Add pre-commit

[MH0386]

Summary by Sourcery

Add a dedicated pre-commit job to the GitHub Actions code analysis workflow and ensure it completes before downstream checks

CI:

• Introduce a “pre-commit” job in the code_analysis workflow to run pre-commit/action and pre-commit-ci/lite-action
• Update the final analysis job to depend on the new pre-commit job

Summary by CodeRabbit

• Chores
  • Added and updated configuration files for automated dependency updates, code formatting, Docker workflows, GitHub Actions, and HuggingFace deployment.
  • Introduced new workflow for scheduled Trunk upgrades.
  • Improved workflow reliability by pinning GitHub Actions to specific commit SHAs and refining concurrency controls.
  • Added IDE configuration and ignore files to streamline local development and version control integration.
  • Updated pre-commit check handling for workflow consistency.

[gitnotebooks]

Review these changes at https://app.gitnotebooks.com/AlphaSphereDotAI/vocalizr/pull/123

[sourcery-ai]

Reviewer's Guide

This PR integrates a pre-commit verification step into the CI pipeline by adding a dedicated job and updating downstream job dependencies in the GitHub Actions workflow.

Flow diagram for pre-commit job steps in CI

flowchart TD
    A[Start pre-commit job] --> B[Checkout repository]
    B --> C[Setup Python 3.x]
    C --> D[Run pre-commit checks]
    D --> E[Run pre-commit-ci lite action]
    E --> F[End pre-commit job]

Loading

File-Level Changes

Change	Details	Files
Add pre-commit job to CI workflow	Define a new 'pre-commit' job running on ubuntu-latest Checkout the repository Setup Python 3.x environment Execute pre-commit/[email protected] Execute pre-commit-ci/[email protected] with fallback	.github/workflows/code_analysis.yml
Include pre-commit as a dependency for downstream job	Add 'pre-commit' to the needs array of the existing job	.github/workflows/code_analysis.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Walkthrough

This update introduces several new configuration files for IDE and automation tools, restructures and refines GitHub Actions workflows by pinning action versions, consolidates pre-commit checks, and adds new workflows for dependency management and automated formatting upgrades. It also enhances concurrency controls and updates event triggers across workflows.

Changes

File(s)	Change Summary
.github/mergify.yml	Simplified queue rule for successful checks by consolidating pre-commit checks into a single unified check.
.github/dependabot.yaml	Added Dependabot configuration for weekly updates across multiple ecosystems.
.github/workflows/code_analysis.yaml	Restructured workflow: replaced Trunk formatting with pre-commit hooks, updated permissions, action versions.
.github/workflows/docker.yaml	Updated triggers, added concurrency, renamed jobs, and pinned all actions to commit SHAs.
.github/workflows/github.yaml	Added concurrency, removed RC tag trigger, pinned actions to SHAs, and updated install and release steps.
.github/workflows/huggingface.yaml	Changed triggers, permissions, concurrency, renamed job, and pinned actions to SHAs.
.github/workflows/trunk_upgrade.yaml	Added new scheduled workflow for Trunk Check upgrades with concurrency and pinned actions.
.idea/.gitignore, .idea/VoiceGenerator.iml, .idea/dictionaries/project.xml, .idea/inspectionProfiles/profiles_settings.xml, .idea/modules.xml, .idea/ruff.xml, .idea/vcs.xml	Added IDE configuration files: module, dictionary, inspection profiles, modules, Ruff config, VCS mapping.
.trunk/configs/.isort.cfg	Deleted isort configuration file specifying black profile.
.trunk/configs/.markdownlint.yaml	Removed comment line; retained prettier-friendly markdownlint preset.
.trunk/configs/.yamllint.yaml	Removed explicit max line length limit from YAML lint config.
.trunk/configs/ruff.toml	Replaced minimal Ruff config with detailed linting and formatting configuration.
.trunk/trunk.yaml	Upgraded trunk plugin version; updated lint config by disabling prettier, adding/removing/enabling linters; added new actions.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub Actions
    participant Pre-commit
    participant Trunk
    participant Dependabot

    Developer->>GitHub Actions: Push/PR/Release/Dispatch
    GitHub Actions->>Pre-commit: Run pre-commit hooks (code_analysis.yaml)
    GitHub Actions->>Trunk: Run Trunk job (if applicable)
    GitHub Actions->>Dependabot: Weekly dependency check (dependabot.yaml)
    GitHub Actions->>GitHub Actions: Enforce concurrency group (one run per branch/workflow)

Loading

Possibly related PRs

• AlphaSphereDotAI/vocalizr#112: Adds a .github/dependabot.yaml file configuring multiple ecosystems, directly related to the new Dependabot configuration.
• AlphaSphereDotAI/vocalizr#117: Modifies .github/mergify.yml, related to the simplification of pre-commit check conditions.
• AlphaSphereDotAI/vocalizr#110: Modifies .github/workflows/code_analysis.yaml, related to workflow restructuring and triggers.

Suggested reviewers

• sourcery-ai

Poem

In the warren of config and code,
New workflows and checks now neatly bestowed.
Dependabot hops in, updates in tow,
Pre-commit and Trunk keep the carrots in row.
With SHAs pinned tight and concurrency clear,
This bunny’s proud—automation is here!
🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f8e4be2 and b37ade1.

📒 Files selected for processing (8)

• .github/mergify.yml (3 hunks)
• .github/workflows/github.yaml (3 hunks)
• .idea/dictionaries/project.xml (1 hunks)
• .trunk/configs/.isort.cfg (0 hunks)
• .trunk/configs/.markdownlint.yaml (0 hunks)
• .trunk/configs/.yamllint.yaml (0 hunks)
• .trunk/configs/ruff.toml (1 hunks)
• .trunk/trunk.yaml (1 hunks)

💤 Files with no reviewable changes (3)

• .trunk/configs/.isort.cfg
• .trunk/configs/.markdownlint.yaml
• .trunk/configs/.yamllint.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• .idea/dictionaries/project.xml
• .github/mergify.yml
• .github/workflows/github.yaml

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: Trunk Check
• GitHub Check: Trunk Code Quality
• GitHub Check: Build and push Docker image
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (10)

.trunk/trunk.yaml (6)

10-10: Upgrade Trunk plugin to v1.7.0: verify compatibility
Ensure that moving from v1.6.8 to v1.7.0 doesn’t introduce breaking changes or require config adjustments based on the plugin’s release notes.

---

17-18: Explicitly disable Prettier: confirm formatting alternative
Disabling Prettier here implies you’re relying solely on other formatters (e.g., Ruff). Please confirm that no Prettier-dependent workflows or IDE settings remain.

---

20-24: Add new linters for broader coverage
Introducing ty, yamllint, pre-commit-hooks, trivy, and upgraded gitleaks strengthens linting and security checks—great addition.

---

27-27: Bump Checkov to 3.2.442: review changelog
Upgrading Checkov is beneficial, but double-check its changelog for any altered rule behavior or new dependencies.

