From a5d2218a038418984e400d885f4b6f4a4b1f0f9a Mon Sep 17 00:00:00 2001 From: Adil Hafeez Date: Mon, 11 Aug 2025 16:42:31 -0700 Subject: [PATCH] fix cve_2025-6020 by removing libpam --- arch/Dockerfile | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/arch/Dockerfile b/arch/Dockerfile index b17d6d36..11a2b375 100644 --- a/arch/Dockerfile +++ b/arch/Dockerfile @@ -3,17 +3,27 @@ FROM rust:1.82.0 AS builder RUN rustup -v target add wasm32-wasip1 WORKDIR /arch COPY crates . - RUN cargo build --release --target wasm32-wasip1 -p prompt_gateway -p llm_gateway RUN cargo build --release -p brightstaff -# copy built filter into envoy image FROM docker.io/envoyproxy/envoy:v1.34-latest AS envoy -#Build config generator, so that we have a single build image for both Rust and Python FROM python:3.12-slim AS arch +# Purge PAM to avoid CVE-2025-6020 and install needed tools + +# 1) Install what you need while apt still works +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends supervisor gettext-base curl; \ + apt-get clean; rm -rf /var/lib/apt/lists/* + +# 2) Force-remove PAM packages (don’t use apt here) +# We ignore dependencies and remove files so scanners don’t find them. +RUN set -eux; \ + dpkg -r --force-depends libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \ + dpkg -P --force-all libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \ + rm -rf /etc/pam.d /lib/x86_64-linux-gnu/security /usr/lib/security || true -RUN apt-get update && apt-get install -y supervisor gettext-base curl && apt-get clean && rm -rf /var/lib/apt/lists/* COPY --from=builder /arch/target/wasm32-wasip1/release/prompt_gateway.wasm /etc/envoy/proxy-wasm-plugins/prompt_gateway.wasm COPY --from=builder /arch/target/wasm32-wasip1/release/llm_gateway.wasm /etc/envoy/proxy-wasm-plugins/llm_gateway.wasm @@ -29,11 +39,8 @@ COPY arch/arch_config_schema.yaml . COPY arch/supervisord.conf /etc/supervisor/conf.d/supervisord.conf RUN pip install requests -RUN touch /var/log/envoy.log -RUN mkdir -p /var/log/supervisor/ -RUN touch /var/log/supervisor/supervisord.log +RUN mkdir -p /var/log/supervisor && touch /var/log/envoy.log /var/log/supervisor/supervisord.log ENTRYPOINT ["sh","-c", "/usr/bin/supervisord"] - # ENTRYPOINT ["sh","-c", "python config_generator.py && envsubst < /etc/envoy/envoy.yaml > /etc/envoy.env_sub.yaml && envoy -c /etc/envoy.env_sub.yaml --log-level trace 2>&1 | tee /var/log/envoy.log"] # ENTRYPOINT ["sh","-c", "python config_generator.py && envsubst < /etc/envoy/envoy.yaml > /etc/envoy.env_sub.yaml && envoy -c /etc/envoy.env_sub.yaml --component-log-level wasm:info 2>&1 | tee /var/log/envoy.log"]