From 5091f13a5d027b785084028aedb03beb5b0bd9a6 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 27 Jun 2022 11:22:21 +0200 Subject: [PATCH 1/9] update to golang 1.19 also ran gofmt with go1.19 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 58413c15cb0382a66c4dd18b8e32205b22cfa833) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 96d6393ed79a4..6fa4b7af1f695 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 393bb0c7f0dd4..d7f02edc1cbf0 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index af541eab0c322..305515a5b0faf 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index 0aaf4f5167b21..10ef4194bb40a 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 721358e0cb7c10b41508f3c114baeceb2ac9ba0a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 13 Feb 2023 17:16:43 +0100 Subject: [PATCH 2/9] vendor: update stdlib archive/tar for go1.19 Signed-off-by: Sebastiaan van Stijn --- vendor/archive/tar/common.go | 9 ++++-- vendor/archive/tar/format.go | 4 --- vendor/archive/tar/reader.go | 20 ++++--------- vendor/archive/tar/reader_test.go | 11 +------ vendor/archive/tar/stat_unix.go | 2 +- vendor/archive/tar/strconv.go | 1 + .../tar/testdata/pax-bad-hdr-large.tar.bz2 | Bin 156 -> 0 bytes vendor/archive/tar/writer.go | 3 -- vendor/archive/tar/writer_test.go | 27 ------------------ 9 files changed, 14 insertions(+), 63 deletions(-) delete mode 100644 vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 diff --git a/vendor/archive/tar/common.go b/vendor/archive/tar/common.go index c99b5c19207f7..f6d701d925cba 100644 --- a/vendor/archive/tar/common.go +++ b/vendor/archive/tar/common.go @@ -221,9 +221,11 @@ func (s sparseEntry) endOffset() int64 { return s.Offset + s.Length } // that the file has no data in it, which is rather odd. // // As an example, if the underlying raw file contains the 10-byte data: +// // var compactFile = "abcdefgh" // // And the sparse map has the following entries: +// // var spd sparseDatas = []sparseEntry{ // {Offset: 2, Length: 5}, // Data fragment for 2..6 // {Offset: 18, Length: 3}, // Data fragment for 18..20 @@ -235,6 +237,7 @@ func (s sparseEntry) endOffset() int64 { return s.Offset + s.Length } // } // // Then the content of the resulting sparse file with a Header.Size of 25 is: +// // var sparseFile = "\x00"*2 + "abcde" + "\x00"*11 + "fgh" + "\x00"*4 type ( sparseDatas []sparseEntry @@ -293,9 +296,9 @@ func alignSparseEntries(src []sparseEntry, size int64) []sparseEntry { // The input must have been already validated. // // This function mutates src and returns a normalized map where: -// * adjacent fragments are coalesced together -// * only the last fragment may be empty -// * the endOffset of the last fragment is the total size +// - adjacent fragments are coalesced together +// - only the last fragment may be empty +// - the endOffset of the last fragment is the total size func invertSparseEntries(src []sparseEntry, size int64) []sparseEntry { dst := src[:0] var pre sparseEntry diff --git a/vendor/archive/tar/format.go b/vendor/archive/tar/format.go index 8898c438b513e..21b9d9d4dbc62 100644 --- a/vendor/archive/tar/format.go +++ b/vendor/archive/tar/format.go @@ -143,10 +143,6 @@ const ( blockSize = 512 // Size of each block in a tar stream nameSize = 100 // Max length of the name field in USTAR format prefixSize = 155 // Max length of the prefix field in USTAR format - - // Max length of a special file (PAX header, GNU long name or link). - // This matches the limit used by libarchive. - maxSpecialFileSize = 1 << 20 ) // blockPadding computes the number of bytes needed to pad offset up to the diff --git a/vendor/archive/tar/reader.go b/vendor/archive/tar/reader.go index e609c15f27af7..f1b35c34f6f25 100644 --- a/vendor/archive/tar/reader.go +++ b/vendor/archive/tar/reader.go @@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { continue // This is a meta header affecting the next header case TypeGNULongName, TypeGNULongLink: format.mayOnlyBe(FormatGNU) - realname, err := readSpecialFile(tr) + realname, err := io.ReadAll(tr) if err != nil { return nil, err } @@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { // parsePAX parses PAX headers. // If an extended header (type 'x') is invalid, ErrHeader is returned func parsePAX(r io.Reader) (map[string]string, error) { - buf, err := readSpecialFile(r) + buf, err := io.ReadAll(r) if err != nil { return nil, err } @@ -336,9 +336,9 @@ func parsePAX(r io.Reader) (map[string]string, error) { // header in case further processing is required. // // The err will be set to io.EOF only when one of the following occurs: -// * Exactly 0 bytes are read and EOF is hit. -// * Exactly 1 block of zeros is read and EOF is hit. -// * At