---

31-33: Upgrade Renovate, Ruff & TruffleHog versions
Raising Renovate, Ruff, and TruffleHog to their latest minor releases is good. Ensure your updated ruff.toml and Renovate config align with these versions.

---

36-37: Enable new Trunk actions for pre-commit workflows
Adding trunk-check-pre-push-always and trunk-check-pre-commit integrates your pre-commit hooks into Trunk’s pipeline—solid improvement.

.trunk/configs/ruff.toml (4)

1-11: Expand exclude list to optimize linting performance
Excluding common artifacts (.git, caches, virtual environments, dist) is appropriate. Verify that any custom build/output dirs unique to this repo are also covered.

---

13-16: Set project‐wide formatting boundaries: confirm standards
indent-width = 4 and line-length = 79 adhere to PEP 8, but the team may prefer 88 (Black default). Please confirm these limits align with your style guide.

---

17-23: Refined lint settings with selective codes & fixables
Selecting E4, E7, E9, F and enabling all fixable issues is a thorough approach. The dummy-variable regex is correctly scoped.

---

24-31: Define formatting rules for consistency
Double quotes, space indentation, trailing commas, and dynamic docstring wrapping align with modern Python style. Looks good.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[deepsource-io]

Here's the code health analysis summary for commits ac3faf0..6166391. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Python	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[Copilot]

Pull Request Overview

This PR adds a new pre-commit job to the GitHub Actions workflow to integrate pre-commit hooks into the CI process.

• Introduces a dedicated pre-commit job with checkout, Python setup, and two pre-commit actions
• Updates the dependency chain for the subsequent job by adding the pre-commit job

[Copilot]

Consider adding an inline comment to clarify the need for using both pre-commit actions, which could help future maintainers understand their distinct roles within the workflow.

Suggested change

	python-version: 3.x
	- uses: pre-commit/[email protected]
	python-version: 3.x
	# Run pre-commit hooks locally to ensure code quality checks are performed.
	- uses: pre-commit/[email protected]
	# Ensure compliance with pre-commit checks, even if they fail locally.

[sourcery-ai]

Hey @MH0386 - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/code_analysis.yml (1)

20-22: Clarify responsibilities of pre-commit steps
It’s not immediately obvious why both pre-commit/action and pre-commit-ci/lite-action are used. Consider adding inline comments to explain their distinct roles (e.g., local hook enforcement vs. CI reporting).

🧹 Nitpick comments (1)

.github/workflows/code_analysis.yml (1)

16-17: Standardize action version pinning
The pre-commit job uses floating tags for actions/checkout and actions/setup-python, whereas other jobs pin to specific SHAs. For reproducibility, consider unifying the pinning strategy across all jobs.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 42042b4 and 8df94ff.

📒 Files selected for processing (2)

• .github/mergify.yml (1 hunks)
• .github/workflows/code_analysis.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/code_analysis.yml

16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

17-17: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Build and push Docker image
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (3)

.github/workflows/code_analysis.yml (2)

12-14: Add dedicated pre-commit CI job
The new pre-commit job is correctly configured under the workflow’s jobs to enforce pre-commit hooks on both push and PR events.

---

47-47: Ensure trunk waits for pre-commit
Updating trunk to depend on pre-commit ensures that code quality gates run before the main analysis. This correctly enforces the CI order.

.github/mergify.yml (1)

72-72: Include Pre-commit in Mergify queue rules
Adding the Pre-commit check ensures Mergify will only merge when the new CI job passes. Confirm that the check name exactly matches the workflow’s job name (Pre-commit).

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/code_analysis.yml (1)

14-24: Clarify the dual pre-commit steps
It’s not immediately obvious why both pre-commit/action (hooks execution) and pre-commit-ci/lite-action (CI annotation) are run. Adding an inline comment will help future maintainers understand their distinct roles.

Example:

    - uses: pre-commit/[email protected]    # Run hooks locally (checks & fixes)
    - uses: pre-commit-ci/[email protected]   # Annotate PR with hook results

🧹 Nitpick comments (2)

.github/workflows/code_analysis.yml (2)

38-43: Guard the commit step against no-op failures
If trunk fmt makes no changes, git commit will error and fail the job. Add a check so the commit only runs when there are modifications.

Proposed diff:

-          git commit -m "Formatting"
+          git diff --quiet || git commit -m "Formatting"

---

50-50: Review job ordering between formatting and pre-commit
Right now, trunk waits on both format_codebase and pre-commit in parallel. This can surface pre-commit failures on issues that the format step would auto-fix. Consider changing the dependency graph so formatting runs before the pre-commit checks to avoid redundant failures.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8df94ff and 7c2051a.

📒 Files selected for processing (1)

• .github/workflows/code_analysis.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/code_analysis.yml

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

21-21: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Build and push Docker image
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.github/workflows/code_analysis.yml (1)

23-25: Add inline comments explaining both pre-commit actions.

Clarify that pre-commit/action runs hooks locally, and pre-commit-ci/lite-action enforces them on CI with annotations.

🧹 Nitpick comments (1)

.github/workflows/code_analysis.yml (1)

33-35: Unify checkout action version usage.

In the format_codebase job you pin actions/checkout to a commit SHA, while the pre-commit job uses actions/checkout@v3. For consistency and maintainability, consider using the same version pattern across all jobs.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f717c81 and 57b6f36.

📒 Files selected for processing (1)

• .github/workflows/code_analysis.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/code_analysis.yml

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

22-22: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Build and push Docker image
• GitHub Check: Pre-commit
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (2)

.github/workflows/code_analysis.yml (2)

10-13: Added pull-requests permission for annotation support.

This grants pre-commit-ci/lite-action the required permission to annotate pull requests, satisfying previous permission issues.

---

52-52: Include pre-commit in trunk job dependencies.

This ensures that pre-commit checks pass before quality analysis. Good integration.

[coderabbitai]

⚠️ Potential issue

Specify the Python version in setup-python.

The actions/setup-python@v4 step requires a python-version input (e.g., 3.x) to install the correct interpreter.
Apply this diff:

-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x

🧰 Tools

🪛 actionlint (1.7.7)

22-22: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

In .github/workflows/code_analysis.yml at line 22, the setup-python action is
missing the required python-version input. Add a python-version field with the
desired version (e.g., '3.x') to the uses step to specify which Python
interpreter version to install.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

.github/workflows/code_analysis.yaml (2)

38-38: Unify actions/checkout version specification.

The pre-commit job uses @v4 while trunk uses a commit SHA pinned to v4. Consider standardizing your pinning approach for consistency.

---

61-61: Align setup-uv action version across jobs.

The compatibility job pins astral-sh/setup-uv to a different commit than trunk. Using a single commit SHA for both jobs will avoid version drift.

.github/workflows/huggingface.yaml (2)

11-11: Restrict broad read-all permission.

Granting read-all is overly permissive. Consider least-privilege scopes (e.g., contents: read) where possible.

---

23-23: Pin setup-uv action commit.

Good for stability—verify this SHA matches the one used in other workflows if needed.

.github/workflows/github.yaml (1)

47-47: Pin setup-uv action commit.

