Skip to content

[release/1.5] update to Go 1.18.8 to address CVE-2022-41716 #7633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dmcgowan merged 1 commit into from
Nov 7, 2022
Merged

[release/1.5] update to Go 1.18.8 to address CVE-2022-41716 #7633

dmcgowan merged 1 commit into from
Nov 7, 2022

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Nov 5, 2022

This Go release also fixes golang/go#56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads.

@thaJeztah
[release/1.5] update to Go 1.18.8 to address CVE-2022-41716
9d9bd10 
    On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes golang/go#56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this pull request Nov 5, 2022
Merged
@fuweid
Copy link
Member

fuweid commented Nov 7, 2022

/retest

@akhilerm akhilerm mentioned this pull request Nov 7, 2022
Merged
@estesp
Copy link
Member

estesp commented Nov 7, 2022

/test pull-containerd-node-e2e

@akhilerm
Copy link
Member

akhilerm commented Nov 7, 2022

@estesp The pull-containerd-node-e2e will fail in containerd 1.5 because of a recent change in k8s master related to removing support for CRI v1alpha2. I have raised a PR in test-infra for creating a separate job for 1.5 branch, but not sure if thats the correct approach.

@estesp
Copy link
Member

estesp commented Nov 7, 2022

@estesp The pull-containerd-node-e2e will fail in containerd 1.5 because of a recent change in k8s master related to removing support for CRI v1alpha2. I have raised a PR in test-infra for creating a separate job for 1.5 branch, but not sure if thats the correct approach.

Yeah, I just followed that trail after I restarted the test :) Let's see what the guidance is from the test-infra folks. Thanks for tracking it down!

@k8s-ci-robot
Copy link

k8s-ci-robot commented Nov 7, 2022

@thaJeztah: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-containerd-node-e2e 9d9bd10 link true /test pull-containerd-node-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@dmcgowan dmcgowan merged commit e1a2bb0 into containerd:release/1.5 Nov 7, 2022
@thaJeztah thaJeztah deleted the 1.5_bump_go1.18.8 branch November 7, 2022 18:16
@dmcgowan dmcgowan mentioned this pull request Dec 6, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmcgowan dmcgowan dmcgowan approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@thaJeztah @fuweid @estesp @akhilerm @k8s-ci-robot @dmcgowan @AkihiroSuda