From 17ff2285fcc872e6b639be3654d7e01a1821df03 Mon Sep 17 00:00:00 2001
From: Gero Posmyk-Leinemann
Date: Thu, 5 Mar 2026 11:14:37 +0000
Subject: [PATCH] [ide-proxy] Fix CVE-2019-1010022 by not copying system binaries into final image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The compress stage copied local-app binaries into /bin, then COPY --from=compress /bin pulled the entire directory — including glibc's ldconfig — into the final image. Use a dedicated /app-bin directory so only the intended binaries are included.

fixes CLC-2225

Co-authored-by: Ona
---
 components/ide-proxy/Dockerfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/components/ide-proxy/Dockerfile b/components/ide-proxy/Dockerfile
index da7f644201c56b..6743dc57460db0 100644
--- a/components/ide-proxy/Dockerfile
+++ b/components/ide-proxy/Dockerfile
@@ -6,10 +6,11 @@ FROM cgr.dev/chainguard/wolfi-base:latest@sha256:c2279797be0446bd0c92a079b1975c5
 RUN apk add brotli gzip curl
-# Gitpod CLI and Local App
-COPY components-local-app--app-with-manifest/bin/* /bin/
+# Gitpod CLI and Local App — use a dedicated directory to avoid copying
+# system binaries (e.g. glibc's ldconfig) into the final image.
+COPY components-local-app--app-with-manifest/bin/* /app-bin/
-RUN for FILE in `ls /bin/gitpod-local-companion*`;do \
+RUN for FILE in `ls /app-bin/gitpod-local-companion*`;do \
 gzip -v -f -9 -k "$FILE"; \
 done
@@ -29,4 +30,4 @@ COPY --from=caddy-builder /caddy /usr/bin/caddy
 COPY conf/Caddyfile /etc/caddy/Caddyfile
 COPY static /www/
 COPY --from=compress /static /www
-COPY --from=compress /bin /www/static/bin
+COPY --from=compress /app-bin /www/static/bin
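Review bot: The rewritten `RUN for FILE in \`ls /app-bin/gitpod-local-companion*\`;do \` line still word-splits `ls` output, so a filename containing whitespace would be split into several loop items and an empty match would run gzip on the literal pattern; iterating the glob directly, `RUN for FILE in /app-bin/gitpod-local-companion*; do \`, is the shellcheck-clean equivalent with the same result for the present filenames. The new `COPY components-local-app--app-with-manifest/bin/* /app-bin/` still takes whatever the build-context directory holds, so the directory served from `/www/static/bin` (second hunk) is only as clean as that context directory; if the artifact names are fixed, listing them explicitly in the COPY would make the stated intent — only the intended binaries reach the served path — enforceable rather than implicit. A one-line comment on the COPY naming the expected artifacts, e.g. `# expected: gitpod-local-companion-* binaries only; anything else here is served publicly`, would help the next reviewer spot a regression.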