least 2 blocks of zeros are read. +// - Exactly 0 bytes are read and EOF is hit. +// - Exactly 1 block of zeros is read and EOF is hit. +// - At least 2 blocks of zeros are read. func (tr *Reader) readHeader() (*Header, *block, error) { // Two blocks of zero bytes marks the end of the archive. if _, err := io.ReadFull(tr.r, tr.blk[:]); err != nil { @@ -828,16 +828,6 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { return n, err } -// readSpecialFile is like io.ReadAll except it returns -// ErrFieldTooLong if more than maxSpecialFileSize is read. -func readSpecialFile(r io.Reader) ([]byte, error) { - buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1)) - if len(buf) > maxSpecialFileSize { - return nil, ErrFieldTooLong - } - return buf, err -} - // discard skips n bytes in r, reporting an error if unable to do so. func discard(r io.Reader, n int64) error { // If possible, Seek to the last byte before the end of the data section. diff --git a/vendor/archive/tar/reader_test.go b/vendor/archive/tar/reader_test.go index 140c736429120..f21a6065b4857 100644 --- a/vendor/archive/tar/reader_test.go +++ b/vendor/archive/tar/reader_test.go @@ -6,7 +6,6 @@ package tar import ( "bytes" - "compress/bzip2" "crypto/md5" "errors" "fmt" @@ -244,9 +243,6 @@ func TestReader(t *testing.T) { }, { file: "testdata/pax-bad-hdr-file.tar", err: ErrHeader, - }, { - file: "testdata/pax-bad-hdr-large.tar.bz2", - err: ErrFieldTooLong, }, { file: "testdata/pax-bad-mtime-file.tar", err: ErrHeader, @@ -629,14 +625,9 @@ func TestReader(t *testing.T) { } defer f.Close() - var fr io.Reader = f - if strings.HasSuffix(v.file, ".bz2") { - fr = bzip2.NewReader(fr) - } - // Capture all headers and checksums. var ( - tr = NewReader(fr) + tr = NewReader(f) hdrs []*Header chksums []string rdbuf = make([]byte, 8) diff --git a/vendor/archive/tar/stat_unix.go b/vendor/archive/tar/stat_unix.go index b743c76b8cbcf..5f2a4dd6fb37c 100644 --- a/vendor/archive/tar/stat_unix.go +++ b/vendor/archive/tar/stat_unix.go @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -//go:build aix || linux || darwin || dragonfly || freebsd || openbsd || netbsd || solaris +//go:build unix package tar diff --git a/vendor/archive/tar/strconv.go b/vendor/archive/tar/strconv.go index 275db6f0263f2..ac3196370e611 100644 --- a/vendor/archive/tar/strconv.go +++ b/vendor/archive/tar/strconv.go @@ -306,6 +306,7 @@ func formatPAXRecord(k, v string) (string, error) { // validPAXRecord reports whether the key-value pair is valid where each // record is formatted as: +// // "%d %s=%s\n" % (size, key, value) // // Keys and values should be UTF-8, but the number of bad writers out there diff --git a/vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 b/vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 deleted file mode 100644 index 06bf710d3ae4e96a27487124f08e30c9e318699d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 156 zcmV;N0Av3`T4*^jL0KkKS;SwlM*sj&-;n5#Kmq^806<7UWm)Y~!#90LDZj0F4RNS<;o$l$z=JG_q>Xyl@Bs{9VZu K;X*?Ze#IONT1LeH diff --git a/vendor/archive/tar/writer.go b/vendor/archive/tar/writer.go index 9b2e3e25d4ceb..3729f7e82c192 100644 --- a/vendor/archive/tar/writer.go +++ b/vendor/archive/tar/writer.go @@ -199,9 +199,6 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error { flag = TypeXHeader } data := buf.String() - if len(data) > maxSpecialFileSize { - return ErrFieldTooLong - } if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal { return err // Global headers return here } diff --git a/vendor/archive/tar/writer_test.go b/vendor/archive/tar/writer_test.go index 640264984a96e..da3fb89e65e51 100644 --- a/vendor/archive/tar/writer_test.go +++ b/vendor/archive/tar/writer_test.go @@ -1004,33 +1004,6 @@ func TestIssue12594(t *testing.T) { } } -func TestWriteLongHeader(t *testing.T) { - for _, test := range []struct { - name string - h *Header - }{{ - name: "name too long", - h: &Header{Name: strings.Repeat("a", maxSpecialFileSize)}, - }, { - name: "linkname too long", - h: &Header{Linkname: strings.Repeat("a", maxSpecialFileSize)}, - }, { - name: "uname too long", - h: &Header{Uname: strings.Repeat("a", maxSpecialFileSize)}, - }, { - name: "gname too long", - h: &Header{Gname: strings.Repeat("a", maxSpecialFileSize)}, - }, { - name: "PAX header too long", - h: &Header{PAXRecords: map[string]string{"GOLANG.x": strings.Repeat("a", maxSpecialFileSize)}}, - }} { - w := NewWriter(io.Discard) - if err := w.WriteHeader(test.h); err != ErrFieldTooLong { - t.Errorf("%v: w.WriteHeader() = %v, want ErrFieldTooLong", test.name, err) - } - } -} - // testNonEmptyWriter wraps an io.Writer and ensures that // Write is never called with an empty buffer. type testNonEmptyWriter struct{ io.Writer } From 6cc1ef32a28e7e6e74383d4775bd178d36495181 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 6 Sep 2022 22:33:13 +0200 Subject: [PATCH 3/9] Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190 From the mailing list: We have just released Go versions 1.19.1 and 1.18.6, minor point releases. These minor releases include 2 security fixes following the security policy: - net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this. This is CVE-2022-27664 and Go issue https://go.dev/issue/54658. - net/url: JoinPath does not strip relative path components in all circumstances JoinPath and URL.JoinPath would not remove `../` path components appended to a relative path. For example, `JoinPath("https://go.dev", "../go")` returned the URL `https://go.dev/../go`, despite the JoinPath documentation stating that `../` path elements are cleaned from the result. Thanks to q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385. Release notes: go1.19.1 (released 2022-09-06) includes security fixes to the net/http and net/url packages, as well as bug fixes to the compiler, the go command, the pprof command, the linker, the runtime, and the crypto/tls and crypto/x509 packages. See the Go 1.19.1 milestone on the issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 1eadbdd9fadca31c02b6f0aebfbbab4d8c6cf716) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6fa4b7af1f695..af8064a976c6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19 +ARG GO_VERSION=1.19.1 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index d7f02edc1cbf0..a278741006636 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19 +ARG GO_VERSION=1.19.1 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 305515a5b0faf..4c4fc5089882d 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19 +ARG GO_VERSION=1.19.1 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index 10ef4194bb40a..f0f2c2f6ca7d4 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19 +ARG GO_VERSION=1.19.1 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 1c8c16524f94ae69eb33c5c9000e87615ce973a6 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 4 Oct 2022 20:41:45 +0200 Subject: [PATCH 4/9] Update to go 1.19.2 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715 From the mailing list: We have just released Go versions 1.19.2 and 1.18.7, minor point releases. These minor releases include 3 security fixes following the security policy: - archive/tar: unbounded memory consumption when reading headers Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-2879 and Go issue https://go.dev/issue/54853. - net/http/httputil: ReverseProxy should not forward unparseable query parameters Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue. This is CVE-2022-2880 and Go issue https://go.dev/issue/54663. - regexp/syntax: limit memory used by parsing regexps The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-41715 and Go issue https://go.dev/issue/55949. View the release notes for more information: https://go.dev/doc/devel/release#go1.19.2 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 7b4e4c08b5a03cd7448adb72626382bd36bef981) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index af8064a976c6d..7dfb66f33a1d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index a278741006636..5baffff5ffe7c 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 4c4fc5089882d..4f84491b8b568 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index f0f2c2f6ca7d4..c94b6970554b4 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 091b8896bea67ff68971a32f6cbca2cd7c07d63c Mon Sep 17 00:00:00 2001 From: Cory Snider Date: Fri, 24 Feb 2023 12:36:15 -0500 Subject: [PATCH 5/9] vendor: update stdlib archive/tar for go1.19.2 Signed-off-by: Cory Snider --- vendor/archive/tar/format.go | 4 +++ vendor/archive/tar/reader.go | 14 +++++++-- vendor/archive/tar/reader_test.go | 11 ++++++- .../tar/testdata/pax-bad-hdr-large.tar.bz2 | Bin 0 -> 156 bytes vendor/archive/tar/writer.go | 3 ++ vendor/archive/tar/writer_test.go | 27 ++++++++++++++++++ 6 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 diff --git a/vendor/archive/tar/format.go b/vendor/archive/tar/format.go index 21b9d9d4dbc62..8898c438b513e 100644 --- a/vendor/archive/tar/format.go +++ b/vendor/archive/tar/format.go @@ -143,6 +143,10 @@ const ( blockSize = 512 // Size of each block in a tar stream nameSize = 100 // Max length of the name field in USTAR format prefixSize = 155 // Max length of the prefix field in USTAR format + + // Max length of a special file (PAX header, GNU long name or link). + // This matches the limit used by libarchive. + maxSpecialFileSize = 1 << 20 ) // blockPadding computes the number of bytes needed to pad