Upgrade kardianos service due to CVE-2022-29583

Summary

When scanning the GitLab Runner image, CVE-2022-29583 shows up as a high-severity vulnerability.

This came up in a Zendesk Ticket - internal only.

The customer is using Azure Defender to scan the GitLab Runner image.

The vulnerability also appears when running a scan using Grype.

This vulnerability also appears to have been disputed, but it still shows up in scans:

CVE-2022-29583

Similar kardianos service upgrade issue: #27757 (closed)

Steps to reproduce

grype gitlab/gitlab-runner --scope all-layers -o json > runner-grype.json

cat runner-grype.json | grep 29583 || echo -e "\nCVE-2022-29583 NOT PRESENT\n"

Actual behavior

Customers running scans on GitLab Runner received reports of a vulnerability in the kardianos/service package.

Expected behavior

The vulnerability should not be present after upgrading to kardianos/service v1.2.2, i.e. with the following go.mod requirement:

require github.com/kardianos/service v1.2.2

Relevant logs and/or screenshots

Grype results
  {
   "vulnerability": {
    "id": "GHSA-xm99-6pv5-q363",
    "dataSource": "https://github.com/advisories/GHSA-xm99-6pv5-q363",
    "namespace": "github:language:go",
    "severity": "High",
    "urls": [
     "https://github.com/advisories/GHSA-xm99-6pv5-q363"
    ],
    "description": "OS Command injection in github.com/kardianos/service",
    "cvss": [],
    "fix": {
     "versions": [],
     "state": "not-fixed"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [
    {
     "id": "CVE-2022-29583",
     "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29583",
     "namespace": "nvd:cpe",
     "severity": "High",
     "urls": [
      "https://github.com/kardianos/service/pull/290"
     ],
     "description": "service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory.",
     "cvss": [
      {
       "version": "2.0",
       "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
       "metrics": {
        "baseScore": 4.6,
        "exploitabilityScore": 3.9,
        "impactScore": 6.4
       },
       "vendorMetadata": {}
      },
      {
       "version": "3.1",
       "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
       "metrics": {
        "baseScore": 7.8,
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
       },
       "vendorMetadata": {}
      }
     ]
    }
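As an added check (not code from this issue, GitLab Runner or Grype), the Go program below parses a Grype JSON report in the layout shown above and reports, for each module version matched on CVE-2022-29583, whether that version already meets the fix version v1.2.2; unlike the grep in the reproduction steps, it separates a genuinely old dependency from a match the scanner still reports against an upgraded build. It assumes Grype's top-level `matches` array and per-match `artifact` object with `name` and `version`; the sample report is constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Subset of Grype's report; encoding/json matches "matches", "vulnerability", "id" etc. case-insensitively.
type grypeReport struct {
	Matches []struct {
		Vulnerability          struct{ ID string }
		RelatedVulnerabilities []struct{ ID string }
		Artifact               struct{ Name, Version string }
	}
}
// versionAtLeast compares vMAJOR.MINOR.PATCH numerically; a "-rc1"-style suffix is ignored.
func versionAtLeast(v, fix string) bool {
	var a, b [3]int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(strings.TrimPrefix(fix, "v"), "%d.%d.%d", &b[0], &b[1], &b[2])
	// lexicographic: major, then minor, then patch
	return a[0] > b[0] || a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] >= b[2])
}
// FindingsFor maps each "module@version" whose primary or related id equals cve to whether
// that version already meets fixedIn, so a match against an upgraded build is visibly stale.
func FindingsFor(report []byte, cve, fixedIn string) (map[string]bool, error) {
	var r grypeReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, m := range r.Matches {
		hit := m.Vulnerability.ID == cve
		for _, rv := range m.RelatedVulnerabilities {
			hit = hit || rv.ID == cve
		}
		if hit {
			out[m.Artifact.Name+"@"+m.Artifact.Version] = versionAtLeast(m.Artifact.Version, fixedIn)
		}
	}
	return out, nil
}
// SampleReport is a constructed two-match excerpt in Grype's layout, not real scan output.
const SampleReport = `{"matches":[
 {"vulnerability":{"id":"GHSA-xm99-6pv5-q363"},"relatedVulnerabilities":[{"id":"CVE-2022-29583"}],"artifact":{"name":"github.com/kardianos/service","version":"v1.2.1"}},
 {"vulnerability":{"id":"GHSA-xm99-6pv5-q363"},"relatedVulnerabilities":[{"id":"CVE-2022-29583"}],"artifact":{"name":"github.com/kardianos/service","version":"v1.2.2"}}]}`
func main() {
	fs, _ := FindingsFor([]byte(SampleReport), "CVE-2022-29583", "v1.2.2")
	fmt.Println(fs) // map[github.com/kardianos/service@v1.2.1:false github.com/kardianos/service@v1.2.2:true]
}
```

Run it against the file produced by the reproduction step with `FindingsFor(os.ReadFile("runner-grype.json"))`-style input to see which kardianos/service version the scanner actually matched.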

Environment description

config.toml contents

Used GitLab Runner version

# gitlab-runner version
Runtime platform                                    arch=amd64 os=linux pid=9 revision=d540b510 version=15.9.1

Possible fixes

Upgrade the kardianos/service dependency to v1.2.2.

Edited by Christopher Mutua