From 854c0dc83c6a6afe3e16f474446f73ee9b9d1118 Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Thu, 12 Mar 2026 09:01:27 -0700
Subject: [PATCH 1/4] chore: upgrade Python to 3.13, openclaw to 2026.3.11, and fix transitive tar vulnerabilities

- base: replace Ubuntu Noble's Python 3.12 with Python 3.13 from deadsnakes PPA
- openclaw: pin openclaw@2026.3.11 to fix GHSA-5wcw-8jjv-m286 (WebSocket hijacking)
- nemoclaw: force-upgrade nested tar copies to 7.5.11 (GHSA-qffp-2rhf-9h96 et al.)
---
 sandboxes/base/Dockerfile | 14 ++++++++++----
 sandboxes/nemoclaw/Dockerfile | 9 +++++++++
 sandboxes/openclaw/Dockerfile | 5 +++--
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
index 78b51e7..51f33f4 100644
--- a/sandboxes/base/Dockerfile
+++ b/sandboxes/base/Dockerfile
@@ -20,7 +20,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
 WORKDIR /sandbox
 
 # Core system dependencies
-# python3 + pip: agent scripting and SDK usage
+# python3.13 + pip: agent scripting and SDK usage (deadsnakes PPA for Noble)
 # iproute2: network namespace management (ip netns, veth pairs)
 # dnsutils: dig, nslookup
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -31,10 +31,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 iputils-ping \
 net-tools \
 netcat-openbsd \
- python3 \
- python3-pip \
- python3-venv \
+ software-properties-common \
 traceroute \
+ && add-apt-repository -y ppa:deadsnakes/ppa \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+ python3.13 \
+ python3.13-venv \
+ && curl -sS https://bootstrap.pypa.io/get-pip.py | python3.13 \
+ && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 1 \
+ && update-alternatives --install /usr/bin/python python /usr/bin/python3.13 1 \
 && rm -rf /var/lib/apt/lists/*
 
 # Create supervisor and sandbox users/groups
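Review bot: The added `curl -sS https://bootstrap.pypa.io/get-pip.py | python3.13` in the second base/Dockerfile hunk pipes an unpinned, unverified download straight into an interpreter during the build, and without `-f` or pipefail (no SHELL override is visible here) a failed or truncated fetch is not caught by curl's exit status. Download to a file with `curl -fsSL`, verify it against a recorded SHA-256, then run it, as sketched below; the digest is a placeholder and has to be refreshed whenever the accepted script changes. Separately, `software-properties-common` is only needed for `add-apt-repository` but stays in the image every sandbox inherits, and a comment recording why the deadsnakes PPA is trusted would help later reviews. The RUN instruction starts above this hunk.

```dockerfile
    # … unchanged: apt packages, deadsnakes PPA, python3.13 install …
    && curl -fsSL -o /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py \
    && echo "<GET_PIP_SHA256>  /tmp/get-pip.py" | sha256sum -c - \
    && python3.13 /tmp/get-pip.py \
    && rm -f /tmp/get-pip.py \
    # … unchanged: update-alternatives, apt list cleanup …
```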
diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index 5b91c7d..3414649 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
@@ -56,4 +56,13 @@ RUN set -e; \
 npm uninstall -g esbuild; \
 rm -rf /opt/nemoclaw-devx/node_modules
 
+# Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
+# GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+# GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
+# The base image pins tar@7.5.11 globally, but openclaw and npm ship older
+# nested copies; force-upgrade all of them.
+RUN npm install -g tar@7.5.11 && \
+ npm --prefix "$(npm root -g)/openclaw" update tar && \
+ npm --prefix "$(npm root -g)/npm" update tar
+
 ENTRYPOINT ["/bin/bash"]
diff --git a/sandboxes/openclaw/Dockerfile b/sandboxes/openclaw/Dockerfile
index 36e53a0..b118ccf 100644
--- a/sandboxes/openclaw/Dockerfile
+++ b/sandboxes/openclaw/Dockerfile
@@ -14,8 +14,9 @@ FROM ${BASE_IMAGE}
 
 USER root
 
-# Install OpenClaw CLI
-RUN npm install -g openclaw
+# Install OpenClaw CLI (pinned to fix GHSA-rchv-x836-w7xp, GHSA-6mgf-v5j7-45cr,
+# GHSA-5wcw-8jjv-m286)
+RUN npm install -g openclaw@2026.3.11
 
 # Copy sandbox policy
 COPY policy.yaml /etc/navigator/policy.yaml

From 2078368eed6bafd6fca43a018ced5b5452822e54 Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Thu, 12 Mar 2026 09:43:53 -0700
Subject: [PATCH 2/4] fix: pin @hono/node-server@1.19.11 to fix authorization bypass (GHSA-wc8c-qw6v-h7f6)

---
 sandboxes/nemoclaw/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index 3414649..271875f 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
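Review bot: In the nemoclaw hunk of PATCH 1/4, `npm install -g tar@7.5.11` adds a separate top-level copy to the global tree, and since Node resolves a package's dependencies from its own `node_modules` first, this most likely leaves the nested copies that openclaw actually loads untouched. The following `npm --prefix … update tar` only moves within the semver ranges the dependents declare, so it is not guaranteed to reach 7.5.11 either, and nothing in the build verifies the outcome. I would list the resolved copies with `npm ls -g --all tar` and fail the build if any is below the fixed version, and reword the comment from "force-upgrade" to something like `# Best-effort: bump nested tar copies; the check below enforces >= 7.5.11`. The same pattern recurs in `RUN npm install -g @hono/node-server@1.19.11` (PATCH 2/4) and in the base-image `RUN npm install -g tar@7.5.11` (PATCH 3/4), where a global install of a library does not by itself change what dependents resolve.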
@@ -27,6 +27,9 @@ COPY policy-proxy.js /usr/local/lib/policy-proxy.js
 COPY proto/ /usr/local/lib/nemoclaw-proto/
 RUN npm install -g @grpc/grpc-js @grpc/proto-loader js-yaml
 
+# Fix @hono/node-server authorization bypass (GHSA-wc8c-qw6v-h7f6)
+RUN npm install -g @hono/node-server@1.19.11
+
 # Allow the sandbox user to read the default policy (the startup script
 # copies it to a writable location; this chown covers non-Landlock envs)
 RUN chown -R sandbox:sandbox /etc/navigator

From f96f3fea6836f7d58f1c553d1ecd5d0353dc314c Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Thu, 12 Mar 2026 09:55:50 -0700
Subject: [PATCH 3/4] chore: add openssh-sftp-server, procps, and tar@7.5.11 to base image

Incorporates changes from PR #22:
- openssh-sftp-server and procps are required for VS Code / Cursor remote SSH connections (SFTP file transfer, process inspection)
- tar@7.5.11 in the base image fixes 6 CVEs at the earliest layer
---
 sandboxes/base/Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
index 51f33f4..a555500 100644
--- a/sandboxes/base/Dockerfile
+++ b/sandboxes/base/Dockerfile
@@ -31,6 +31,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 iputils-ping \
 net-tools \
 netcat-openbsd \
+ openssh-sftp-server \
+ procps \
 software-properties-common \
 traceroute \
 && add-apt-repository -y ppa:deadsnakes/ppa \
@@ -60,6 +62,11 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
 nano \
 && rm -rf /var/lib/apt/lists/*
 
+# Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
+# GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+# GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
+RUN npm install -g tar@7.5.11
+
 # GitHub CLI
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \

From 68eeee01f49d6463dae356d7d37a5d3a01139dad Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Thu, 12 Mar 2026 10:19:32 -0700
Subject: [PATCH 4/4] fix: drop npm internal tar update that fails on missing @npmcli/docs

npm's bundled node_modules cannot be safely updated via --prefix; the update resolves @npmcli/docs@^1.0.0 which does not exist on the registry. The global tar@7.5.11 install and the openclaw-scoped update are sufficient.
---
 sandboxes/nemoclaw/Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index 271875f..32de94e 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
@@ -62,10 +62,10 @@ RUN set -e; \
 # Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
 # GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
 # GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
-# The base image pins tar@7.5.11 globally, but openclaw and npm ship older
-# nested copies; force-upgrade all of them.
+# The base image pins tar@7.5.11 globally, but openclaw ships older nested
+# copies; force-upgrade them. (npm's own bundled tar is not updatable via
+# --prefix without pulling missing internal deps like @npmcli/docs.)
 RUN npm install -g tar@7.5.11 && \
- npm --prefix "$(npm root -g)/openclaw" update tar && \
- npm --prefix "$(npm root -g)/npm" update tar
+ npm --prefix "$(npm root -g)/openclaw" update tar
 
 ENTRYPOINT ["/bin/bash"]
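Review bot: After this change npm's own bundled tar stays at whatever version the installed Node distribution shipped, and that is the copy npm uses when it unpacks packages, so the advisories listed in the comment presumably remain open on that path if the bundled version is in the affected range. The commit message calls the two remaining steps sufficient, but nothing in the hunk supports that. Upgrading npm itself to a release that bundles a fixed tar, `npm install -g npm@<FIXED_NPM_VERSION>` (placeholder), is the supported way to replace the bundled copy. If that is deferred, the new comment should record it as an accepted residual, for example `# NOTE: npm's bundled tar is left as shipped; residual risk until npm is upgraded.`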