github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
03b9ce56b5
containerd/contrib/fuzz/oss_fuzz_build.sh
Sebastiaan van Stijn eaf6071019
update to go1.21.1, go1.20.8 
go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go,
crypto/tls, and html/template packages, as well as bug fixes to the compiler,
the go command, the linker, the runtime, and the context, crypto/tls,
encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages.
See the Go 1.21.1 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.1+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.0...go1.21.1

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HMTL-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-09 01:02:43 +02:00

105 lines
3.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Copyright The containerd Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o nounset
set -o pipefail
set -o errexit
set -x
IFS=$'\n'
compile_fuzzers() {
local regex=$1
local compile_fuzzer=$2
local blocklist=$3
for line in $(git grep --full-name "$regex" | grep -v -E "$blocklist"); do
if [[ "$line" =~ (.*)/.*:.*(Fuzz[A-Za-z0-9]+) ]]; then
local pkg=${BASH_REMATCH[1]}
local func=${BASH_REMATCH[2]}
"$compile_fuzzer" "github.com/containerd/containerd/$pkg" "$func" "fuzz_$func"
else
echo "failed to parse: $line"
exit 1
fi
done
}
# This is from https://github.com/AdamKorcz/instrumentation
cd $SRC/instrumentation
go run main.go $SRC/containerd/images
apt-get update && apt-get install -y wget
cd $SRC
wget --quiet https://go.dev/dl/go1.21.1.linux-amd64.tar.gz
mkdir temp-go
rm -rf /root/.go/*
tar -C temp-go/ -xzf go1.21.1.linux-amd64.tar.gz
mv temp-go/go/* /root/.go/
cd $SRC/containerd
go mod tidy
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
rm -r vendor
# Add temporary CXXFLAGS
OLDCXXFLAGS=$CXXFLAGS
export CXXFLAGS="$CXXFLAGS -lresolv"
# Change path of socket since OSS-fuzz does not grant access to /run
sed -i 's/\/run\/containerd/\/tmp\/containerd/g' $SRC/containerd/defaults/defaults_unix.go
compile_fuzzers '^func Fuzz.*testing\.F' compile_native_go_fuzzer vendor
compile_fuzzers '^func Fuzz.*data' compile_go_fuzzer '(vendor|Integ)'
# The below fuzzers require more setup than the fuzzers above.
# We need the binaries from "make".
wget --quiet https://github.com/protocolbuffers/protobuf/releases/download/v3.11.4/protoc-3.11.4-linux-x86_64.zip
unzip protoc-3.11.4-linux-x86_64.zip -d /usr/local
export CGO_ENABLED=1
export GOARCH=amd64
# Build runc
cd $SRC/
git clone https://github.com/opencontainers/runc --branch release-1.1
cd runc
make
make install
# Build static containerd
cd $SRC/containerd
make STATIC=1
mkdir $OUT/containerd-binaries || true
cd $SRC/containerd/bin && cp * $OUT/containerd-binaries/ && cd -
# Change defaultState and defaultAddress fron /run/containerd-test to /tmp/containerd-test:
sed -i 's/\/run\/containerd-test/\/tmp\/containerd-test/g' $SRC/containerd/integration/client/client_unix_test.go
cd integration/client
compile_fuzzers '^func FuzzInteg.*data' compile_go_fuzzer vendor
cp $SRC/containerd/contrib/fuzz/*.options $OUT/
cp $SRC/containerd/contrib/fuzz/*.dict $OUT/
# Resume CXXFLAGS
export CXXFLAGS=$OLDCXXFLAGS
Reference in New Issue View Git Blame Copy Permalink