Pinning is good practice; ensure you align this SHA with others for consistency.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9100913 and f8e4be2.

📒 Files selected for processing (13)

• .github/dependabot.yaml (1 hunks)
• .github/workflows/code_analysis.yaml (2 hunks)
• .github/workflows/docker.yaml (3 hunks)
• .github/workflows/github.yaml (3 hunks)
• .github/workflows/huggingface.yaml (2 hunks)
• .github/workflows/trunk_upgrade.yaml (1 hunks)
• .idea/.gitignore (1 hunks)
• .idea/VoiceGenerator.iml (1 hunks)
• .idea/dictionaries/project.xml (1 hunks)
• .idea/inspectionProfiles/profiles_settings.xml (1 hunks)
• .idea/modules.xml (1 hunks)
• .idea/ruff.xml (1 hunks)
• .idea/vcs.xml (1 hunks)

✅ Files skipped from review due to trivial changes (9)

• .idea/VoiceGenerator.iml
• .idea/vcs.xml
• .idea/dictionaries/project.xml
• .idea/inspectionProfiles/profiles_settings.xml
• .idea/ruff.xml
• .idea/modules.xml
• .github/dependabot.yaml
• .github/workflows/trunk_upgrade.yaml
• .idea/.gitignore

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Trunk Code Quality
• GitHub Check: Build and push Docker image
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (31)

.github/workflows/code_analysis.yaml (3)

10-12: Review and tighten workflow permissions.

The workflow now grants contents: write and pull-requests: write. Ensure these are the minimum required scopes and adjust to follow the least-privilege principle.

---

14-26: Add pre-commit job for linting and formatting.

Introducing a dedicated pre-commit job with pinned versions and if: always() ensures consistent code hygiene before downstream checks.

---

33-35: Enforce pre-commit as dependency for Trunk.

The trunk job now depends on pre-commit (and compatibility), guaranteeing that formatting and lint checks pass first.

.github/workflows/huggingface.yaml (4)

3-6: Expand triggers to manual and release events.

Adding workflow_dispatch and release (published) broadens deployment flexibility. Confirm this aligns with your release process.

---

13-14: Add concurrency controls.

Ensures only one HuggingFace upload per branch, cancelling redundant runs.

---

21-22: Pin actions/checkout to a commit SHA.

Pinning provides reproducibility.

---

34-34: Fix .gitignore entry formatting.

Adding the trailing slash for .trunk/ ensures it is treated as a directory.

.github/workflows/github.yaml (8)

11-13: Add concurrency controls.

Grouping runs by workflow and ref prevents overlapping execution. Looks good.

---

22-22: Pin actions/checkout to a commit SHA.

Pinning ensures consistent checkouts across runs.

---

41-41: Reference details job via short array syntax.

Using needs: [details] simplifies dependencies. This is stylistic—no issues.

---

45-45: Pin actions/checkout in setup step.

Consistent use of pinned checkout across jobs.

---

59-59: Pin actions/upload-artifact to a commit SHA.

Ensures reproducible artifact uploads.

---

69-69: Pin actions/checkout in the release job.

Using the same checkout pin maintains stability.

---

73-73: Pin actions/download-artifact to a commit SHA.

Good for reproducibility.

---

81-83: Multi-line run step for gh release.

The step correctly constructs and runs the release command. Verify output formatting aligns with expectations.

.github/workflows/docker.yaml (16)

4-6: Restrict push events to main branch.

Limiting push to main may skip checks on feature branches. Confirm this is intentional.

---

9-11: Add manual and release triggers.

Including workflow_dispatch and release (published) provides additional build entrypoints.

---

16-18: Introduce concurrency controls.

Cancelling in-progress runs prevents redundant Docker builds.

---

20-21: Rename check_image to check_dockerfile.

The new name more accurately reflects its purpose.

---

25-27: Pin checkout and login actions.

Pinning actions/checkout and docker/login-action ensures consistent behavior.

---

33-33: Pin docker/build-push-action for build validation.

Using a specific SHA lock helps reproducibility.

---

38-38: Enforce check_dockerfile before build_image.

Correctly wires up the dependency.

---

44-46: Pin checkout and login in build job.

Consistent with the validation job.

---

52-52: Pin docker/setup-qemu-action for emulation.

Good practice for stability.

---

54-54: Pin docker/setup-buildx-action.

Ensures a reproducible build environment.

---

57-57: Pin docker/metadata-action for image metadata.

This guarantees consistent tagging.

---

64-64: Pin docker/build-push-action for image push.

Maintains reproducible image builds.

---

74-74: Pin actions/attest-build-provenance.

Capturing provenance with a specific version is ideal.

---

81-81: Add dependency for docker_scout job.

Ensures security scanning only after image build.

---

86-86: Define matrix commands for Docker Scout.

Specifying quickview, cves, and recommendations covers key scan types.

---

95-95: Pin docker/scout-action for security scanning.

Locking this action improves reproducibility.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mergify]

Thank you for your contribution @MH0386! Your pull request has been merged.

[MH0386]

Recommended fixes for image ghcr.io/alphaspheredotai/vocalizr:123-merge

Base image is python:3.12-slim

Name	3.12.11-slim-bookworm
Digest	sha256:85a16b09171c774647cf2c9f62027552de44a29386e8d09e76cc92a0bda66c22
Vulnerabilities
Pushed	2 weeks ago
Size	45 MB
Packages	151
Flavor	debian
OS	12
Runtime	3.12.11
Slim	✅

The base image is also available under the supported tag(s): 3.12-slim-bookworm, 3.12.11-slim, 3.12.11-slim-bookworm

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3.13-slim Minor runtime version update Also known as: 3.13.5-slim 3-slim 3.13.5-slim-bookworm 3.13-slim-bookworm 3-slim-bookworm slim slim-bookworm	Benefits: Same OS detected Minor runtime version update Image is smaller by 1.0 MB Image contains 12 fewer packages Tag was pushed more recently Image introduces no new vulnerability but removes 3 Tag is using slim variant Image details: Size: 44 MB Flavor: debian OS: 12 Runtime: 3.13.5 Slim: ✅	1 week ago
alpine Tag is preferred tag Also known as: alpine3.22 3.13.5-alpine 3.13.5-alpine3.22 3.13-alpine 3.13-alpine3.22 3-alpine 3-alpine3.22	Benefits: Minor runtime version update Image is smaller by 27 MB Image contains 112 fewer packages Tag is preferred tag Tag was pushed more recently Image introduces no new vulnerability but removes 31 alpine was pulled 41K times last month Image details: Size: 17 MB Flavor: alpine OS: 3.22 Runtime: 3.13.5	1 week ago

[MH0386]

🔍 Vulnerabilities of ghcr.io/alphaspheredotai/vocalizr:123-merge

📦 Image Reference ghcr.io/alphaspheredotai/vocalizr:123-merge

digest	sha256:9d6d4b38adcdf3277191bd8b42b6c69e02df1e658cece17810be508bb7fd1613
vulnerabilities
platform	linux/amd64
size	3.5 GB
packages	708

