InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 18:51:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
98a44bb18e21c9729575992c1d4a8cbee5a40bb7
moby/hack/dockerfiles/generate-files.Dockerfile
Sebastiaan van Stijn 98a44bb18e update go to go1.20.5 
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 12:47:05 +02:00

74 lines
2.2 KiB
Docker
Raw Blame History

# syntax=docker/dockerfile:1
ARG GO_VERSION=1.20.5
ARG BASE_DEBIAN_DISTRO="bullseye"
ARG PROTOC_VERSION=3.11.4
# protoc is dynamically linked to glibc so can't use alpine base
FROM golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO} AS base
RUN apt-get update && apt-get --no-install-recommends install -y git unzip
ARG PROTOC_VERSION
ARG TARGETOS
ARG TARGETARCH
RUN <<EOT
set -e
arch=$(echo $TARGETARCH | sed -e s/amd64/x86_64/ -e s/arm64/aarch_64/)
wget -q https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip
unzip protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip -d /usr/local
EOT
WORKDIR /go/src/github.com/docker/docker
FROM base AS src
WORKDIR /out
COPY . .
RUN <<EOT
set -ex
git config --global user.email "moby@example.com"
git config --global user.name "moby"
git init .
git add .
git commit -m 'init'
EOT
FROM base AS tools
RUN --mount=from=src,source=/out,target=.,rw \
--mount=type=cache,target=/root/.cache/go-build <<EOT
set -ex
./hack/with-go-mod.sh go install -v -mod=vendor -modfile=vendor.mod \
github.com/gogo/protobuf/protoc-gen-gogo \
github.com/gogo/protobuf/protoc-gen-gogofaster \
github.com/gogo/protobuf/protoc-gen-gogoslick \
github.com/golang/protobuf/protoc-gen-go
./hack/with-go-mod.sh go build -v -mod=vendor -modfile=vendor.mod \
-o /usr/bin/pluginrpc-gen \
./pkg/plugins/pluginrpc-gen
EOT
FROM tools AS generated
ENV GO111MODULE=off
RUN --mount=from=src,source=/out,target=.,rw <<EOT
set -ex
go generate -v ./...
mkdir /out
git ls-files -m --others -- ':!vendor' 'profiles/seccomp/default.json' '**/*.pb.go' | tar -cf - --files-from - | tar -C /out -xf -
EOT
FROM scratch AS update
COPY --from=generated /out /
FROM base AS validate
RUN --mount=from=src,source=/out,target=.,rw \
--mount=type=bind,from=generated,source=/out,target=/generated-files <<EOT
set -e
git add -A
if [ "$(ls -A /generated-files)" ]; then
cp -rf /generated-files/* .
fi
diff=$(git status --porcelain -- ':!vendor' 'profiles/seccomp/default.json' '**/*.pb.go')
if [ -n "$diff" ]; then
echo >&2 'ERROR: The result of "go generate" differs. Please update with "make generate-files"'
echo "$diff"
exit 1
fi
EOT
Reference in New Issue View Git Blame Copy Permalink