From 0211f9e44dba888fa62dc2ba59ea573ad70e9708 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 5 Nov 2022 17:55:06 +0100 Subject: [PATCH] [20.10] update to Go 1.18.8 to address CVE-2022-41716 On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads. Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9472c512a6..253114ad15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.18.7 +ARG GO_VERSION=1.18.8 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index f92bec85b0..5eb6a00eb6 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.7 +ARG GO_VERSION=1.18.8 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 8aa6d7ff94..fc87f0fc11 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.18.7 +ARG GO_VERSION=1.18.8 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index 6f8242decc..96183ade19 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.18.7 +ARG GO_VERSION=1.18.8 ARG GOTESTSUM_VERSION=v1.7.0 # Environment variable notes: