Skip to content

Update to Go 1.19.3 to address CVE-2022-41716#3850

Merged
thaJeztah merged 1 commit intodocker:masterfrom
thaJeztah:bump_go_1.19.3
Nov 7, 2022
Merged

Update to Go 1.19.3 to address CVE-2022-41716#3850
thaJeztah merged 1 commit intodocker:masterfrom
thaJeztah:bump_go_1.19.3

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Nov 5, 2022 

On Windows, syscall.StartProcess and os/exec.Cmd did not properly
check for invalid environment variable values. A malicious
environment variable value could exploit this behavior to set a
value for a different environment variable. For example, the
environment variable string "A=B\x00C=D" set the variables "A=B" and
"C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes golang/go#56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah
Update to Go 1.19.3 to address CVE-2022-41716
85eee32 
    On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes golang/go#56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 22.06.0 milestone Nov 5, 2022
@codecov-commenter
Copy link

codecov-commenter commented Nov 5, 2022

Codecov Report

Merging #3850 (85eee32) into master (8a19043) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #3850   +/-   ##
=======================================
  Coverage   59.17%   59.17%           
=======================================
  Files         288      288           
  Lines       24647    24647           
=======================================
  Hits        14586    14586           
  Misses       9176     9176           
  Partials      885      885

@thaJeztah thaJeztah merged commit c312c85 into docker:master Nov 7, 2022
@thaJeztah thaJeztah deleted the bump_go_1.19.3 branch November 7, 2022 13:28
@thaJeztah thaJeztah mentioned this pull request Feb 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vvoland vvoland vvoland approved these changes

Assignees

No one assigned

Labels

area/packaging impact/changelog status/2-code-review

Projects

None yet

Milestone

23.0.0

Development

Successfully merging this pull request may close these issues.

runtime: "runtime·lock: lock count" fatal error when cgo is enabled [1.19 backport]

3 participants

@thaJeztah @codecov-commenter @vvoland