📦 Base Image python:3.12-slim

also known as	3.12-slim-bookworm 3.12.11-slim 3.12.11-slim-bookworm aa9d901120003423ec69acacf5d11e94f20ebc299b8a0a0e62bc0f76e48cb4b9
digest	sha256:85a16b09171c774647cf2c9f62027552de44a29386e8d09e76cc92a0bda66c22
vulnerabilities

libxml2 2.9.14+dfsg-1.3~deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdfsg-1.3~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.030% EPSS Percentile 7th percentile Description xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. [experimental] - libxml2 2.12.3+dfsg-0exp1 libxml2 2.12.7+dfsg+really2.9.14-0.4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094238) Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b (v2.11.0) UAF DOM\XMLDocument xinclude php/php-src#17467 Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.009% EPSS Percentile 1st percentile Description libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. libxml2 2.12.7+dfsg+really2.9.14-0.4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098321) https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 https://www.openwall.com/lists/oss-security/2025/02/18/2 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8 (v2.12.10) Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.008% EPSS Percentile 0th percentile Description libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. libxml2 2.12.7+dfsg+really2.9.14-0.4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098320) https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 https://www.openwall.com/lists/oss-security/2025/02/18/2 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5880a9a6bd97c0f9ac8fc4f30110fe023f484746 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/245b70d7d2768572ae1b05b3668ca858b9ec4ed4 (v2.12.10) Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.023% EPSS Percentile 5th percentile Description In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. libxml2 2.12.7+dfsg+really2.9.14-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103511) https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/487ee1d8711c6415218b373ef455fcd969d12399 (master) Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ac33b1c821b4e67326e8e416945b31c9537c7c0 (v2.14.2) Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 (v2.13.8) Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.069% EPSS Percentile 22nd percentile Description libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. libxml2 2.12.7+dfsg+really2.9.14-0.4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098322) https://gitlab.gnome.org/GNOME/libxml2/-/issues/861 https://www.openwall.com/lists/oss-security/2025/02/18/2 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c716d491dd2e67f08066f4dc0619efeb49e43e6 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/503f788e84f1c1f1d769c2c7258d77faee94b5a3 (v2.12.10) Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.013% EPSS Percentile 1st percentile Description A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107938) https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 Affected range >=2.9.14+dfsg-1.3~deb12u1 Fixed version Not Fixed EPSS Score 0.125% EPSS Percentile 33rd percentile Description An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. libxml2 2.12.7+dfsg+really2.9.14-0.4 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071162) https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145 (v2.11.8) Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce (v2.12.7) Crash in CLI tool, no security impact

icu 72.1-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=72.1-3 Fixed version Not Fixed EPSS Score 0.023% EPSS Percentile 4th percentile Description A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. icu 76.1-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106684) https://unicode-org.atlassian.net/browse/ICU-22957 Fixed by: unicode-org/icu@2c667e3 (release-77-rc)

gradio 5.33.0 (pypi) pkg:pypi/[email protected] # Dockerfile (41:41) COPY --from=builder --chown=app:app /app/.venv /app/.venv OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2023-11-06 Fixed version Not Fixed CVSS Score 8.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N EPSS Score 1.662% EPSS Percentile 81st percentile Description Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.

pam 1.5.2-6+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=1.5.2-6+deb12u1 Fixed version Not Fixed EPSS Score 0.020% EPSS Percentile 4th percentile Description A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. pam (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107919) https://www.openwall.com/lists/oss-security/2025/06/17/1 GHSA-f9p8-gjr4-j9gx Fixed by: linux-pam/linux-pam@475bd60 (v1.7.1) Fixed by: linux-pam/linux-pam@592d84e (v1.7.1) Fixed by: linux-pam/linux-pam@976c200 (v1.7.1)

urllib3 2.4.0 (pypi) pkg:pypi/[email protected] # Dockerfile (41:41) COPY --from=builder --chown=app:app /app/.venv /app/.venv URL Redirection to Untrusted Site ('Open Redirect') Affected range <2.5.0 Fixed version 2.5.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.009% EPSS Percentile 1st percentile Description urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects. However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. Affected usages Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime. Impact Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable. Remediation If you use urllib3 in Node.js, upgrade to a patched version of urllib3. Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects. URL Redirection to Untrusted Site ('Open Redirect') Affected range <2.5.0 Fixed version 2.5.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.010% EPSS Percentile 1st percentile Description urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows: resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False) print(resp.status) # 302 However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects: import urllib3 http = urllib3.PoolManager(retries=0) # should raise MaxRetryError on redirect http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0)) # equivalent to the above http = urllib3.PoolManager(retries=False) # should return the first response resp = http.request("GET", "https://httpbin.org/redirect/1") However, the retries parameter is currently ignored, which means all the above examples don't disable redirects. Affected usages Passing retries on PoolManager instantiation to disable redirects or restrict their number. By default, requests and botocore users are not affected. Impact Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. Remediation You can remediate this vulnerability with the following steps: Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [email protected] to discuss sponsorship or contribution opportunities. Disable redirects at the request() level instead of the PoolManager() level.

jpeg-xl 0.7.0-10 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=0.7.0-10 Fixed version Not Fixed EPSS Score 0.062% EPSS Percentile 20th percentile Description There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. if using JxlEncoderAddJPEGFrame on untrusted input) does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli which is released as part of the same project, the same vulnerability is present. However, the relevant buffer is part of a bigger structure, and the code makes no assumptions on the values that could be overwritten. The issue could however cause jpegli to read uninitialised memory, or addresses of functions. [experimental] - jpeg-xl 0.10.4-1 jpeg-xl 0.10.4-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088818) libjxl/libjxl@9cc451b Affected range >=0.7.0-10 Fixed version Not Fixed EPSS Score 0.303% EPSS Percentile 53rd percentile Description libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicous GIF file using cjxl, an attacker can trigger a denial of service. jpeg-xl (unimportant) Assertion failed in lib/jxl/image.cc jxl::PlaneBase::PlaneBase libjxl/libjxl#422 Special case of better handling of memory allocation failures libjxl/libjxl#762 Negligible security impact

requests 2.32.3 (pypi) pkg:pypi/[email protected] # Dockerfile (41:41) COPY --from=builder --chown=app:app /app/.venv /app/.venv Insufficiently Protected Credentials Affected range <2.32.4 Fixed version 2.32.4 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N EPSS Score 0.062% EPSS Percentile 20th percentile Description Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Workarounds For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs). References psf/requests#6965 https://seclists.org/fulldisclosure/2025/Jun/2

torch 2.7.1 (pypi) pkg:pypi/[email protected] # Dockerfile (41:41) COPY --from=builder --chown=app:app /app/.venv /app/.venv Improper Resource Shutdown or Release Affected range <=2.7.1 Fixed version Not Fixed CVSS Score 4.8 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N EPSS Score 0.023% EPSS Percentile 5th percentile Description A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue.

