CVE-2023-25139 is applicable to glibc version 2.37.
When we scan (using the Synopsys BDBA tool) for vulnerabilities, the tini-static executable (built with tini release version 0.19.0) shows as vulnerable.
Could someone please confirm which glibc version is used in the tini-static executable?
HarinadhD changed the title from "[CVE-2023-25139]tini-static executable showing as vulnerable" to "[CVE-2023-25139]tini-static executable seems vulnerable" on Mar 7, 2023
It seems likely it’s built with a vulnerable version, but note that Tini
doesn’t actually use that function, let alone in the circumstances
described there.
I’ll try to publish updated binaries, but if you rely on security scanners
and they get triggered by this, I really would encourage you to build Tini
yourself.
In fact, that’s a good security practice: it’s one thing to be worried
about CVEs, but if you’re concerned about security, downloading and running
binaries built by people you don’t know (me in this case) should arguably be
a bigger concern!
On Tue, 7 Mar 2023 at 13:14, HarinadhD ***@***.***> wrote:
CVE-2023-25139 <https://github.com/advisories/GHSA-2g67-jw5m-244m> is
applicable to glibc version 2.37.
When we scan (using the Synopsys BDBA tool) for vulnerabilities, the tini-static
executable (built with tini release version 0.19.0) shows as vulnerable.
Could someone please confirm which glibc version is used in the tini-static
executable?