[release/1.5] update to Go 1.18.8 to address CVE-2022-41716

thaJeztah · thaJeztah · commit 9d9bd10b462c · 2022-11-05T18:02:14.000+01:00
On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes golang/go#56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
 
     strategy:
       matrix:
-        go-version: [1.18.7]
+        go-version: [1.18.8]
         os: [ubuntu-18.04, macos-12, windows-2019]
 
     steps:
@@ -46,7 +46,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
         with:
@@ -72,7 +72,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
         with:
@@ -104,7 +104,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
       - uses: actions/checkout@v2
       - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.1
       - run: make man
@@ -138,7 +138,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
       - uses: actions/checkout@v2
       - run: |
           set -e -x
@@ -195,7 +195,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-18.04, macos-12, windows-2019]
-        go-version: ['1.18.7']
+        go-version: ['1.18.8']
 
     steps:
       - uses: actions/setup-go@v2
@@ -237,7 +237,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
         with:
@@ -326,7 +326,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
 
@@ -468,7 +468,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
       - uses: actions/checkout@v2
       - run: sudo -E PATH=$PATH script/setup/install-gotestsum
       - name: Tests
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
         with:
@@ -135,7 +135,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - uses: actions/checkout@v2
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -62,7 +62,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.18.7'
+          go-version: '1.18.8'
 
       - name: Set env
         shell: bash
diff --git a/Vagrantfile b/Vagrantfile
@@ -77,7 +77,7 @@ Vagrant.configure("2") do |config|
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.18.7",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.18.8",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
@@ -10,7 +10,7 @@
 #
 # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../
 
-ARG GOLANG_VERSION=1.18.7
+ARG GOLANG_VERSION=1.18.8
 
 FROM golang:${GOLANG_VERSION} AS golang-base
 RUN mkdir -p /go/src/github.com/containerd/containerd

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ Vagrant.configure("2") do \|config\|`
`77`	`77`	`config.vm.provision "install-golang", type: "shell", run: "once" do \|sh\|`
`78`	`78`	`sh.upload_path = "/tmp/vagrant-install-golang"`
`79`	`79`	`sh.env = {`
`80`		`- 'GO_VERSION': ENV['GO_VERSION'] \|\| "1.18.7",`
	`80`	`+ 'GO_VERSION': ENV['GO_VERSION'] \|\| "1.18.8",`
`81`	`81`	`}`
`82`	`82`	`sh.inline = <<~SHELL`
`83`	`83`	`#!/usr/bin/env bash`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`#`
`11`	`11`	`# docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../`
`12`	`12`
`13`		`-ARG GOLANG_VERSION=1.18.7`
	`13`	`+ARG GOLANG_VERSION=1.18.8`
`14`	`14`
`15`	`15`	`FROM golang:${GOLANG_VERSION} AS golang-base`
`16`	`16`	`RUN mkdir -p /go/src/github.com/containerd/containerd`