openjpeg2 2.5.0-2+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.313% EPSS Percentile 54th percentile Description Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash). openjpeg2 (unimportant) uclouvain/openjpeg@c277159 Debian binary packages built with BUILD_MJ2:BOOL=OFF Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.566% EPSS Percentile 67th percentile Description An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact. openjpeg2 (unimportant) Potential heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c  uclouvain/openjpeg#1127 We build with -DBUILD_MJ2:BOOL=OFF Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.437% EPSS Percentile 62nd percentile Description An issue was discovered in OpenJPEG 2.3.0. Missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c can lead to a heap-based buffer overflow. openjpeg2 (unimportant) Missing checks for header_info.height and header_info.width in function pnmtoimage in src/bin/jpwl/convert.c, which can lead to heap buffer overflow uclouvain/openjpeg#1126 We build with -DBUILD_JPWL:BOOL=OFF Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 6.320% EPSS Percentile 90th percentile Description In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the pgxtoimage function in jpwl/convert.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution. openjpeg2 (unimportant) Similar vulnerable functions related to CVE-2017-14041 uclouvain/openjpeg#1044 Debian packaging does not build JPWL, has BUILD_JPWL:BOOL=OFF Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.400% EPSS Percentile 60th percentile Description An infinite loop vulnerability in tiftoimage that results in heap buffer overflow in convert_32s_C1P1 was found in openjpeg 2.1.2. openjpeg2 (unimportant) Out-of-Bounds Write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153) uclouvain/openjpeg#872 Fixed by: szukw000/openjpeg@cadff5f not built into the binary packages Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.449% EPSS Percentile 63rd percentile Description An integer overflow vulnerability was found in tiftoimage function in openjpeg 2.1.2, resulting in heap buffer overflow. openjpeg2 (unimportant) Out-of-Bounds Write issue caused by integer overflow that can occur in function convert_8u32s_C1R()(openjpeg-2.1.2/src/bin/jp2/convert.c:368). uclouvain/openjpeg#871 Fixed by: szukw000/openjpeg@cadff5f not built into the binary packages Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.357% EPSS Percentile 57th percentile Description NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844556) NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 uclouvain/openjpeg#860 No code injection, function only exposed in the CLI tool Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.357% EPSS Percentile 57th percentile Description NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844555) NULL Pointer Access in function imagetopnm of convert.c:2226(jp2)  uclouvain/openjpeg#859 No code injection, function only exposed in the CLI tool Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.374% EPSS Percentile 58th percentile Description Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844554) Heap Buffer Overflow in function imagetotga of convert.c(jp2):942 uclouvain/openjpeg#858 No code injection, function only exposed in the CLI tool Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.607% EPSS Percentile 69th percentile Description There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service. openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844553) NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) uclouvain/openjpeg#857 No code injection, function only exposed in the CLI tool Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.448% EPSS Percentile 63rd percentile Description There is a NULL pointer dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service. openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844552) NULL point dereference in function imagetobmp of convertbmp.c uclouvain/openjpeg#856 No code injection, function only exposed in the CLI tool Affected range >=2.5.0-2+deb12u1 Fixed version Not Fixed EPSS Score 0.656% EPSS Percentile 70th percentile Description NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files. openjpeg2 (unimportant) [CVE-2016-10505] Null Pointer Access in function imagetopnm of convert.c uclouvain/openjpeg#776 [CVE-2016-10505] Null Pointer Access in function sycc444_to_rgb of color.c uclouvain/openjpeg#784 [CVE-2016-10505] Null Pointer Access in function color_esycc_to_rgb of color.c uclouvain/openjpeg#785 [CVE-2016-10505] Null Pointer Access in function sycc422_to_rgb of color.c uclouvain/openjpeg#792

tiff 4.5.0-6+deb12u2 (deb) pkg:deb/debian/[email protected]%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=4.5.0-6+deb12u1 Fixed version Not Fixed EPSS Score 0.043% EPSS Percentile 12th percentile Description REJECTED REJECTED Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.014% EPSS Percentile 2nd percentile Description An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash. tiff (unimportant) https://gitlab.com/libtiff/libtiff/-/issues/606 Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a Crash in CLI tool, no security impact Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.010% EPSS Percentile 1st percentile Description A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file. tiff (unimportant) https://gitlab.com/libtiff/libtiff/-/issues/542 Crash in CLI tool, no security impact Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.017% EPSS Percentile 2nd percentile Description A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. tiff (unimportant) https://gitlab.com/libtiff/libtiff/-/issues/536 https://gitlab.com/libtiff/libtiff/-/issues/537 Crash in CLI tool, no security impact Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.035% EPSS Percentile 9th percentile Description A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used. tiff (unimportant) [bullseye] - tiff (Minor issue) [buster] - tiff (Minor issue) https://gitlab.com/libtiff/libtiff/-/issues/402 Crash in CLI tool, no security impact Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.456% EPSS Percentile 63rd percentile Description ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c. tiff (unimportant) http://bugzilla.maptools.org/show_bug.cgi?id=2786 Crash in CLI tool, no security impact Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.097% EPSS Percentile 28th percentile Description In LibTIFF 4.0.6 and possibly other versions, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, as demonstrated by a heap-based buffer over-read in bmp2tiff. NOTE: mentioning bmp2tiff does not imply that the activation point is in the bmp2tiff.c file (which was removed before the 4.0.7 release). tiff (unimportant) tiff3 (Does not ship libtiff-tools) http://bugzilla.maptools.org/show_bug.cgi?id=2690 bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2 Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.457% EPSS Percentile 63rd percentile Description LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff. tiff (unimportant) http://bugzilla.maptools.org/show_bug.cgi?id=2664 bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2 Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 0.272% EPSS Percentile 50th percentile Description In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue tiff (unimportant) tiff3 (unimportant) http://bugzilla.maptools.org/show_bug.cgi?id=2769 Details on the issue are not confirmed by the reporter after several attempts and this does like a non-issue. More reprodicibly reports are from SUSE in https://bugzilla.suse.com/show_bug.cgi?id=1074318#c5 claiming this might be a duplicate of CVE-2017-9935. Unless the reporter provides more details on upstream report go and consider this as non-issue. Affected range >=4.5.0-6+deb12u2 Fixed version Not Fixed EPSS Score 1.738% EPSS Percentile 82nd percentile Description LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue tiff (unimportant) http://seclists.org/oss-sec/2017/q4/168 Related commit: https://gitlab.com/libtiff/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0 This is actually only a partial fix, but upstream will not fix it completely. The related commit is included in 4.0.9. The underlying memory-based DOS would still be present. Affected range >=4.5.0-6 Fixed version Not Fixed Description REJECTED REJECTED Affected range >=4.5.0-6 Fixed version Not Fixed Description REJECTED REJECTED

