Merge pull request #713 from henrybear327/cve/CVE-2023-45288-release-1.3

Bump go toolchain version to address CVE-2023-45288 for release-1.3
etcd-io · Apr 5, 2024 · 2c29534 · 2c29534
2 parents 9f3524b + 9b60c13
commit 2c29534
Show file tree

Hide file tree

Showing 9 changed files with 8 additions and 18 deletions.
diff --git a/.github/workflows/failpoint_test.yaml b/.github/workflows/failpoint_test.yaml
@@ -17,4 +17,3 @@ jobs:
       - run: |
           make gofail-enable
           make test-failpoint
-
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -102,4 +102,3 @@ jobs:
       with:
         go-version: ${{ steps.goversion.outputs.goversion }}
     - run: make coverage
-
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.17.13
+1.21.9
diff --git a/cmd/bbolt/main_test.go b/cmd/bbolt/main_test.go
@@ -3,7 +3,6 @@ package main_test
 import (
 	"bytes"
 	crypto "crypto/rand"
-	"encoding/binary"
 	"fmt"
 	"io"
 	"math/rand"
@@ -304,12 +303,6 @@ func NewMain() *Main {
 }
 
 func TestCompactCommand_Run(t *testing.T) {
-	var s int64
-	if err := binary.Read(crypto.Reader, binary.BigEndian, &s); err != nil {
-		t.Fatal(err)
-	}
-	rand.Seed(s)
-
 	dstdb := btesting.MustCreateDB(t)
 	dstdb.Close()
 

diff --git a/freelist_test.go b/freelist_test.go
@@ -320,7 +320,6 @@ func benchmark_FreelistRelease(b *testing.B, size int) {
 }
 
 func randomPgids(n int) []pgid {
-	rand.Seed(42)
 	pgids := make(pgids, n)
 	for i := range pgids {
 		pgids[i] = pgid(rand.Int63())

diff --git a/go.mod b/go.mod
@@ -1,16 +1,16 @@
 module go.etcd.io/bbolt
 
-go 1.17
+go 1.21
 
 require (
 	github.com/stretchr/testify v1.8.1
 	go.etcd.io/gofail v0.1.0
+	golang.org/x/sync v0.5.0
 	golang.org/x/sys v0.4.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/manydbs_test.go b/manydbs_test.go
@@ -1,8 +1,8 @@
 package bbolt
 
 import (
+	"crypto/rand"
 	"fmt"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"testing"
@@ -46,7 +46,9 @@ func createAndPutKeys(t *testing.T) {
 			}
 
 			var key [16]byte
-			rand.Read(key[:])
+			if _, err := rand.Read(key[:]); err != nil {
+				return err
+			}
 			if err := nodes.Put(key[:], nil); err != nil {
 				return err
 			}

diff --git a/simulation_test.go b/simulation_test.go
@@ -35,8 +35,6 @@ func testSimulate(t *testing.T, openOption *bolt.Options, round, threadCount, pa
 		t.Skip("skipping test in short mode.")
 	}
 
-	rand.Seed(int64(qseed))
-
 	// A list of operations that readers and writers can perform.
 	var readerHandlers = []simulateHandler{simulateGetHandler}
 	var writerHandlers = []simulateHandler{simulateGetHandler, simulatePutHandler}

diff --git a/unsafe.go b/unsafe.go
@@ -32,7 +32,7 @@ func unsafeByteSlice(base unsafe.Pointer, offset uintptr, i, j int) []byte {
 // manipulation of reflect.SliceHeader to prevent misuse, namely, converting
 // from reflect.SliceHeader to a Go slice type.
 func unsafeSlice(slice, data unsafe.Pointer, len int) {
-	s := (*reflect.SliceHeader)(slice)
+	s := (*reflect.SliceHeader)(slice) //nolint:staticcheck
 	s.Data = uintptr(data)
 	s.Cap = len
 	s.Len = len