go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved
Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6
These minor releases include 1 security fixes following the security policy:
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.
Thanks to Bartek Nowotarski for reporting this issue.
Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use stdlib's os.UserHomeDir() instead of depending only on $HOME. Note that
this does not yet does nss lookups for situations where $HOME / $USERPROFILE
is not set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit a13ff50017 simplified the handling of
env-vars in getPassDir(), but moved interpolation of env-vars to the end
of the function.
As a result, a custom path passed through `$PASSWORD_STORE_DIR` would now
be interpolated, instead of taken as-is. For example;
PASSWORD_STORE_DIR=$PWD/world
Would now interpolate `$PWD`, instead of using a literal `$PWD`.
This patch changes the logic to only expand env-vars for the default location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- renamed the "key" variable, which was slightly confusing
- include the name of the binary in the error
Before this change:
docker-credential-osxkeychain nosuchaction
Unknown credential action `nosuchaction`
After this change:
docker-credential-osxkeychain nosuchaction
docker-credential-osxkeychain: unknown action: nosuchaction
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
GNU guidelines describes; https://www.gnu.org/prep/standards/html_node/_002d_002dversion.html#g_t_002d_002dversion
The program’s name should be a constant string; don’t compute it from argv[0].
The idea is to state the standard or canonical name for the program, not its
file name.
Although the above recommendation is for `--version` output, it probably makes
sense to do the same for the "usage" output.
Before this change:
/usr/local/bin/docker-credential-osxkeychain invalid command
Usage: /usr/local/bin/docker-credential-osxkeychain <store|get|erase|list|version>
/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain invalid command
Usage: /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain <store|get|erase|list|version>
With this patch:
/usr/local/bin/docker-credential-osxkeychain invalid command
Usage: docker-credential-osxkeychain <store|get|erase|list|version>
/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain invalid command
Usage: docker-credential-osxkeychain <store|get|erase|list|version>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Explicitly suppress some unhandled errors
- Use "pass" credentials helper in examples, which is available
on more platforms than "secretservice" (only supporte on Linux)
- Update domain and username in examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Don't set Env if not set; the default is already handled if it's nil; from
the documentation: https://pkg.go.dev/os/exec@go1.20.4#Cmd.Env
// If Env is nil, the new process uses the current process's
// environment.
Use `os/exec/Cmd.Environ()` instead of `os.Environ()`, which was added in
go1.19, and handles additional environment variables, such as `PWD` on POSIX
systems, and `SYSTEMROOT` on Windows. https://pkg.go.dev/os/exec@go1.20.4#Cmd.Environ
Also remove a redundant `fmt.Sprintf()`, as we're only concatenating strings.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn