[release/1.6] Update go 1.18.7, addresses CVE-2022-2879, CVE-2022-2880, CVE-2022-41715#7475
Merged
AkihiroSuda merged 5 commits intocontainerd:release/1.6from Oct 5, 2022
Merged
Conversation
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
1.6_bump_go_1.18.7
branch
3 times, most recently
from
aab2c88 to
96864cc
Compare
Member
Author
|
I have a feeling that the |
it looks like golangci-lint's gofmt check uses go1.19 rules, despite being run with go1.18. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]> (cherry picked from commit 3a3f43f) Signed-off-by: Sebastiaan van Stijn <[email protected]>
for compatibility with Go 1.18 Signed-off-by: Sebastiaan van Stijn <[email protected]>
CVE-2022-41715 From the mailing list: We have just released Go versions 1.19.2 and 1.18.7, minor point releases. These minor releases include 3 security fixes following the security policy: - archive/tar: unbounded memory consumption when reading headers Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-2879 and Go issue https://go.dev/issue/54853. - net/http/httputil: ReverseProxy should not forward unparseable query parameters Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue. This is CVE-2022-2880 and Go issue https://go.dev/issue/54663. - regexp/syntax: limit memory used by parsing regexps The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-41715 and Go issue https://go.dev/issue/55949. View the release notes for more information: https://go.dev/doc/devel/release#go1.18.7 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
1.6_bump_go_1.18.7
branch
from
96864cc to
28324c5
Compare
AkihiroSuda
approved these changes
Oct 5, 2022
fuweid
approved these changes
Oct 5, 2022
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
From the mailing list:
We have just released Go versions 1.19.2 and 1.18.7, minor point releases.
These minor releases include 3 security fixes following the security policy:
archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
View the release notes for more information: https://go.dev/doc/devel/release#go1.18.7