offset up to the diff --git a/vendor/archive/tar/reader.go b/vendor/archive/tar/reader.go index f1b35c34f6f25..45848304ed9d0 100644 --- a/vendor/archive/tar/reader.go +++ b/vendor/archive/tar/reader.go @@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { continue // This is a meta header affecting the next header case TypeGNULongName, TypeGNULongLink: format.mayOnlyBe(FormatGNU) - realname, err := io.ReadAll(tr) + realname, err := readSpecialFile(tr) if err != nil { return nil, err } @@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { // parsePAX parses PAX headers. // If an extended header (type 'x') is invalid, ErrHeader is returned func parsePAX(r io.Reader) (map[string]string, error) { - buf, err := io.ReadAll(r) + buf, err := readSpecialFile(r) if err != nil { return nil, err } @@ -828,6 +828,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { return n, err } +// readSpecialFile is like io.ReadAll except it returns +// ErrFieldTooLong if more than maxSpecialFileSize is read. +func readSpecialFile(r io.Reader) ([]byte, error) { + buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1)) + if len(buf) > maxSpecialFileSize { + return nil, ErrFieldTooLong + } + return buf, err +} + // discard skips n bytes in r, reporting an error if unable to do so. func discard(r io.Reader, n int64) error { // If possible, Seek to the last byte before the end of the data section. diff --git a/vendor/archive/tar/reader_test.go b/vendor/archive/tar/reader_test.go index f21a6065b4857..140c736429120 100644 --- a/vendor/archive/tar/reader_test.go +++ b/vendor/archive/tar/reader_test.go @@ -6,6 +6,7 @@ package tar import ( "bytes" + "compress/bzip2" "crypto/md5" "errors" "fmt" @@ -243,6 +244,9 @@ func TestReader(t *testing.T) { }, { file: "testdata/pax-bad-hdr-file.tar", err: ErrHeader, + }, { + file: "testdata/pax-bad-hdr-large.tar.bz2", + err: ErrFieldTooLong, }, { file: "testdata/pax-bad-mtime-file.tar", err: ErrHeader, @@ -625,9 +629,14 @@ func TestReader(t *testing.T) { } defer f.Close() + var fr io.Reader = f + if strings.HasSuffix(v.file, ".bz2") { + fr = bzip2.NewReader(fr) + } + // Capture all headers and checksums. var ( - tr = NewReader(f) + tr = NewReader(fr) hdrs []*Header chksums []string rdbuf = make([]byte, 8) diff --git a/vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 b/vendor/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..06bf710d3ae4e96a27487124f08e30c9e318699d GIT binary patch literal 156 zcmV;N0Av3`T4*^jL0KkKS;SwlM*sj&-;n5#Kmq^806<7UWm)Y~!#90LDZj0F4RNS<;o$l$z=JG_q>Xyl@Bs{9VZu K;X*?Ze#IONT1LeH literal 0 HcmV?d00001 diff --git a/vendor/archive/tar/writer.go b/vendor/archive/tar/writer.go index 3729f7e82c192..9b2e3e25d4ceb 100644 --- a/vendor/archive/tar/writer.go +++ b/vendor/archive/tar/writer.go @@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error { flag = TypeXHeader } data := buf.String() + if len(data) > maxSpecialFileSize { + return ErrFieldTooLong + } if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal { return err // Global headers return here } diff --git a/vendor/archive/tar/writer_test.go b/vendor/archive/tar/writer_test.go index da3fb89e65e51..640264984a96e 100644 --- a/vendor/archive/tar/writer_test.go +++ b/vendor/archive/tar/writer_test.go @@ -1004,6 +1004,33 @@ func TestIssue12594(t *testing.T) { } } +func TestWriteLongHeader(t *testing.T) { + for _, test := range []struct { + name string + h *Header + }{{ + name: "name too long", + h: &Header{Name: strings.Repeat("a", maxSpecialFileSize)}, + }, { + name: "linkname too long", + h: &Header{Linkname: strings.Repeat("a", maxSpecialFileSize)}, + }, { + name: "uname too long", + h: &Header{Uname: strings.Repeat("a", maxSpecialFileSize)}, + }, { + name: "gname too long", + h: &Header{Gname: strings.Repeat("a", maxSpecialFileSize)}, + }, { + name: "PAX header too long", + h: &Header{PAXRecords: map[string]string{"GOLANG.x": strings.Repeat("a", maxSpecialFileSize)}}, + }} { + w := NewWriter(io.Discard) + if err := w.WriteHeader(test.h); err != ErrFieldTooLong { + t.Errorf("%v: w.WriteHeader() = %v, want ErrFieldTooLong", test.name, err) + } + } +} + // testNonEmptyWriter wraps an io.Writer and ensures that // Write is never called with an empty buffer. type testNonEmptyWriter struct{ io.Writer } From 4701ca9f719f5386d2ca2417b566b5950aa8a929 Mon Sep 17 00:00:00 2001 From: Cory Snider Date: Tue, 1 Nov 2022 16:54:48 -0400 Subject: [PATCH 6/9] Update to Go 1.19.3 to address CVE-2022-41716 On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads. Signed-off-by: Cory Snider (cherry picked from commit f9d4589976c9a1b07506839b053022212362b5f3) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7dfb66f33a1d7..e71fe0efe82db 