From 21220045259f810e05d50185e4d90dfe89e44054 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 Nov 2023 19:10:43 +0100 Subject: [PATCH 1/2] update to go1.21.4, go1.20.11 go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4 from the security mailing: [security] Go 1.21.4 and Go 1.20.11 are released Hello gophers, We have just released Go versions 1.21.4 and 1.20.11, minor point releases. These minor releases include 2 security fixes following the security policy: - path/filepath: recognize `\??\` as a Root Local Device path prefix. On Windows, a path beginning with `\??\` is a Root Local Device path equivalent to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to access arbitrary locations on the system. For example, the path `\??\c:\x` is equivalent to the more common path c:\x. The filepath package did not recognize paths with a `\??\` prefix as special. Clean could convert a rooted path such as `\a\..\??\b` into the root local device path `\??\b`. It will now convert this path into `.\??\b`. `IsAbs` did not report paths beginning with `\??\` as absolute. It now does so. VolumeName now reports the `\??\` prefix as a volume name. `Join(`\`, `??`, `b`)` could convert a seemingly innocent sequence of path elements into the root local device path `\??\b`. It will now convert this to `\.\??\b`. This is CVE-2023-45283 and https://go.dev/issue/63713. - path/filepath: recognize device names with trailing spaces and superscripts The `IsLocal` function did not correctly detect reserved names in some cases: - reserved names followed by spaces, such as "COM1 ". - "COM" or "LPT" followed by a superscript 1, 2, or 3. `IsLocal` now correctly reports these names as non-local. This is CVE-2023-45284 and https://go.dev/issue/63713. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- script/setup/prepare_env_windows.ps1 | 2 +- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index 91351262f..d95af1de5 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.3" + go-version: "1.21.4" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 276c182ca..e77cde019 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: env: # Go version we currently use to build containerd across all CI. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. - GO_VERSION: "1.21.3" + GO_VERSION: "1.21.4" permissions: # added using https://github.com/step-security/secure-workflows contents: read @@ -209,7 +209,7 @@ jobs: strategy: matrix: os: [ubuntu-22.04, macos-12, windows-2019, windows-2022] - go-version: ["1.20.10", "1.21.3"] + go-version: ["1.20.11", "1.21.4"] steps: - uses: actions/setup-go@v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6d1c69d20..fa04ef5fa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/setup-go@v3 with: - go-version: 1.21.3 + go-version: 1.21.4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 461e8d81b..633a2001c 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.3" + go-version: "1.21.4" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 739124e9e..93d34136b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: - ".github/workflows/nightly.yml" env: - GO_VERSION: "1.21.3" + GO_VERSION: "1.21.4" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 64570af85..7eb3c9c88 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ on: name: Release env: - GO_VERSION: "1.21.3" + GO_VERSION: "1.21.4" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/Vagrantfile b/Vagrantfile index 0f68b278c..e7b0546df 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -104,7 +104,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.21.3", + 'GO_VERSION': ENV['GO_VERSION'] || "1.21.4", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 2059e3219..58a3cf328 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -29,7 +29,7 @@ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.21.3 +ARG GOLANG_VERSION=1.21.4 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index cffa1f193..af2d09843 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh @@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.21.3.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.21.4.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.21.3.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.21.4.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index 597f7a3a6..f14cd01eb 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.3"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.4"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip' From 734219a21aae2cb1882b5650d6e5d2f2d7f79725 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 5 Dec 2023 23:34:44 +0100 Subject: [PATCH 2/2] update to go1.21.5, go1.20.12 go1.21.5 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rand, net, os, and syscall packages. See the Go 1.21.5 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.4...go1.21.5 from the security mailing: [security] Go 1.21.5 and Go 1.20.12 are released Hello gophers, We have just released Go versions 1.21.5 and 1.20.12, minor point releases. These minor releases include 3 security fixes following the security policy: - net/http: limit chunked data overhead A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-39326 and Go issue https://go.dev/issue/64433. - cmd/go: go get may unexpectedly fallback to insecure git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). Thanks to David Leadbeater for reporting this issue. This is CVE-2023-45285 and Go issue https://go.dev/issue/63845. - path/filepath: retain trailing \ when cleaning paths like \\?\c:\ Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored. This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- script/setup/prepare_env_windows.ps1 | 2 +- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index d95af1de5..e90c1f68e 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.4" + go-version: "1.21.5" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e77cde019..982975b37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: env: # Go version we currently use to build containerd across all CI. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. - GO_VERSION: "1.21.4" + GO_VERSION: "1.21.5" permissions: # added using https://github.com/step-security/secure-workflows contents: read @@ -209,7 +209,7 @@ jobs: strategy: matrix: os: [ubuntu-22.04, macos-12, windows-2019, windows-2022] - go-version: ["1.20.11", "1.21.4"] + go-version: ["1.20.12", "1.21.5"] steps: - uses: actions/setup-go@v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fa04ef5fa..3e95fccf1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/setup-go@v3 with: - go-version: 1.21.4 + go-version: 1.21.5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 633a2001c..6c4893713 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.4" + go-version: "1.21.5" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 93d34136b..4b1a0f088 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: - ".github/workflows/nightly.yml" env: - GO_VERSION: "1.21.4" + GO_VERSION: "1.21.5" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7eb3c9c88..998aa7d13 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ on: name: Release env: - GO_VERSION: "1.21.4" + GO_VERSION: "1.21.5" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/Vagrantfile b/Vagrantfile index e7b0546df..09b97b512 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -104,7 +104,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.21.4", + 'GO_VERSION': ENV['GO_VERSION'] || "1.21.5", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 58a3cf328..3bcb2b6d4 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -29,7 +29,7 @@ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.21.4 +ARG GOLANG_VERSION=1.21.5 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index af2d09843..7888b6c6f 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh @@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.21.4.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.21.5.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.21.4.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.21.5.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index f14cd01eb..45b448351 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.4"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.5"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'