, and the
  # Dangerzone container does not make any network calls.
  - vulnerability: CVE-2025-0665

  # CVE-2025-43859
  # ==============
  #
  # GitHub advisory: https://github.com/advisories/GHSA-vqfr-h8mv-ghfj
  # Verdict: Dangerzone is not affected because the vulnerable code is triggered
  # when parsing HTTP requests, e.g., by web **servers**. Dangerzone, on the
  # other hand, performs HTTP requests, i.e., it operates as a **client**.
  - vulnerability: CVE-2025-43859
  - vulnerability: GHSA-vqfr-h8mv-ghfj

  # CVE-2025-2866
  # =============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-2866
  # Verdict: Dangerzone is not affected because it does not rely on the
  # signature checking feature of LibreOffice.
  - vulnerability: CVE-2025-2866

  # CVE-2025-4802
  # =============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-4802
  # Verdict: Dangerzone is not affected for three reasons:
  # 1. We don't ship custom setuid programs, only the ones that get installed
  #    through the official repos. This is important because, as the glibc
  #    advisory [1] mentions:
  #
  #      The only viable vector for exploitation of this bug is local, if a
  #      static setuid program exists, and that program calls dlopen, then it
  #      may search LD_LIBRARY_PATH to locate the SONAME to load. No such
  #      program has been discovered at the time of publishing this advisory,
  #      but the presence of custom setuid programs, although strongly
  #      discouraged as a security practice, cannot be discounted.
  #
  # 2. We do not allow programs to elevate their privileges, either in the
  #    gVisor sandbox or in the outer container, thanks to the
  #    `no-new-privileges` flag.
  # 3. A quick search with `find / -perm 6000` in our container image yields no
  #    setuid programs. That's most likely due to the way we package our
  #    Dangerzone image, where we copy-paste binaries from the outer container
  #    to the inner one, destroying the setuid bits in the process.
  #
  # [1] https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0002
  - vulnerability: CVE-2025-4802

  # CVE-2025-4517
  # =============
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-4517
  # Verdict: Dangerzone is not affected for two reasons:
  # 1. We don't use `filter="data"` in our code.
  # 2. Our container image is based on Debian Bookworm, which is not affected by
  #    this bug.
  - vulnerability: CVE-2025-4517

  # CVE-2025-49794, CVE-2025-49796
  # ==============================
  #
  # Debian trackers:
  # * https://security-tracker.debian.org/tracker/CVE-2025-49794
  # * https://security-tracker.debian.org/tracker/CVE-2025-49796
  #
  # Verdict: Dangerzone is not affected, mainly because the worst-case scenario
  # is Denial of Service (DoS). There is some background for these two CVEs that
  # is worth noting here, though:
  # 1. The maintainer has stated that the issue is not critical, but that it is
  #    still a lot of work to fix (among other notable concerns):
  #    https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
  # 2. The Debian security team considers this issue minor, and they don't have
  #    a fix.
  - vulnerability: CVE-2025-49794
  - vulnerability: CVE-2025-49796

  # CVE-2025-13836
  # ==============
  #
  # When reading an HTTP response from a server, if no read amount is
  # specified, the default behavior will be to use Content-Length. This allows
  # a malicious server to cause the client to read large amounts of data into
  # memory, potentially causing OOM or other DoS.
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-13836
  #
  # Verdict: we are not affected because we don't use any HTTP server
  # capabilities inside the container. Outside the container, this could lead
  # to OOM attacks when the client checks for updates, in case of a GitHub
  # server compromise, which we deem acceptable until the next client release
  # (0.11.0). Moreover, the Debian security team deems it a minor issue for
  # Trixie, and there's currently no fix out for it.
  - vulnerability: CVE-2025-13836

  # CVE-2025-68973
  # ==============
  #
  # In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an
  # index variable where one is intended, leading to an out-of-bounds write for
  # crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-68973
  #
  # Verdict: the container doesn't use GPG itself and so is not affected.
  # Clients might be, but that is orthogonal to what we can do to solve this
  # issue.
  - vulnerability: CVE-2025-68973

  # CVE-2025-68972
  # ==============
  #
  # In GnuPG through 2.4.8, if a signed message has \f at the end of a
  # plaintext line, an adversary can construct a modified message that places
  # additional text after the signed material, such that signature verification
  # of the modified message succeeds (although an "invalid armor" message is
  # printed during verification). This is related to use of \f as a marker to
  # denote truncation of a long plaintext line.
  #
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2025-68972
  #
  # Verdict: We do not use GnuPG or dirmngr in a way that is affected by this
  # issue (e.g., we do not place trust in the verified text output), and no
  # fixes have been provided by upstream so far.
  - vulnerability: CVE-2025-68972

  # CVE-2026-6100
  # =============
  #
  # GitHub advisory: https://github.com/advisories/GHSA-pg25-7cx5-cvcm
  # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2026-6100
  #
  # CPython can hit a use-after-free in lzma/bz2/gzip decompressors only when
  # the same instance is reused after a MemoryError during decompression; the
  # one-shot helpers (e.g. gzip.decompress()) are not affected.
  #
  # Verdict: Dangerzone is not affected because our conversion path does not
  # rely on reusing those decompressor objects across a MemoryError while
  # processing documents.
  - vulnerability: CVE-2026-6100
  - vulnerability: GHSA-pg25-7cx5-cvcm
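The CVE-2025-4802 verdict above rests on two checkable conditions: no setuid/setgid binaries in the image, and no privilege elevation thanks to `no-new-privileges`. The script below is an added example, not part of Dangerzone's `.grype.yaml` or its tooling, that audits both on a constructed directory tree (the image path, file names and temp directory are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example, not part of Dangerzone's .grype.yaml: a small audit that checks
# the two conditions the CVE-2025-4802 verdict relies on, i.e. that a filesystem
# tree contains no setuid/setgid binaries and that no_new_privs is in effect.

# List regular files under "$1" with the setuid (4000) or setgid (2000) bit set.
# "-perm /6000" matches files carrying EITHER bit; "-perm -4000" would match
# only the setuid bit, and a bare "-perm 6000" only a mode of exactly 6000.
find_privileged_binaries() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# Number of such files, so a CI step can fail when the result is not 0.
count_privileged_binaries() {
    find_privileged_binaries "$1" | awk 'END { print NR }'
}

# Whether the current process has no_new_privs set (Linux only). "NoNewPrivs: 1"
# in /proc/self/status means setuid bits can no longer grant privileges to
# children, which is what the `no-new-privileges` flag above enforces.
no_new_privs_status() {
    if [ -r /proc/self/status ]; then
        awk '/^NoNewPrivs:/ { status = ($2 == 1) ? "enabled" : "disabled"; print status; found = 1 }
             END { if (!found) print "unknown" }' /proc/self/status
    else
        echo "unknown"
    fi
}

# Demonstration on a constructed tree (not a real Dangerzone image).
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/usr/bin"
printf '#!/bin/sh\n' > "$demo_dir/usr/bin/plain"
printf '#!/bin/sh\n' > "$demo_dir/usr/bin/elevated"
chmod 0755 "$demo_dir/usr/bin/plain"
chmod 4755 "$demo_dir/usr/bin/elevated"   # setuid bit set deliberately

echo "setuid/setgid binaries under $demo_dir:"
find_privileged_binaries "$demo_dir"
echo "count: $(count_privileged_binaries "$demo_dir")"
echo "no_new_privs for this shell: $(no_new_privs_status)"
rm -rf "$demo_dir"
```

Run against a container's exported root filesystem (e.g. `count_privileged_binaries /path/to/rootfs`) to turn the verdict's third reason into a repeatable CI check.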