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 5baffff5ffe7c..a3e8b9a1b08f2 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 4f84491b8b568..37dbf4fdccce5 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index c94b6970554b4..038ccbc52d8e7 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 82b0ac1166cc553e2757c5d490ce69078064ef6e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 6 Dec 2022 22:57:25 +0100 Subject: [PATCH 7/9] update to go1.19.4 Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720), and os (CVE-2022-41720). These minor releases include 2 security fixes following the security policy: - os, net/http: avoid escapes from os.DirFS and http.Dir on Windows The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. This is CVE-2022-41720 and Go issue https://go.dev/issue/56694. - net/http: limit canonical header cache by bytes, not entries An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2. Thanks to Josselin Costanzi for reporting this issue. This is CVE-2022-41717 and Go issue https://go.dev/issue/56350. View the release notes for more information: https://go.dev/doc/devel/release#go1.19.4 And the milestone on the issue tracker: https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4 The golang.org/x/net fix is in https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 52bc1ad744345b5dd9ec4d3af24ff66cdb23865f) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index e71fe0efe82db..03dc284028349 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index a3e8b9a1b08f2..304251a2a47ea 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 37dbf4fdccce5..4bc68cca8426b 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index 038ccbc52d8e7..aa28a0e6f26ae 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 5b48f300dd0c6a2bbfc942408bc7e3fbc39609f0 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Jan 2023 00:15:35 +0100 Subject: [PATCH 8/9] update to go1.19.5 go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and the crypto/x509, net/http, sync/atomic, and syscall packages. See the Go 1.19.5 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.19.5+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.19.4...go1.19.5 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 155e8d7d780200c9d6e03322aeb8394a849dd144) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 03dc284028349..92f89c2079f26 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 304251a2a47ea..45fa188b9766b 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 4bc68cca8426b..b8997114f7cad 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index aa28a0e6f26ae..1b308f159619b 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: From 98c9e3f43833bf87c21e02aca77c75c7a475ecd6 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 14 Feb 2023 20:41:04 +0100 Subject: [PATCH 9/9] update to go1.19.6 go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go command, the linker, the runtime, and the crypto/x509, net/http, and time packages. See the Go 1.19.6 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved From the announcement on the security mailing: We have just released Go versions 1.20.1 and 1.19.6, minor point releases. These minor releases include 4 security fixes following the security policy: - path/filepath: path traversal in filepath.Clean on Windows On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b. This is CVE-2022-41722 and Go issue https://go.dev/issue/57274. - net/http, mime/multipart: denial of service from excessive resource consumption Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map ntry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. This is CVE-2022-41725 and Go issue https://go.dev/issue/58006. - crypto/tls: large handshake records may cause panics Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth > = RequestClientCert). This is CVE-2022-41724 and Go issue https://go.dev/issue/58001. - net/http: avoid quadratic complexity in HPACK decoding A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2. This is CVE-2022-41723 and Go issue https://go.dev/issue/57855. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 94feb31516cd99749fa797e16e2bc11840d86613) Signed-off-by: Cory Snider --- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 92f89c2079f26..05b93aad5810e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 45fa188b9766b..f3df4a64c6c8c 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index b8997114f7cad..d79a292a77545 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff --git a/Dockerfile.windows b/Dockerfile.windows index 1b308f159619b..0f6efd96967a9 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 ARG GOTESTSUM_VERSION=v1.8.2 # Environment variable notes: