From e9f63f64f55c07e71bf96f305219bcee2cdd6289 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Tue, 20 Jun 2023 23:59:18 +0200
Subject: [PATCH] update go to go1.20.5, go1.19.10

go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/build-test-images.yml | 2 +-
 .github/workflows/ci.yml                | 4 ++--
 .github/workflows/codeql.yml            | 2 +-
 .github/workflows/images.yml            | 2 +-
 .github/workflows/nightly.yml           | 2 +-
 .github/workflows/release.yml           | 2 +-
 Vagrantfile                             | 2 +-
 contrib/Dockerfile.test                 | 2 +-
 script/setup/prepare_env_windows.ps1    | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml
index ae682421a..0b12aa9e4 100644
--- a/.github/workflows/build-test-images.yml
+++ b/.github/workflows/build-test-images.yml
@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20.4"
+          go-version: "1.20.5"
 
       - uses: actions/checkout@v3
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 782b323de..f8d928c6f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
 env:
   # Go version we currently use to build containerd across all CI.
   # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
-  GO_VERSION: "1.20.4"
+  GO_VERSION: "1.20.5"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -209,7 +209,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, macos-12, windows-2019, windows-2022]
-        go-version: ["1.20.4", "1.19.9"]
+        go-version: ["1.20.5", "1.19.10"]
     steps:
       - uses: actions/setup-go@v4
         with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4c087cb55..b840c3de3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,7 +34,7 @@ jobs:
 
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.20.4
+          go-version: 1.20.5
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 40d49cd55..fa337e81c 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20.4"
+          go-version: "1.20.5"
 
       - uses: actions/checkout@v3
         with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 1bf2c1520..8f34094bc 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,7 +7,7 @@ on:
       - ".github/workflows/nightly.yml"
 
 env:
-  GO_VERSION: "1.20.4"
+  GO_VERSION: "1.20.5"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ebc52a28a..366ee99a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ on:
 name: Release
 
 env:
-  GO_VERSION: "1.20.4"
+  GO_VERSION: "1.20.5"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
diff --git a/Vagrantfile b/Vagrantfile
index 0beef5933..032ec9074 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -101,7 +101,7 @@ EOF
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.20.4",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.20.5",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
index 5df0fb8cd..c097db7a3 100644
--- a/contrib/Dockerfile.test
+++ b/contrib/Dockerfile.test
@@ -29,7 +29,7 @@
 #   docker run --privileged containerd-test
 # ------------------------------------------------------------------------------
 
-ARG GOLANG_VERSION=1.20.4
+ARG GOLANG_VERSION=1.20.5
 ARG GOLANG_IMAGE=golang
 
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang
diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1
index 7cfc13b49..46b7e5511 100644
--- a/script/setup/prepare_env_windows.ps1
+++ b/script/setup/prepare_env_windows.ps1
@@ -5,7 +5,7 @@
 # lived test environment.
 Set-MpPreference -DisableRealtimeMonitoring:$true
 
-$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.20.4"; make = ""; nssm = "" }
+$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.20.5"; make = ""; nssm = "" }
 
 Write-Host "Downloading chocolatey package"
 curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'