The Wayback Machine - https://web.archive.org/web/20251014204017/https://github.com/docker/docker-ce-packaging/pull/904
Skip to content

[master] update go to go1.20.5 #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 21, 2023
Merged

[master] update go to go1.20.5 #904

merged 1 commit into from
Jun 21, 2023

Conversation

thaJeztah
Copy link
Member

go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: golang/go@go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

  • cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

    This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

  • runtime: unexpected behavior of setuid/setgid binaries

    The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers.

    Thanks to Vincent Dehors from Synacktiv for reporting this issue.

    This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

  • cmd/go: improper sanitization of LDFLAGS

    The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

@thaJeztah
update go to go1.20.5
ec6799b 
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: golang/go@go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Copy link
Member Author

Ah, looks like Alpine versions need to be updated;

Dockerfile:13
--------------------
  11 |     FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
  12 |     
  13 | >>> FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
  14 |     COPY --from=xx / /
  15 |     RUN apk add --no-cache bash clang lld llvm file git
--------------------
ERROR: failed to solve: golang:1.20.5-alpine3.16: docker.io/library/golang:1.20.5-alpine3.16: not found

@thaJeztah
Copy link
Member Author

thaJeztah commented Jun 20, 2023
edited
Loading

Doh! And that's not in this repository, looks like that's compose docker/cli;

+ git -C src/github.com/docker/compose fetch --update-head-ok --depth 1 origin refs/tags/v2.18.1:refs/tags/v2.18.1
From https://github.com/docker/compose
 * [new tag]         v2.18.1    -> v2.18.1
+ git -C src/github.com/docker/compose checkout -q refs/tags/v2.18.1
for p in cross-mac; do \
	make -C static VERSION=0.0.1-dev GO_VERSION=1.20.5 TARGETPLATFORM= CONTAINERD_VERSION= RUNC_VERSION= ${p}; \
done
make[1]: Entering directory '/home/ubuntu/workspace/docker-ce-packaging_PR-904/static'
docker buildx inspect | grep -q 'Driver: docker-container' || docker buildx create --use
charming_lumiere
cd /home/ubuntu/workspace/docker-ce-packaging_PR-904/src/github.com/docker/cli && VERSION=0.0.0-20230612193737-7d723e2 docker buildx bake --set binary.platform=darwin/amd64,darwin/arm64 binary
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1
#1 pulling image moby/buildkit:buildx-stable-1 1.8s done
#1 creating container buildx_buildkit_charming_lumiere0
#1 creating container buildx_buildkit_charming_lumiere0 1.1s done
#1 DONE 3.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile:
#2 transferring dockerfile: 5.48kB done
#2 DONE 0.0s

#3 [internal] load .dockerignore
#3 transferring context: 263B done
#3 DONE 0.1s

#4 [auth] docker/dockerfile:pull token for registry-1.docker.io
#4 DONE 0.0s

#5 resolve image config for docker.io/docker/dockerfile:1
#5 DONE 0.6s

#6 docker-image://docker.io/docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14
#6 resolve docker.io/docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14 0.0s done
#6 sha256:a47ff7046597eea0123ea02817165350e3680f75000dc5d69c9a310258e1bedd 0B / 11.55MB 0.2s
#6 sha256:a47ff7046597eea0123ea02817165350e3680f75000dc5d69c9a310258e1bedd 11.55MB / 11.55MB 0.3s done
#6 extracting sha256:a47ff7046597eea0123ea02817165350e3680f75000dc5d69c9a310258e1bedd
#6 extracting sha256:a47ff7046597eea0123ea02817165350e3680f75000dc5d69c9a310258e1bedd 0.1s done
#6 DONE 0.5s

#7 [auth] tonistiigi/xx:pull token for registry-1.docker.io
#7 DONE 0.0s

#8 [auth] dockercore/golang-cross:pull token for registry-1.docker.io
#8 DONE 0.0s

#9 [auth] library/golang:pull token for registry-1.docker.io
#9 DONE 0.0s

#10 [linux/amd64 internal] load metadata for docker.io/library/golang:1.20.5-alpine3.16
#10 ERROR: docker.io/library/golang:1.20.5-alpine3.16: not found

#11 [linux/amd64 internal] load metadata for docker.io/tonistiigi/xx:1.1.1
#11 CANCELED

#12 [darwin/arm64 internal] load metadata for docker.io/dockercore/golang-cross:xx-sdk-extras
#12 CANCELED

#13 [darwin/amd64 internal] load metadata for docker.io/dockercore/golang-cross:xx-sdk-extras
#13 CANCELED
------
 > [linux/amd64 internal] load metadata for docker.io/library/golang:1.20.5-alpine3.16:
------
Dockerfile:13
--------------------
  11 |     FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
  12 |     
  13 | >>> FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
  14 |     COPY --from=xx / /
  15 |     RUN apk add --no-cache bash clang lld llvm file git
--------------------
ERROR: failed to solve: golang:1.20.5-alpine3.16: docker.io/library/golang:1.20.5-alpine3.16: not found
make[1]: *** [Makefile:74: cross-mac] Error 1
make[1]: Leaving directory '/home/ubuntu/workspace/docker-ce-packaging_PR-904/static'
make: *** [Makefile:88: static] Error 2
script returned exit code 2

@thaJeztah thaJeztah merged commit c6f5066 into docker:master Jun 21, 2023
@thaJeztah thaJeztah deleted the update_go_1.20.5 branch June 21, 2023 13:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@laurazard laurazard laurazard approved these changes

@sam-thibault sam-thibault sam-thibault approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thaJeztah @laurazard @sam-thibault