llvm-toolchain-15 1:15.0.6-4 (deb) pkg:deb/debian/llvm-toolchain-15@1%3A15.0.6-4?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.105% EPSS Percentile 30th percentile Description LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production." llvm-toolchain-14 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070384; unimportant) llvm-toolchain-15 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070383; unimportant) llvm-toolchain-16 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070382; unimportant) llvm-toolchain-17 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070381; unimportant) llvm-toolchain-18 1:18.1.3-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070380; unimportant) [Bug][Clang][ARM] Wrong assembly code generation, "LR" corrupted. llvm/llvm-project#80287 https://bugs.chromium.org/p/llvm/issues/detail?id=69 llvmbot/llvm-project@0e16af8 Negligible security impact Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.032% EPSS Percentile 7th percentile Description llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::Type::isa<mlir::LLVM::LLVMVoidType. llvm-toolchain-13 (unimportant) llvm-toolchain-14 (unimportant) llvm-toolchain-15 (unimportant) [mlir] Convert-spirv-to-llvm Pass trigger Segmentation fault in LLVMStructType verifier llvm/llvm-project#59990 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.024% EPSS Percentile 5th percentile Description llvm-project commit a0138390 was discovered to contain a segmentation fault via the component matchAndRewriteSortOpmlir::sparse_tensor::SortOp(mlir::sparse_tensor::SortOp. llvm-toolchain-13 (unimportant) llvm-toolchain-14 (unimportant) llvm-toolchain-15 (unimportant) [mlir] Sparse-buffer-rewrite pass crashes with Segmentation fault llvm/llvm-project#59988 llvm/llvm-project@9a29d87 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.020% EPSS Percentile 4th percentile Description llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr). llvm-toolchain-13 1:13.0.1-12 (unimportant) llvm-toolchain-14 1:14.0.6-13 (unimportant) llvm-toolchain-15 1:15.0.7-7 (unimportant) [mlir] spirv-lower-abi-attrs crashes with segmentation faults llvm/llvm-project#59983 llvm/llvm-project@466aa58 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.032% EPSS Percentile 8th percentile Description llvm-project commit a0138390 was discovered to contain an assertion failure at !replacements.count(op) && "operation was already replaced. llvm-toolchain-13 (unimportant) llvm-toolchain-14 (unimportant) llvm-toolchain-15 (unimportant) [mlir] gpu-to-llvm Pass crashed with error message "Assertion failed: (!replacements.count(op) && "operation was already replaced")" llvm/llvm-project#59182 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.020% EPSS Percentile 4th percentile Description llvm-project commit 6c01b5c was discovered to contain a segmentation fault via the component mlir::Type::getDialect(). llvm-toolchain-13 1:13.0.1-12 (unimportant) llvm-toolchain-14 1:14.0.6-13 (unimportant) llvm-toolchain-15 1:15.0.7-7 (unimportant) [mlir] convert-scf-to-spirv Pass crashed with segmentation fault llvm/llvm-project#59136 llvm/llvm-project@80d5400 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.020% EPSS Percentile 4th percentile Description llvm-project commit bd456297 was discovered to contain a segmentation fault via the component mlir::Block::getArgument. llvm-toolchain-13 (unimportant) llvm-toolchain-14 (unimportant) llvm-toolchain-15 1:15.0.7-7 (unimportant) [mlir] One shot bufferize crashed with segmentation fault. llvm/llvm-project#59442 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.020% EPSS Percentile 4th percentile Description llvm-project commit fdbc55a5 was discovered to contain a segmentation fault via the component mlir::IROperand<mlir::OpOperand. llvm-toolchain-13 1:13.0.1-12 (unimportant) llvm-toolchain-14 1:14.0.6-13 (unimportant) llvm-toolchain-15 1:15.0.7-7 (unimportant) [mlir] canonicalize pass crashed with segmentation fault llvm/llvm-project#58745 llvm/llvm-project@d35fcf0 Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue Affected range >=1:15.0.6-4 Fixed version Not Fixed EPSS Score 0.025% EPSS Percentile 5th percentile Description LLVM a0dab4950 has a segmentation fault in mlir::outlineSingleBlockRegion. NOTE: third parties dispute this because the LLVM security policy excludes "Language front-ends ... for which a malicious input file can cause undesirable behavior." llvm-toolchain-14 (unimportant) llvm-toolchain-15 (unimportant) Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

glibc 2.36-9+deb12u10 (deb) pkg:deb/debian/[email protected]%2Bdeb12u10?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.164% EPSS Percentile 38th percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern glibc (unimportant) eglibc (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=24269 Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.235% EPSS Percentile 46th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853 Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.375% EPSS Percentile 58th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.703% EPSS Percentile 71st percentile Description GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.145% EPSS Percentile 36th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 1.996% EPSS Percentile 83rd percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. glibc (unimportant) eglibc (unimportant) https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions Affected range >=2.36-9+deb12u10 Fixed version Not Fixed EPSS Score 0.373% EPSS Percentile 58th percentile Description The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. glibc (unimportant) eglibc (unimportant) That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves

elfutils 0.188-2.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.083% EPSS Percentile 25th percentile Description A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32673 https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.061% EPSS Percentile 20th percentile Description A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32672 https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918 Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.034% EPSS Percentile 9th percentile Description A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32656 https://sourceware.org/bugzilla/show_bug.cgi?id=32657 https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.034% EPSS Percentile 8th percentile Description A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32655 https://sourceware.org/git/?p=elfutils.git;a=commit;h=b38e562a4c907e08171c76b8b2def8464d5a104a Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.034% EPSS Percentile 9th percentile Description A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32654 https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81 Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.151% EPSS Percentile 37th percentile Description A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=32650 Fixed by: https://sourceware.org/git/?p=elfutils.git;a=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Crash in CLI tool, considered only to be a normal bug by upstream Affected range >=0.188-2.1 Fixed version Not Fixed EPSS Score 0.014% EPSS Percentile 2nd percentile Description elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c. elfutils (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=31058 https://sourceware.org/git/?p=elfutils.git;a=commit;h=373f5212677235fc3ca6068b887111554790f944 Crash in CLI tool, considered only to be a normal bug by upstream

mesa 22.3.6-1+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=22.3.6-1+deb12u1 Fixed version Not Fixed EPSS Score 0.187% EPSS Percentile 41st percentile Description Mesa 23.0.4 was discovered to contain a NULL pointer dereference in check_xshm() for the has_error state. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated. mesa (unimportant) https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859 Disputed and no reasonable security impact proven Affected range >=22.3.6-1+deb12u1 Fixed version Not Fixed EPSS Score 0.060% EPSS Percentile 19th percentile Description glx_pbuffer.c in Mesa 23.0.4 was discovered to contain a segmentation violation when calling __glXGetDrawableAttribute(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server. mesa (unimportant) https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857 Negligible security impact Affected range >=22.3.6-1+deb12u1 Fixed version Not Fixed EPSS Score 0.041% EPSS Percentile 12th percentile Description Mesa 23.0.4 was discovered to contain a buffer over-read in glXQueryServerString(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server. mesa (unimportant) https://gitlab.freedesktop.org/mesa/mesa/-/issues/9858 Negligible (and disputed) security impact Affected range >=22.3.6-1+deb12u1 Fixed version Not Fixed EPSS Score 0.017% EPSS Percentile 2nd percentile Description Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function dri2GetGlxDrawableFromXDrawableId(). This vulnerability is triggered when the X11 server sends an DRI2_BufferSwapComplete event unexpectedly when the application is using DRI3. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated. mesa (unimportant) https://gitlab.freedesktop.org/mesa/mesa/-/issues/9856 Negligible (and disputed) security impact

systemd 252.38-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=252.36-1~deb12u1 Fixed version Not Fixed EPSS Score 0.094% EPSS Percentile 28th percentile Description An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=252.36-1~deb12u1 Fixed version Not Fixed EPSS Score 0.100% EPSS Percentile 29th percentile Description An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=252.36-1~deb12u1 Fixed version Not Fixed EPSS Score 0.128% EPSS Percentile 33rd percentile Description An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=252.36-1~deb12u1 Fixed version Not Fixed EPSS Score 0.074% EPSS Percentile 23rd percentile Description systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) https://bugzilla.redhat.com/show_bug.cgi?id=859060 only relevant to systems running systemd along with selinux

mbedtls 2.28.3-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.28.3-1 Fixed version Not Fixed EPSS Score 0.017% EPSS Percentile 2nd percentile Description An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. mbedtls (unimportant) No code fix, not a documentation change https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/ Affected range >=2.28.3-1 Fixed version Not Fixed EPSS Score 0.309% EPSS Percentile 54th percentile Description Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow. mbedtls (unimportant) https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/ Vulnerability not present in default build and only present if compile-time configuration enables vulnerable cipher suites. Debian does not enable MBEDTLS_CIPHER_NULL_CIPHER and MBEDTLS_ARC4_C. Affected range >=2.28.3-1 Fixed version Not Fixed EPSS Score 0.104% EPSS Percentile 29th percentile Description ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_get_verify_result() that can result in ECDSA-signed certificates are accepted, when only RSA-signed ones should be.. This attack appear to be exploitable via Peers negotiate a TLS-ECDH-RSA-* ciphersuite. Any of the peers can then provide an ECDSA-signed certificate, when only an RSA-signed one should be accepted.. mbedtls (unimportant) polarssl (unimportant) TLS-ECDH-RSA-* Ciphersuites Allow ECDSA Signed Certificates Mbed-TLS/mbedtls#1561 No security impact

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/[email protected]%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed EPSS Score 0.081% EPSS Percentile 25th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed EPSS Score 0.152% EPSS Percentile 37th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed EPSS Score 0.463% EPSS Percentile 63rd percentile Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=1.10.1-3 Fixed version Not Fixed EPSS Score 0.228% EPSS Percentile 46th percentile Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed EPSS Score 1.266% EPSS Percentile 79th percentile Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

lcms2 2.14-2 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.14-2 Fixed version Not Fixed EPSS Score 0.145% EPSS Percentile 36th percentile Description A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation." lcms2 (unimportant) Heap Buffer Overflow in smooth2() in cmsgamma.c mm2/Little-CMS#475 Fixed by: mm2/Little-CMS@ec399d6 Negligible security impact, affected fuction never called on normal color managment Affected range >=2.14-2 Fixed version Not Fixed EPSS Score 0.055% EPSS Percentile 17th percentile Description A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations. mm2/Little-CMS#476 Not considered an issue in src:lcms2 but in the fuzzer

perl 5.36.0-7+deb12u2 (deb) pkg:deb/debian/[email protected]%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=5.36.0-7+deb12u2 Fixed version Not Fixed EPSS Score 0.785% EPSS Percentile 73rd percentile Description HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. libhttp-tiny-perl 0.088-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962407; unimportant) [experimental] - perl 5.38.0~rc2-1 perl 5.38.2-2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089) https://www.openwall.com/lists/oss-security/2023/04/18/14 verify_SSL being true by default (redux) chansen/p5-http-tiny#134 https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ https://hackeriet.github.io/cpan-http-tiny-overview/ Applications need to explicitly opt in to enable verification. Affected range >=5.36.0-7+deb12u2 Fixed version Not Fixed EPSS Score 0.815% EPSS Percentile 73rd percentile Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

coreutils 9.1-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=9.1-1 Fixed version Not Fixed EPSS Score 0.014% EPSS Percentile 2nd percentile Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed EPSS Score 0.057% EPSS Percentile 18th percentile Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=3.0.16-1~deb12u1 Fixed version Not Fixed EPSS Score 0.018% EPSS Percentile 3rd percentile Description OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system. openssl 3.5.0-1 (unimportant) Minerva attack on power PC architecture openssl/openssl#24253 openssl/openssl@85cabd9 (master) openssl/openssl@080c6be (openssl-3.5.0-beta1) Minerva attack on power PC architecture openssl/openssl#24253 (comment) Not considered a vulnerability by OpenSSL upstream Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed EPSS Score 0.098% EPSS Percentile 28th percentile Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

slang2 2.3.3-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.3.3-3 Fixed version Not Fixed EPSS Score 0.149% EPSS Percentile 37th percentile Description S-Lang 2.3.2 was discovered to contain a segmentation fault via the function fixup_tgetstr(). slang2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068144) http://lists.jedsoft.org/lists/slang-users/2023/0000002.html Negligible security impact Affected range >=2.3.3-3 Fixed version Not Fixed EPSS Score 0.195% EPSS Percentile 42nd percentile Description S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf(). slang2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068144) http://lists.jedsoft.org/lists/slang-users/2023/0000003.html Negligible security impact

expat 2.5.0-1+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.5.0-1+deb12u1 Fixed version Not Fixed EPSS Score 0.474% EPSS Percentile 64th percentile Description libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). expat 2.6.1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065868; unimportant) libxmltok [bookworm] - libxmltok (Minor issue, no runtime dependencies left) [CVE-2024-28757] Prevent billion laughs attacks in isolated external parser (part of #839) libexpat/libexpat#842 OSS-Fuzz/ClusterFuzz finding 66812 libexpat/libexpat#839 Fixed by: libexpat/libexpat@1d50b80 Tests: libexpat/libexpat@072eca0 Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat Cf. Billion laughs attack assessment for src:expat in CVE-2013-0340. Affected range >=2.5.0-1+deb12u1 Fixed version Not Fixed EPSS Score 0.019% EPSS Percentile 3rd percentile Description libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. expat 2.6.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063240; unimportant) libxmltok [bookworm] - libxmltok (Minor issue, no runtime dependencies left) [CVE-2023-52426] Fix issues for compilation with XML_DTD undefined libexpat/libexpat#777 libexpat/libexpat@0f075ec [CVE-2023-52426] Fix issues for compilation with XML_DTD undefined libexpat/libexpat#777 (comment) CVE is for fixing billion laughs attacks for users compiling without XML_DTD defined, which is not the case for Debian.

