Update to Go 1.19.3 to address CVE-2022-41716

On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes https://github.com/golang/go/issues/56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This commit is contained in:

Sebastiaan van Stijn

2022-11-05 17:39:57 +01:00

parent 8a19043cc7

commit 85eee32f4c

6 changed files with 6 additions and 6 deletions

									
										2

.github/workflows/test.yml
									
										vendored
									
												View File
												
				@ -63,7 +63,7 @@ jobs:

				        name: Set up Go

				        uses: actions/setup-go@v3

				        with:

				          go-version: 1.19.2

				          go-version: 1.19.3

				      -

				        name: Test

				        run: |

Update to Go 1.19.3 to address CVE-2022-41716

2 .github/workflows/test.yml vendored Unescape Escape View File

2

.github/workflows/test.yml vendored

View File