@thaJeztah
Member

On Windows, syscall.StartProcess and os/exec.Cmd did not properly
check for invalid environment variable values. A malicious
environment variable value could exploit this behavior to set a
value for a different environment variable. For example, the
environment variable string "A=B\x00C=D" set the variables "A=B" and
"C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes golang/go#56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

    On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes golang/go#56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@codecov-commenter

Codecov Report

Merging #3850 (85eee32) into master (8a19043) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3850   +/-   ##
=======================================
  Coverage   59.17%   59.17%           
=======================================
  Files         288      288           
  Lines       24647    24647           
=======================================
  Hits        14586    14586           
  Misses       9176     9176           
  Partials      885      885           

@thaJeztah thaJeztah merged commit c312c85 into docker:master Nov 7, 2022
@thaJeztah thaJeztah deleted the bump_go_1.19.3 branch November 7, 2022 13:28
Development

Successfully merging this pull request may close these issues.

runtime: "runtime·lock: lock count" fatal error when cgo is enabled [1.19 backport]
