Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release/1.5] update golang to 1.17.12 #7161

Merged
merged 1 commit into from
Jul 14, 2022

Conversation

thaJeztah
Copy link
Member

- Update Go runtime to 1.17.12 to address CVE-2022-1705, CVE-2022-1962, CVE-2022-28131,
  CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635,
  and CVE-2022-32148.

go1.17.12 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the runtime,
and the runtime/metrics package. See the Go 1.17.12 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.12+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: golang/go@go1.17.11...go1.17.12

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

  • net/http: improper sanitization of Transfer-Encoding header

    The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
    a "chunked" encoding. This could potentially allow for request smuggling, but
    only if combined with an intermediate server that also improperly failed to
    reject the header as invalid.

    This is CVE-2022-1705 and https://go.dev/issue/53188.

  • When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
    containing a nil value for the X-Forwarded-For header, ReverseProxy would set
    the client IP as the value of the X-Forwarded-For header, contrary to its
    documentation. In the more usual case where a Director function set the
    X-Forwarded-For header value to nil, ReverseProxy would leave the header
    unmodified as expected.

    This is https://go.dev/issue/53423 and CVE-2022-32148.

    Thanks to Christian Mehlmauer for reporting this issue.

  • compress/gzip: stack exhaustion in Reader.Read

    Calling Reader.Read on an archive containing a large number of concatenated
    0-length compressed files can cause a panic due to stack exhaustion.

    This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

  • encoding/xml: stack exhaustion in Unmarshal

    Calling Unmarshal on a XML document into a Go struct which has a nested field
    that uses the any field tag can cause a panic due to stack exhaustion.

    This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

  • encoding/xml: stack exhaustion in Decoder.Skip

    Calling Decoder.Skip when parsing a deeply nested XML document can cause a
    panic due to stack exhaustion. The Go Security team discovered this issue, and
    it was independently reported by Juho Nurminen of Mattermost.

    This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

  • encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures
    can cause a panic due to stack exhaustion.

    This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

  • path/filepath: stack exhaustion in Glob

    Calling Glob on a path which contains a large number of path separators can
    cause a panic due to stack exhaustion.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

  • io/fs: stack exhaustion in Glob

    Calling Glob on a path which contains a large number of path separators can
    cause a panic due to stack exhaustion.

    This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

  • go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply
    nested types or declarations can cause a panic due to stack exhaustion.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn github@gone.nl

go1.17.12 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the runtime,
and the runtime/metrics package. See the Go 1.17.12 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.12+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: golang/go@go1.17.11...go1.17.12

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Copy link
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fuweid fuweid merged commit ee05ca2 into containerd:release/1.5 Jul 14, 2022
@thaJeztah thaJeztah deleted the 1.5_update_go branch July 14, 2022 06:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants