update go to go1.20.5
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 98a44bb18e21c9729575992c1d4a8cbee5a40bb7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 24c882c3e06f61fa6b66c08101399eec898432ed)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-06-14 10:47:05 +00:00
|
|
|
ARG GO_VERSION=1.20.5
|
2019-07-17 11:59:16 +00:00
|
|
|
|
|
|
|
FROM golang:${GO_VERSION}-alpine AS base
|
2019-09-11 07:36:53 +00:00
|
|
|
ENV GO111MODULE=off
|
2018-10-03 00:57:42 +00:00
|
|
|
RUN apk --no-cache add \
|
2017-09-08 14:43:04 +00:00
|
|
|
bash \
|
|
|
|
build-base \
|
|
|
|
curl \
|
|
|
|
lvm2-dev \
|
2018-10-03 00:57:42 +00:00
|
|
|
jq
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:15:03 +00:00
|
|
|
RUN mkdir -p /build/
|
2017-09-08 14:43:04 +00:00
|
|
|
RUN mkdir -p /go/src/github.com/docker/docker/
|
|
|
|
WORKDIR /go/src/github.com/docker/docker/
|
|
|
|
|
2019-04-19 14:15:03 +00:00
|
|
|
FROM base AS frozen-images
|
|
|
|
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
|
|
|
|
COPY contrib/download-frozen-image-v2.sh /
|
|
|
|
RUN /download-frozen-image-v2.sh /build \
|
2021-08-19 21:40:38 +00:00
|
|
|
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
|
|
|
|
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
|
|
|
|
debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
|
|
|
|
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
|
|
|
|
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
|
2020-12-16 13:53:49 +00:00
|
|
|
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
|
2019-04-19 14:15:03 +00:00
|
|
|
|
2019-04-19 14:24:33 +00:00
|
|
|
FROM base AS dockercli
|
|
|
|
COPY hack/dockerfile/install/install.sh ./install.sh
|
2022-07-02 15:00:34 +00:00
|
|
|
COPY hack/dockerfile/install/dockercli.installer ./
|
|
|
|
RUN PREFIX=/build ./install.sh dockercli
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2022-06-16 20:47:36 +00:00
|
|
|
# TestDockerCLIBuildSuite dependency
|
2019-04-19 14:26:10 +00:00
|
|
|
FROM base AS contrib
|
|
|
|
COPY contrib/syscall-test /build/syscall-test
|
|
|
|
COPY contrib/httpserver/Dockerfile /build/httpserver/Dockerfile
|
|
|
|
COPY contrib/httpserver contrib/httpserver
|
|
|
|
RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver
|
|
|
|
|
|
|
|
# Build the integration tests and copy the resulting binaries to /build/tests
|
2019-04-19 14:24:33 +00:00
|
|
|
FROM base AS builder
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2017-09-12 12:53:20 +00:00
|
|
|
# Set tag and add sources
|
2019-04-19 14:20:24 +00:00
|
|
|
COPY . .
|
2019-04-27 04:38:55 +00:00
|
|
|
# Copy test sources tests that use assert can print errors
|
|
|
|
RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;
|
|
|
|
# Build and install test binaries
|
2019-04-30 07:22:22 +00:00
|
|
|
ARG DOCKER_GITCOMMIT=undefined
|
2017-09-08 14:43:04 +00:00
|
|
|
RUN hack/make.sh build-integration-test-binary
|
2019-04-27 04:38:55 +00:00
|
|
|
RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:15:03 +00:00
|
|
|
## Generate testing image
|
2019-06-23 17:39:20 +00:00
|
|
|
FROM alpine:3.10 as runner
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:20:24 +00:00
|
|
|
ENV DOCKER_REMOTE_DAEMON=1
|
|
|
|
ENV DOCKER_INTEGRATION_DAEMON_DEST=/
|
|
|
|
ENTRYPOINT ["/scripts/run.sh"]
|
|
|
|
|
|
|
|
# Add an unprivileged user to be used for tests which need it
|
|
|
|
RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash
|
|
|
|
|
2017-09-08 14:43:04 +00:00
|
|
|
# GNU tar is used for generating the emptyfs image
|
2018-10-03 00:57:42 +00:00
|
|
|
RUN apk --no-cache add \
|
2017-09-08 14:43:04 +00:00
|
|
|
bash \
|
|
|
|
ca-certificates \
|
|
|
|
g++ \
|
|
|
|
git \
|
2021-08-19 19:16:01 +00:00
|
|
|
inetutils-ping \
|
2017-09-08 14:43:04 +00:00
|
|
|
iptables \
|
2021-08-19 19:16:01 +00:00
|
|
|
libcap2-bin \
|
2018-01-16 18:49:18 +00:00
|
|
|
pigz \
|
2017-09-08 14:43:04 +00:00
|
|
|
tar \
|
2018-10-03 00:57:42 +00:00
|
|
|
xz
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:20:24 +00:00
|
|
|
COPY hack/test/e2e-run.sh /scripts/run.sh
|
|
|
|
COPY hack/make/.ensure-emptyfs /scripts/ensure-emptyfs.sh
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:02:22 +00:00
|
|
|
COPY integration/testdata /tests/integration/testdata
|
|
|
|
COPY integration/build/testdata /tests/integration/build/testdata
|
|
|
|
COPY integration-cli/fixtures /tests/integration-cli/fixtures
|
2017-09-08 14:43:04 +00:00
|
|
|
|
2019-04-19 14:15:03 +00:00
|
|
|
COPY --from=frozen-images /build/ /docker-frozen-images
|
2019-04-19 14:24:33 +00:00
|
|
|
COPY --from=dockercli /build/ /usr/bin/
|
2019-04-19 14:26:10 +00:00
|
|
|
COPY --from=contrib /build/ /tests/contrib/
|
2019-04-27 04:38:55 +00:00
|
|
|
COPY --from=builder /build/ /
|