From acc3f991fcfa88bcd62e56519b1138413d4f7346 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sat, 5 Nov 2022 17:48:35 +0100
Subject: [PATCH] [20.10] update to Go 1.18.8 to address CVE-2022-41716
On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads.
Signed-off-by: Sebastiaan van Stijn
---
 Dockerfile | 2 +-
 appveyor.yml | 2 +-
 docker-bake.hcl | 2 +-
 dockerfiles/Dockerfile.binary-native | 2 +-
 dockerfiles/Dockerfile.dev | 2 +-
 dockerfiles/Dockerfile.e2e | 2 +-
 dockerfiles/Dockerfile.lint | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d6a55f9250..a8ca4942ad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.18.7
+ARG GO_VERSION=1.18.8
 ARG XX_VERSION=1.1.0
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
diff --git a/appveyor.yml b/appveyor.yml
index 43d329b884..4479604098 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 environment:
 GOPATH: c:\gopath
- GOVERSION: 1.18.7
+ GOVERSION: 1.18.8
 DEPVERSION: v0.4.1
 install:
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 21f30011c9..0b1ae5d6b0 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
- default = "1.18.7"
+ default = "1.18.8"
 }
 variable "VERSION" {
 default = ""
diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native
index 7b49cced11..b86f119fb1 100644
--- a/dockerfiles/Dockerfile.binary-native
+++ b/dockerfiles/Dockerfile.binary-native
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.18.7
+ARG GO_VERSION=1.18.8
 FROM golang:${GO_VERSION}-alpine
diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev
index 39c1d96459..7d37ace420 100644
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.18.7
+ARG GO_VERSION=1.18.8
 FROM golang:${GO_VERSION}-alpine AS golang
 ENV CGO_ENABLED=0
diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e
index 70323cf230..4429d0d244 100644
--- a/dockerfiles/Dockerfile.e2e
+++ b/dockerfiles/Dockerfile.e2e
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.18.7
+ARG GO_VERSION=1.18.8
 # Use Debian based image as docker-compose requires glibc.
 FROM golang:${GO_VERSION}-buster
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index 71d080ae51..719fd037f7 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.18.7
+ARG GO_VERSION=1.18.8
 ARG GOLANGCI_LINT_VERSION=v1.45.2
 FROM golang:${GO_VERSION}-alpine AS build