
Possible false positive detection - CVE-2022-1271 - gzip - Ubuntu 22.04 #2527

Open
Damian-Mangold opened this issue Mar 13, 2025 · 5 comments
Labels
bug Something isn't working false-positive

Comments

@Damian-Mangold

Analysis and Justification: False Positive Detection of CVE-2022-1271 in gzip

Summary of the Finding

The Grype security scanner has reported a vulnerability in gzip (CVE-2022-1271) due to the presence of version 1.10-4ubuntu4.1 in our image. According to Grype’s database, this version is still vulnerable because the issue was fixed in gzip 1.12. However, after a thorough verification, we have determined that this detection is a false positive.

full analysis

 ✔ Vulnerability DB                [updated]  
 ✔ Loaded image                    cti_cti:latest 
 ✔ Parsed image                    sha256:6f8374513a25632d47859b454246528fa99071f27d85dfae3fa875df2ec7b971 
 ✔ Cataloged contents              bc3b9f7b90943b4131423068d8facd43b61cd030c73695acf5f5407f8da119bf 
   ├── ✔ Packages                        [192 packages]  
   ├── ✔ File digests                    [3,317 files]  
   ├── ✔ File metadata                   [3,317 locations]  
   └── ✔ Executables                     [884 executables]  
 ✔ Scanned for vulnerabilities     [67 vulnerability matches]  
   ├── by severity: 0 critical, 1 high, 19 medium, 40 low, 7 negligible
   └── by status:   24 fixed, 43 not-fixed, 0 ignored 
NAME                   INSTALLED                 FIXED-IN                 TYPE    VULNERABILITY   SEVERITY   
coreutils              8.32-4.1ubuntu1.2                                  deb     CVE-2016-2781   Low         
curl                   7.81.0-1ubuntu1.20                                 deb     CVE-2025-0167   Low         
gcc-12-base            12.3.0-1ubuntu1~22.04                              deb     CVE-2022-27943  Low         
gcc-12-base            12.3.0-1ubuntu1~22.04                              deb     CVE-2023-4039   Low         
gpgv                   2.2.27-3ubuntu2.1                                  deb     CVE-2022-3219   Low         
gzip                   1.10                      1.12                     binary  CVE-2022-1271   High        
libc-bin               2.35-0ubuntu3.8           2.35-0ubuntu3.9          deb     CVE-2025-0395   Medium      
libc-bin               2.35-0ubuntu3.8                                    deb     CVE-2016-20013  Negligible  
libc6                  2.35-0ubuntu3.8           2.35-0ubuntu3.9          deb     CVE-2025-0395   Medium      
libc6                  2.35-0ubuntu3.8                                    deb     CVE-2016-20013  Negligible  
libcap2                1:2.44-1ubuntu0.22.04.1   1:2.44-1ubuntu0.22.04.2  deb     CVE-2025-1390   Medium      
libcurl4               7.81.0-1ubuntu1.20                                 deb     CVE-2025-0167   Low         
libgcc-s1              12.3.0-1ubuntu1~22.04                              deb     CVE-2022-27943  Low         
libgcc-s1              12.3.0-1ubuntu1~22.04                              deb     CVE-2023-4039   Low         
libgcrypt20            1.9.4-3ubuntu3                                     deb     CVE-2024-2236   Low         
libgnutls30            3.7.3-4ubuntu1.5          3.7.3-4ubuntu1.6         deb     CVE-2024-12243  Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb     CVE-2024-3596   Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2025-24528  Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26461  Low         
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26458  Negligible  
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb     CVE-2024-3596   Medium      
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2025-24528  Medium      
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26461  Low         
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26458  Negligible  
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb     CVE-2024-3596   Medium      
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2025-24528  Medium      
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26461  Low         
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26458  Negligible  
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb     CVE-2024-3596   Medium      
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2025-24528  Medium      
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26461  Low         
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb     CVE-2024-26458  Negligible  
libncurses6            6.3-2ubuntu0.1                                     deb     CVE-2023-45918  Low         
libncurses6            6.3-2ubuntu0.1                                     deb     CVE-2023-50495  Low         
libncursesw6           6.3-2ubuntu0.1                                     deb     CVE-2023-45918  Low         
libncursesw6           6.3-2ubuntu0.1                                     deb     CVE-2023-50495  Low         
libpam-modules         1.4.0-11ubuntu2.5                                  deb     CVE-2024-10041  Medium      
libpam-modules-bin     1.4.0-11ubuntu2.5                                  deb     CVE-2024-10041  Medium      
libpam-runtime         1.4.0-11ubuntu2.5                                  deb     CVE-2024-10041  Medium      
libpam0g               1.4.0-11ubuntu2.5                                  deb     CVE-2024-10041  Medium      
libpcre2-8-0           10.39-3ubuntu0.1                                   deb     CVE-2022-41409  Low         
libpcre3               2:8.39-13ubuntu0.22.04.1                           deb     CVE-2017-11164  Negligible  
libpython3.10-minimal  3.10.12-1~22.04.9                                  deb     CVE-2025-1795   Low         
libpython3.10-stdlib   3.10.12-1~22.04.9                                  deb     CVE-2025-1795   Low         
libssl3                3.0.2-0ubuntu1.18         3.0.2-0ubuntu1.19        deb     CVE-2024-13176  Low         
libssl3                3.0.2-0ubuntu1.18                                  deb     CVE-2024-41996  Low         
libssl3                3.0.2-0ubuntu1.18         3.0.2-0ubuntu1.19        deb     CVE-2024-9143   Low         
libstdc++6             12.3.0-1ubuntu1~22.04                              deb     CVE-2022-27943  Low         
libstdc++6             12.3.0-1ubuntu1~22.04                              deb     CVE-2023-4039   Low         
libsystemd0            249.11-0ubuntu3.12                                 deb     CVE-2023-7008   Low         
libtasn1-6             4.18.0-4build1            4.18.0-4ubuntu0.1        deb     CVE-2024-12133  Medium      
libtasn1-6             4.18.0-4build1                                     deb     CVE-2021-46848  Low         
libtinfo6              6.3-2ubuntu0.1                                     deb     CVE-2023-45918  Low         
libtinfo6              6.3-2ubuntu0.1                                     deb     CVE-2023-50495  Low         
libudev1               249.11-0ubuntu3.12                                 deb     CVE-2023-7008   Low         
libzstd1               1.4.8+dfsg-3build1                                 deb     CVE-2022-4899   Low         
login                  1:4.8.1-2ubuntu2.2                                 deb     CVE-2024-56433  Medium      
login                  1:4.8.1-2ubuntu2.2                                 deb     CVE-2023-29383  Low         
ncurses-base           6.3-2ubuntu0.1                                     deb     CVE-2023-45918  Low         
ncurses-base           6.3-2ubuntu0.1                                     deb     CVE-2023-50495  Low         
ncurses-bin            6.3-2ubuntu0.1                                     deb     CVE-2023-45918  Low         
ncurses-bin            6.3-2ubuntu0.1                                     deb     CVE-2023-50495  Low         
openssl                3.0.2-0ubuntu1.19                                  deb     CVE-2024-41996  Low         
passwd                 1:4.8.1-2ubuntu2.2                                 deb     CVE-2024-56433  Medium      
passwd                 1:4.8.1-2ubuntu2.2                                 deb     CVE-2023-29383  Low         
python3.10             3.10.12-1~22.04.9                                  deb     CVE-2025-1795   Low         
python3.10-minimal     3.10.12-1~22.04.9                                  deb     CVE-2025-1795   Low


Reason for the False Positive

  1. Ubuntu has already patched CVE-2022-1271 in gzip 1.10-4ubuntu4.1

    • According to the gzip changelog in Ubuntu 22.04, multiple patches addressing CVE-2022-1271 have been applied.
    • Running apt changelog gzip | grep CVE-2022-1271 confirms that six specific patches (patch-1 to patch-6) were implemented to mitigate the vulnerability without upgrading to 1.12.
       root@32f432d75ee3:/# apt changelog gzip | grep CVE-2022-1271
      
       WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
      
       - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline
       - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am,
       - debian/patches/CVE-2022-1271-3.patch: port to POSIX sed in zgrep.in.
       - debian/patches/CVE-2022-1271-4.patch: optimize out a grep in
       - debian/patches/CVE-2022-1271-5.patch: use C locale more often in
       - debian/patches/CVE-2022-1271-6.patch: fix "binary file matches"
       - CVE-2022-1271
      
  2. Grype does not recognize Ubuntu's security patches

    • Grype detects vulnerabilities based on software versions without considering distribution-specific security patches.
    • As a result, it mistakenly assumes that gzip 1.10 is still vulnerable, even though the installed version (1.10-4ubuntu4.1) already contains the necessary fixes.
  3. Official confirmation from Ubuntu

    • The Ubuntu security page for CVE-2022-1271 confirms that the issue was fixed in version 1.10-4ubuntu4.
    • The installed version (1.10-4ubuntu4.1) is newer and includes the same security patches.
  4. Installation verification

    • The following command confirms that the patched version of gzip is installed:
        root@32f432d75ee3:/# apt list -a gzip
        Listing... Done
        gzip/jammy-updates,now 1.10-4ubuntu4.1 amd64 [installed]
        gzip/jammy 1.10-4ubuntu4 amd64
    • This verifies that we are running the patched version of gzip.
  5. Grype is using NVD feed instead of Ubuntu vulnerability feed

    • By executing the command grype <image_name> -o json | jq '.matches[] | select(.artifact.name == "gzip")' we obtain the following result:

         ✔ Loaded image                    cti_cti:latest 
         ✔ Vulnerability DB                [no update available]  
         ✔ Parsed image                    sha256:6f8374513a25632d47859b454246528fa99071f27d85dfae3fa875df2ec7b971 
         ✔ Cataloged contents              bc3b9f7b90943b4131423068d8facd43b61cd030c73695acf5f5407f8da119bf 
           ├── ✔ Packages                        [192 packages]  
           ├── ✔ File digests                    [3,317 files]  
           ├── ✔ File metadata                   [3,317 locations]  
           └── ✔ Executables                     [884 executables]  
         ✔ Scanned for vulnerabilities     [67 vulnerability matches]  
           ├── by severity: 0 critical, 1 high, 19 medium, 40 low, 7 negligible
           └── by status:   24 fixed, 43 not-fixed, 0 ignored 
        {
          "vulnerability": {
            "id": "CVE-2022-1271",
            "dataSource": "nvd",
            "namespace": "nvd:cpe",
            "severity": "High",
            "urls": [
              "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
              "https://access.redhat.com/security/cve/CVE-2022-1271",
              "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
              "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
              "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
              "https://security-tracker.debian.org/tracker/CVE-2022-1271",
              "https://security.gentoo.org/glsa/202209-01",
              "https://security.netapp.com/advisory/ntap-20220930-0006/",
              "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
              "https://www.openwall.com/lists/oss-security/2022/04/07/8",
              "https://access.redhat.com/security/cve/CVE-2022-1271",
              "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
              "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
              "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
              "https://security-tracker.debian.org/tracker/CVE-2022-1271",
              "https://security.gentoo.org/glsa/202209-01",
              "https://security.netapp.com/advisory/ntap-20220930-0006/",
              "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
              "https://www.openwall.com/lists/oss-security/2022/04/07/8"
            ],
            "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
            "cvss": [
              {
                "source": "[email protected]",
                "type": "Primary",
                "version": "3.1",
                "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "metrics": {
                  "baseScore": 8.8,
                  "exploitabilityScore": 2.9,
                  "impactScore": 5.9
                },
                "vendorMetadata": {}
              }
            ],
            "epss": [
              {
                "cve": "CVE-2022-1271",
                "epss": 0.07629,
                "percentile": 0.94292,
                "date": "2025-03-12"
              }
            ],
            "fix": {
              "versions": [
                "1.12"
              ],
              "state": "fixed"
            },
            "advisories": []
          },
          "relatedVulnerabilities": [
            {
              "id": "CVE-2022-1271",
              "dataSource": "nvd",
              "namespace": "nvd:cpe",
              "severity": "High",
              "urls": [
                "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
                "https://access.redhat.com/security/cve/CVE-2022-1271",
                "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
                "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
                "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
                "https://security-tracker.debian.org/tracker/CVE-2022-1271",
                "https://security.gentoo.org/glsa/202209-01",
                "https://security.netapp.com/advisory/ntap-20220930-0006/",
                "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
                "https://www.openwall.com/lists/oss-security/2022/04/07/8",
                "https://access.redhat.com/security/cve/CVE-2022-1271",
                "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
                "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
                "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
                "https://security-tracker.debian.org/tracker/CVE-2022-1271",
                "https://security.gentoo.org/glsa/202209-01",
                "https://security.netapp.com/advisory/ntap-20220930-0006/",
                "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
                "https://www.openwall.com/lists/oss-security/2022/04/07/8"
              ],
              "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
              "cvss": [
                {
                  "source": "[email protected]",
                  "type": "Primary",
                  "version": "3.1",
                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "metrics": {
                    "baseScore": 8.8,
                    "exploitabilityScore": 2.9,
                    "impactScore": 5.9
                  },
                  "vendorMetadata": {}
                }
              ],
              "epss": [
                {
                  "cve": "CVE-2022-1271",
                  "epss": 0.07629,
                  "percentile": 0.94292,
                  "date": "2025-03-12"
                }
              ]
            }
          ],
          "matchDetails": [
            {
              "type": "cpe-match",
              "matcher": "stock-matcher",
              "searchedBy": {
                "namespace": "nvd:cpe",
                "cpes": [
                  "cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*"
                ],
                "package": {
                  "name": "gzip",
                  "version": "1.10"
                }
              },
              "found": {
                "vulnerabilityID": "CVE-2022-1271",
                "versionConstraint": "< 1.12 (unknown)",
                "cpes": [
                  "cpe:2.3:a:gnu:gzip:*:*:*:*:*:*:*:*"
                ]
              },
              "fix": {
                "suggestedVersion": "1.12"
              }
            }
          ],
          "artifact": {
            "id": "acbe1c441587db3e",
            "name": "gzip",
            "version": "1.10",
            "type": "binary",
            "locations": [
              {
                "path": "/usr/bin/gzip",
                "layerID": "sha256:270a1170e7e398434ff1b31e17e233f7d7b71aa99a40473615860068e86720af",
                "accessPath": "/usr/bin/gzip",
                "annotations": {
                  "evidence": "primary"
                }
              }
            ],
            "language": "",
            "licenses": [],
            "cpes": [
              "cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*"
            ],
            "purl": "pkg:generic/[email protected]",
            "upstreams": []
          }
        }
    

Environment:

  • Output of grype version:
    Application:         grype
    Version:             0.89.0
    BuildDate:           2025-03-06T22:15:44Z
    GitCommit:           1bf47c38bede40dea7b72bbe4712191820f1aa15
    GitDescription:      v0.89.0
    Platform:            linux/amd64
    GoVersion:           go1.24.1
    Compiler:            gc
    Syft Version:        v1.20.0
    Supported DB Schema: 6
  • OS (e.g: cat /etc/os-release or similar):
    PRETTY_NAME="Ubuntu 22.04.5 LTS"
    NAME="Ubuntu"
    VERSION_ID="22.04"
    VERSION="22.04.5 LTS (Jammy Jellyfish)"
    VERSION_CODENAME=jammy
    ID=ubuntu
    ID_LIKE=debian
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    UBUNTU_CODENAME=jammy
@Damian-Mangold Damian-Mangold added the bug Something isn't working label Mar 13, 2025
@popey
Contributor

popey commented Mar 13, 2025

Hi @Damian-Mangold. Thanks for the issue.

Yes, I have reproduced that here with a simple container:

FROM ubuntu:22.04
RUN apt update -y
RUN apt install -y gzip

$ grype docker.io/library/grype-2527 -o json | grype explain --id CVE-2022-1271
[0000]  WARN grype explain is a prototype feature and is subject to change
 ✔ Loaded image index.docker.io/library/grype-2527:latest
 ✔ Parsed image sha256:285fd3cd1149e658358a2732bed6b1f3385977ea09c67789150664f8313340a5
 ✔ Cataloged contents 58348c5ad0344485d8ce41b2463e393172c3ddfa439719eb0db5964e10311515
   ├── ✔ Packages                        [103 packages]
   ├── ✔ File digests                    [2,291 files]
   ├── ✔ File metadata                   [2,291 locations]
   └── ✔ Executables                     [733 executables]
 ✔ Scanned for vulnerabilities     [60 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 19 medium, 33 low, 7 negligible
   └── by status:   24 fixed, 36 not-fixed, 0 ignored
CVE-2022-1271 from nvd:cpe (High) 
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
  Matched packages:
    - Package: gzip, version: 1.10
        PURL: pkg:generic/[email protected]
        Match explanation(s):
          - nvd:cpe:CVE-2022-1271 CPE match on `cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*`.
        Locations:
          - /usr/bin/gzip
        URLs:
           - nvd

Grype does know about the Ubuntu patches.

$ grype db search --distro ubuntu:22.04 --pkg gzip CVE-2022-1271
VULNERABILITY  PACKAGE  ECOSYSTEM  NAMESPACE                   VERSION CONSTRAINT
CVE-2022-1271  gzip     deb        ubuntu:distro:ubuntu:22.04  < 1.10-4ubuntu4

Seems we're matching on nvd though.

@westonsteimel
Contributor

westonsteimel commented Mar 13, 2025

gzip 1.10 1.12 binary CVE-2022-1271 High

We always match against nvd for packages with package type binary; that is expected. What should be happening, though, is that the binary package should get an ownership-by-file-overlap relationship with the deb package and end up being ignored for vuln matches, since Ubuntu is a comprehensive distro, so I think that would be where to look for issues.

@westonsteimel
Contributor

westonsteimel commented Mar 13, 2025

So the issue appears to be that the path /usr/bin/gzip is not included in the file manifest for the gzip package in the dpkg file data, therefore syft does not know that /usr/bin/gzip should be considered as part of the debian package and does not create an ownership-by-file-overlap relationship for it. If the relationship did exist then grype would suppress this FP.

cat /var/lib/dpkg/info/gzip.list
/.
/bin
/bin/gunzip
/bin/gzexe
/bin/gzip
/bin/uncompress
/bin/zcat
/bin/zcmp
/bin/zdiff
/bin/zegrep
/bin/zfgrep
/bin/zforce
/bin/zgrep
/bin/zless
/bin/zmore
/bin/znew
/usr
/usr/share
/usr/share/doc
/usr/share/doc/gzip
/usr/share/doc/gzip/NEWS.gz
/usr/share/doc/gzip/README.gz
/usr/share/doc/gzip/TODO
/usr/share/doc/gzip/changelog.Debian.gz
/usr/share/doc/gzip/copyright
/usr/share/info
/usr/share/info/gzip.info.gz
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/gzexe.1.gz
/usr/share/man/man1/gzip.1.gz
/usr/share/man/man1/zdiff.1.gz
/usr/share/man/man1/zforce.1.gz
/usr/share/man/man1/zgrep.1.gz
/usr/share/man/man1/zless.1.gz
/usr/share/man/man1/zmore.1.gz
/usr/share/man/man1/znew.1.gz
/usr/share/man/man1/gunzip.1.gz
/usr/share/man/man1/uncompress.1.gz
/usr/share/man/man1/zcat.1.gz
/usr/share/man/man1/zcmp.1.gz
/usr/share/man/man1/zegrep.1.gz
/usr/share/man/man1/zfgrep.1.gz
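To make the two explanations above concrete (binary-type artifacts are matched against NVD by CPE, and the ownership-by-file-overlap link that would suppress the match never forms because `/var/lib/dpkg/info/gzip.list` names `/bin/gzip` while syft found `/usr/bin/gzip`), here is an added triage script. It is not syft or grype code and does not reproduce their internal logic; it shows the idea with a small owner lookup over dpkg file lists. It assumes, as an inference from the list above, that Ubuntu 22.04 is a merged-/usr system where `/bin` is a symlink to `/usr/bin`, so the two paths name the same file. The dpkg list contents and the grype match are constructed, abbreviated copies of what this issue shows, and the `canonical`, `parse_dpkg_lists`, `owning_package`, `classify_match` and `triage` helpers are mine.

```python
"""Added example for this thread (not syft/grype code): why a file that syft
catalogued as a stand-alone "binary" package can fail to be linked to the deb
package that owns it, and how a triage script can make that link anyway.

Assumption (mine): Ubuntu 22.04 is merged-/usr, so /bin -> /usr/bin and the
dpkg entry /bin/gzip is the file syft reports as /usr/bin/gzip.
"""
import json
import posixpath

# Constructed sample of /var/lib/dpkg/info/<pkg>.list contents. As in the
# issue, gzip's list names /bin/gzip and never /usr/bin/gzip.
SAMPLE_DPKG_LISTS = {
    "gzip": "/.\n/bin\n/bin/gunzip\n/bin/gzip\n/bin/zgrep\n/usr\n/usr/share/doc/gzip/copyright\n",
    "coreutils": "/.\n/usr\n/usr/bin\n/usr/bin/ls\n",
}

# Top-level directories that are symlinks into /usr on merged-/usr systems.
USRMERGE_ALIASES = ("/bin", "/sbin", "/lib", "/lib32", "/lib64", "/libx32")


def canonical(path: str) -> str:
    """Rewrite merged-/usr aliases so /bin/gzip and /usr/bin/gzip compare equal."""
    path = posixpath.normpath(path)
    for alias in USRMERGE_ALIASES:
        if path == alias or path.startswith(alias + "/"):
            return "/usr" + path
    return path


def parse_dpkg_lists(lists: dict, canonicalise: bool = True) -> dict:
    """Build {path: owning package} from dpkg .list file contents.

    With canonicalise=False the lookup is a literal string match, which is
    the failure mode described in the issue: /usr/bin/gzip is never found.
    """
    owners = {}
    for pkg, text in lists.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line == "/.":
                continue
            owners[canonical(line) if canonicalise else line] = pkg
    return owners


def owning_package(path: str, owners: dict, canonicalise: bool = True):
    """Return the deb package owning `path`, or None if no package lists it."""
    return owners.get(canonical(path) if canonicalise else path)


def classify_match(match: dict, owners: dict) -> tuple:
    """Triage one element of grype's `-o json` `matches` array.

    A "binary" artifact is matched against NVD by CPE. If a deb package owns
    the same file, the distro feed (which knows Ubuntu's backported patches)
    is the authority, so the CPE match is a likely false positive.
    """
    artifact = match["artifact"]
    if artifact["type"] != "binary":
        return ("keep", "not a binary-classified artifact")
    for loc in artifact["locations"]:
        pkg = owning_package(loc["path"], owners)
        if pkg is not None:
            return ("likely-fp", f"{loc['path']} is owned by deb package {pkg}")
    return ("keep", "no deb package owns this file")


# Constructed, trimmed copy of the match the issue reporter pasted.
SAMPLE_MATCH = json.loads("""{
  "vulnerability": {"id": "CVE-2022-1271", "namespace": "nvd:cpe", "severity": "High"},
  "artifact": {"name": "gzip", "version": "1.10", "type": "binary",
               "locations": [{"path": "/usr/bin/gzip"}]}
}""")


def triage(matches, lists=SAMPLE_DPKG_LISTS):
    """Return [(vuln id, package, verdict, reason)] for a list of grype matches."""
    owners = parse_dpkg_lists(lists)
    return [(m["vulnerability"]["id"], m["artifact"]["name"], *classify_match(m, owners))
            for m in matches]


if __name__ == "__main__":
    literal = parse_dpkg_lists(SAMPLE_DPKG_LISTS, canonicalise=False)
    print("literal lookup of /usr/bin/gzip:", owning_package("/usr/bin/gzip", literal, False))
    for row in triage([SAMPLE_MATCH]):
        print(row)
```

Run against a real scan you would feed `triage()` the `matches` array of `grype <image> -o json` and read each `<pkg>.list` under `/var/lib/dpkg/info/` from the image filesystem; the literal lookup returning `None` while the canonicalised one returns `gzip` is exactly the gap between what the dpkg metadata says and what the catalogued path looks like.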

@Damian-Mangold
Author

Hi @westonsteimel @popey, thank you very much for the analysis. One extra piece of information that might be useful: with version 0.87 the vulnerability was not detected.


 ✔ Vulnerability DB                [updated]  
 ✔ Loaded image                    cti_cti:latest
 ✔ Parsed image                    sha256:bcde3477e12b7bbd3481bbe90351b890f1e2b6814088423d6aa59d47f48470c9
 ✔ Cataloged contents              5c64cd1fa7d091d393de1cddd3ab9399b52ebf230d47b80604e01c5a8b3d8884
   ├── ✔ Packages                        [190 packages]  
   ├── ✔ File digests                    [3,317 files]  
   ├── ✔ File metadata                   [3,317 locations]  
   └── ✔ Executables                     [884 executables]  
 ✔ Scanned for vulnerabilities     [66 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 19 medium, 40 low, 7 negligible
   └── by status:   23 fixed, 43 not-fixed, 0 ignored 
NAME                   INSTALLED                 FIXED-IN                 TYPE  VULNERABILITY   SEVERITY   
coreutils              8.32-4.1ubuntu1.2                                  deb   CVE-2016-2781   Low         
curl                   7.81.0-1ubuntu1.20                                 deb   CVE-2025-0167   Low         
gcc-12-base            12.3.0-1ubuntu1~22.04                              deb   CVE-2023-4039   Low         
gcc-12-base            12.3.0-1ubuntu1~22.04                              deb   CVE-2022-27943  Low         
gpgv                   2.2.27-3ubuntu2.1                                  deb   CVE-2022-3219   Low         
libc-bin               2.35-0ubuntu3.8           2.35-0ubuntu3.9          deb   CVE-2025-0395   Medium      
libc-bin               2.35-0ubuntu3.8                                    deb   CVE-2016-20013  Negligible  
libc6                  2.35-0ubuntu3.8           2.35-0ubuntu3.9          deb   CVE-2025-0395   Medium      
libc6                  2.35-0ubuntu3.8                                    deb   CVE-2016-20013  Negligible  
libcap2                1:2.44-1ubuntu0.22.04.1   1:2.44-1ubuntu0.22.04.2  deb   CVE-2025-1390   Medium      
libcurl4               7.81.0-1ubuntu1.20                                 deb   CVE-2025-0167   Low         
libgcc-s1              12.3.0-1ubuntu1~22.04                              deb   CVE-2023-4039   Low         
libgcc-s1              12.3.0-1ubuntu1~22.04                              deb   CVE-2022-27943  Low         
libgcrypt20            1.9.4-3ubuntu3                                     deb   CVE-2024-2236   Low         
libgnutls30            3.7.3-4ubuntu1.5          3.7.3-4ubuntu1.6         deb   CVE-2024-12243  Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2025-24528  Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb   CVE-2024-3596   Medium      
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26461  Low         
libgssapi-krb5-2       1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26458  Negligible  
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2025-24528  Medium      
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb   CVE-2024-3596   Medium      
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26461  Low         
libk5crypto3           1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26458  Negligible  
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2025-24528  Medium      
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb   CVE-2024-3596   Medium      
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26461  Low         
libkrb5-3              1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26458  Negligible  
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2025-24528  Medium      
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.5        deb   CVE-2024-3596   Medium      
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26461  Low         
libkrb5support0        1.19.2-2ubuntu0.4         1.19.2-2ubuntu0.6        deb   CVE-2024-26458  Negligible  
libncurses6            6.3-2ubuntu0.1                                     deb   CVE-2023-50495  Low         
libncurses6            6.3-2ubuntu0.1                                     deb   CVE-2023-45918  Low         
libncursesw6           6.3-2ubuntu0.1                                     deb   CVE-2023-50495  Low         
libncursesw6           6.3-2ubuntu0.1                                     deb   CVE-2023-45918  Low         
libpam-modules         1.4.0-11ubuntu2.5                                  deb   CVE-2024-10041  Medium      
libpam-modules-bin     1.4.0-11ubuntu2.5                                  deb   CVE-2024-10041  Medium      
libpam-runtime         1.4.0-11ubuntu2.5                                  deb   CVE-2024-10041  Medium      
libpam0g               1.4.0-11ubuntu2.5                                  deb   CVE-2024-10041  Medium      
libpcre2-8-0           10.39-3ubuntu0.1                                   deb   CVE-2022-41409  Low         
libpcre3               2:8.39-13ubuntu0.22.04.1                           deb   CVE-2017-11164  Negligible  
libpython3.10-minimal  3.10.12-1~22.04.9                                  deb   CVE-2025-1795   Low         
libpython3.10-stdlib   3.10.12-1~22.04.9                                  deb   CVE-2025-1795   Low         
libssl3                3.0.2-0ubuntu1.18         3.0.2-0ubuntu1.19        deb   CVE-2024-9143   Low         
libssl3                3.0.2-0ubuntu1.18                                  deb   CVE-2024-41996  Low         
libssl3                3.0.2-0ubuntu1.18         3.0.2-0ubuntu1.19        deb   CVE-2024-13176  Low         
libstdc++6             12.3.0-1ubuntu1~22.04                              deb   CVE-2023-4039   Low         
libstdc++6             12.3.0-1ubuntu1~22.04                              deb   CVE-2022-27943  Low         
libsystemd0            249.11-0ubuntu3.12                                 deb   CVE-2023-7008   Low         
libtasn1-6             4.18.0-4build1            4.18.0-4ubuntu0.1        deb   CVE-2024-12133  Medium      
libtasn1-6             4.18.0-4build1                                     deb   CVE-2021-46848  Low         
libtinfo6              6.3-2ubuntu0.1                                     deb   CVE-2023-50495  Low         
libtinfo6              6.3-2ubuntu0.1                                     deb   CVE-2023-45918  Low         
libudev1               249.11-0ubuntu3.12                                 deb   CVE-2023-7008   Low         
libzstd1               1.4.8+dfsg-3build1                                 deb   CVE-2022-4899   Low         
login                  1:4.8.1-2ubuntu2.2                                 deb   CVE-2024-56433  Medium      
login                  1:4.8.1-2ubuntu2.2                                 deb   CVE-2023-29383  Low         
ncurses-base           6.3-2ubuntu0.1                                     deb   CVE-2023-50495  Low         
ncurses-base           6.3-2ubuntu0.1                                     deb   CVE-2023-45918  Low         
ncurses-bin            6.3-2ubuntu0.1                                     deb   CVE-2023-50495  Low         
ncurses-bin            6.3-2ubuntu0.1                                     deb   CVE-2023-45918  Low         
openssl                3.0.2-0ubuntu1.19                                  deb   CVE-2024-41996  Low         
passwd                 1:4.8.1-2ubuntu2.2                                 deb   CVE-2024-56433  Medium      
passwd                 1:4.8.1-2ubuntu2.2                                 deb   CVE-2023-29383  Low         
python3.10             3.10.12-1~22.04.9                                  deb   CVE-2025-1795   Low         
python3.10-minimal     3.10.12-1~22.04.9                                  deb   CVE-2025-1795   Low
A newer version of grype is available for download: 0.89.0 (installed version is 0.87.0)

@westonsteimel
Contributor

westonsteimel commented Mar 14, 2025

So that appears to be because v0.87.0 of grype used syft v1.19.0 and if you create an sbom using that version of syft it does not output a binary type package for gzip, therefore grype won't match on it and get this FP. So for whoever investigates this further it seems likely that it is something on the syft side. Perhaps the gzip binary classifier wasn't working previously and now is? I'm not sure yet what changed there between releases that may have caused it to detect a new thing
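The overlap described in the comment above (a binary-classifier package for gzip sitting beside the distro deb, so grype matches the binary entry against upstream version ranges that know nothing about Ubuntu's backported fix) can be checked for directly in the SBOM before triaging a report. The following helper is an added example, not grype's or syft's own code; the SBOM it reads is a constructed sample, and the field names (`artifacts`, `name`, `version`, `type`) are assumed to follow syft's JSON output.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a syft JSON SBOM (assumed field names:
# "artifacts" entries with "name", "version", "type"). Not real scanner output.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "gzip", "version": "1.10-4ubuntu4.1", "type": "deb"},
        {"name": "gzip", "version": "1.10", "type": "binary"},
        {"name": "openssl", "version": "3.0.2-0ubuntu1.19", "type": "deb"},
        {"name": "python", "version": "3.10.12", "type": "binary"},
    ]
})

# Package types whose versions carry distro revisions and backported fixes.
OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}


def upstream_version(distro_version: str) -> str:
    """Strip a Debian-style epoch ("2:") and revision ("-4ubuntu4.1")."""
    return distro_version.split(":", 1)[-1].split("-", 1)[0]


def shadowed_binaries(sbom_json: str) -> list[dict]:
    """Return binary-type packages whose name is also catalogued as an OS package.

    A binary entry that duplicates a distro package is a likely false-positive
    source: the scanner matches it against the upstream fixed version, while the
    deb with the same upstream version may already carry the backported fix.
    """
    sbom = json.loads(sbom_json)
    by_name = defaultdict(list)
    for pkg in sbom.get("artifacts", []):
        by_name[pkg["name"]].append(pkg)

    findings = []
    for name, pkgs in by_name.items():
        os_pkgs = [p for p in pkgs if p["type"] in OS_PACKAGE_TYPES]
        bin_pkgs = [p for p in pkgs if p["type"] == "binary"]
        for b in bin_pkgs:
            for o in os_pkgs:
                findings.append({
                    "name": name,
                    "binary_version": b["version"],
                    "os_version": o["version"],
                    "same_upstream": upstream_version(o["version"]) == b["version"],
                })
    return findings


if __name__ == "__main__":
    for f in shadowed_binaries(SAMPLE_SBOM):
        print(f"{f['name']}: binary {f['binary_version']} shadows deb "
              f"{f['os_version']} (same upstream: {f['same_upstream']})")
```

Running it against a real `syft -o json` SBOM of the image lists the candidates to review first; a hit with `same_upstream` true is exactly the gzip situation in this report.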