gnutls28 3.7.9-2+deb12u4 (deb) pkg:deb/debian/[email protected]%2Bdeb12u4?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=3.7.9-2+deb12u4 Fixed version Not Fixed EPSS Score 5.423% EPSS Percentile 90th percentile Description The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. sun-java6 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) openjdk-6 6b23~pre11-1 openjdk-7 7~b147-2.0-1 iceweasel (Vulnerable code not present) http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser lighttpd 1.4.30-1 strictly speaking this is no lighttpd issue, but lighttpd adds a workaround curl 7.24.0-1 http://curl.haxx.se/docs/adv_20120124B.html python2.6 2.6.8-0.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684511) [squeeze] - python2.6 (Minor issue) python2.7 2.7.3~rc1-1 python3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678998) [squeeze] - python3.1 (Minor issue) python3.2 3.2.3~rc1-1 http://bugs.python.org/issue13885 python3.1 is fixed starting 3.1.5 cyassl gnutls26 (unimportant) gnutls28 (unimportant) No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0 haskell-tls (unimportant) No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2 matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) matrixssl fix this upstream in 3.2.2 bouncycastle 1.49+dfsg-1 [squeeze] - bouncycastle (Minor issue) [wheezy] - bouncycastle (Minor issue) No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9 nss 3.13.1.with.ckbi.1.88-1 https://bugzilla.mozilla.org/show_bug.cgi?id=665814 https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab polarssl (unimportant) No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases tlslite [wheezy] - tlslite (Minor issue) pound 2.6-2 Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks. erlang 1:15.b-dfsg-1 [squeeze] - erlang (Minor issue) asterisk 1:13.7.2dfsg-1 [jessie] - asterisk 1:11.13.1dfsg-2+deb8u1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) http://downloads.digium.com/pub/security/AST-2016-001.html https://issues.asterisk.org/jira/browse/ASTERISK-24972 patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4 all versions vulnerable, backport required for wheezy

jbigkit 2.1-6.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.1-6.1 Fixed version Not Fixed EPSS Score 0.271% EPSS Percentile 50th percentile Description In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack. jbigkit (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869708) http://bugzilla.maptools.org/show_bug.cgi?id=2707 The CVE was assigned for src:tiff by MITRE, but the issue actually lies in jbigkit itself.

libtheora 1.1.1+dfsg.1-16.1 (deb) pkg:deb/debian/[email protected]%2Bdfsg.1-16.1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1.1.1+dfsg.1-16.1 Fixed version Not Fixed EPSS Score 7.751% EPSS Percentile 91st percentile Description oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash. libtheora 1.2.0~alpha1+dfsg-6 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091633) https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC GHSA-8xp8-gmmj-xc8w undefined shifts xiph/theora#18 https://gitlab.xiph.org/xiph/theora/-/merge_requests/28 Fixed by: https://gitlab.xiph.org/xiph/theora/-/commit/5665f86b8fd8345bb09469990e79221562ac204b (v1.2.0beta1) No security impact

gcc-12 12.2.0-14+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=12.2.0-14+deb12u1 Fixed version Not Fixed EPSS Score 0.044% EPSS Percentile 13th percentile Description libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. gcc-12 (unimportant) Negligible security impact https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039

libpng1.6 1.6.39-2 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1.6.39-2 Fixed version Not Fixed EPSS Score 0.043% EPSS Percentile 13th percentile Description A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service. libpng1.6 (unimportant) A potential heap overflow issue pnggroup/libpng#302 Crash in CLI package, not shipped in binary packages

x264 2:0.164.3095+gitbaee400-3 (deb) pkg:deb/debian/x264@2%3A0.164.3095%2Bgitbaee400-3?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2:0.164.3095+gitbaee400-3 Fixed version Not Fixed EPSS Score 0.166% EPSS Percentile 39th percentile Description Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file. x264 (unimportant) Negligible security impact, usually only used for short-lived processes https://code.videolan.org/videolan/x264/-/issues/75

shadow 1:4.13+dfsg1-1+deb12u1 (deb) pkg:deb/debian/shadow@1%3A4.13%2Bdfsg1-1%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=1:4.13+dfsg1-1+deb12u1 Fixed version Not Fixed EPSS Score 0.245% EPSS Percentile 48th percentile Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

libglvnd 1.6.0-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1.6.0-1 Fixed version Not Fixed EPSS Score 0.090% EPSS Percentile 27th percentile Description libglxproto.c in OpenGL libglvnd bb06db5a was discovered to contain a segmentation violation via the function glXGetDrawableScreen(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server. libglvnd (unimportant) https://gitlab.freedesktop.org/glvnd/libglvnd/-/issues/242 Negligible security impact

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/[email protected]%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed EPSS Score 0.025% EPSS Percentile 5th percentile Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/[email protected]/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

glib2.0 2.74.6-2+deb12u6 (deb) pkg:deb/debian/[email protected]%2Bdeb12u6?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=2.74.6-2+deb12u6 Fixed version Not Fixed EPSS Score 0.489% EPSS Percentile 64th percentile Description GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application. glib2.0 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044)

cairo 1.16.0-7 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1.16.0-7 Fixed version Not Fixed EPSS Score 0.196% EPSS Percentile 42nd percentile Description cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function). cairo (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916083) https://gitlab.freedesktop.org/cairo/cairo/issues/341 Negligible security impact

apt 2.6.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=2.6.1 Fixed version Not Fixed EPSS Score 1.509% EPSS Percentile 80th percentile Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

sqlite3 3.40.1-2+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=3.40.1-2+deb12u1 Fixed version Not Fixed EPSS Score 0.172% EPSS Percentile 39th percentile Description A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect. sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974) sqlite (unimportant) https://github.com/guyinatuxedo/sqlite3_record_leaking https://bugzilla.redhat.com/show_bug.cgi?id=2054793 https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e Negligible security impact

libcaca 0.99.beta20-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=0.99.beta20-3 Fixed version Not Fixed EPSS Score 3.206% EPSS Percentile 86th percentile Description libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service libcaca (unimportant) [BUG] Divide by zero in img2txt cacalabs/libcaca#65 Crash in CLI tool, no security impact

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=2.2.40-1.1 Fixed version Not Fixed EPSS Score 0.012% EPSS Percentile 1st percentile Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (24:24) FROM python:3.12-slim AS production Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed EPSS Score 2.806% EPSS Percentile 85th percentile Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

libvpx 1.12.0-1+deb12u4 (deb) pkg:deb/debian/[email protected]%2Bdeb12u4?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=1.12.0-1+deb12u3 Fixed version Not Fixed EPSS Score 2.719% EPSS Percentile 85th percentile Description A remote denial of service vulnerability in libvpx in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34360591. libvpx (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871931) https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb Debian builds configures with --size-limit=16384x16384, Android lowered the limit to something more aligned for smart phones

pixman 0.42.2-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 # Dockerfile (32:37) RUN groupadd app && \ useradd -m -g app -s /bin/bash app && \ apt-get update -qq && \ apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \ apt-get clean -qq && \ rm -rf /var/lib/apt/lists/* Affected range >=0.42.2-1 Fixed version Not Fixed EPSS Score 0.029% EPSS Percentile 7th percentile Description stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c. pixman (unimportant) https://gitlab.freedesktop.org/pixman/pixman/-/issues/76 Crash in test tool, no security impact

[MH0386]

Your image	ghcr.io/alphaspheredotai/vocalizr:123-merge
Current base image	python:3.12-slim
Updated base image	python:3.13-slim