Sebastiaan van Stijn
a6e03c60ab
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5 These minor releases include 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Introduction
docker-credential-helpers is a suite of programs to use native stores to keep Docker credentials safe.
Installation
Go to the Releases page and download the binary that works better for you. Put that binary in your $PATH, so Docker can find it.
Building
You can build the credential helpers using Docker:
# install emulators
$ docker run --privileged --rm tonistiigi/binfmt --install all
# create builder
$ docker buildx create --use
# build credential helpers from remote repository and output to ./bin/build
$ docker buildx bake "https://github.com/docker/docker-credential-helpers.git"
# or from local source
$ git clone https://github.com/docker/docker-credential-helpers.git
$ cd docker-credential-helpers
$ docker buildx bake
Or if the toolchain is already installed on your machine:
1 - Download the source.
$ git clone https://github.com/docker/docker-credential-helpers.git
$ cd docker-credential-helpers
2 - Use make to build the program you want. That will leave an executable in the bin directory inside the repository.
$ make osxkeychain
3 - Put that binary in your $PATH, so Docker can find it.
$ cp bin/build/docker-credential-osxkeychain /usr/local/bin/
Usage
With the Docker Engine
Set the credsStore option in your ~/.docker/config.json file with the suffix of the program you want to use. For instance, set it to osxkeychain if you want to use docker-credential-osxkeychain.
{
"credsStore": "osxkeychain"
}
With other command line applications
The sub-package client includes functions to call external programs from your own command line applications.
There are three things you need to know if you need to interact with a helper:
- The name of the program to execute, for instance
docker-credential-osxkeychain. - The server address to identify the credentials, for instance
https://example.com. - The username and secret to store, when you want to store credentials.
You can see examples of each function in the client documentation.
Available programs
- osxkeychain: Provides a helper to use the OS X keychain as credentials store.
- secretservice: Provides a helper to use the D-Bus secret service as credentials store.
- wincred: Provides a helper to use Windows credentials manager as store.
- pass: Provides a helper to use
passas credentials store.
Note
pass needs to be configured for docker-credential-pass to work properly.
It must be initialized with a gpg2 key ID. Make sure your GPG key exists is in gpg2 keyring as pass uses gpg2 instead of the regular gpg.
Development
A credential helper can be any program that can read values from the standard input. We use the first argument in the command line to differentiate the kind of command to execute. There are four valid values:
store: Adds credentials to the keychain. The payload in the standard input is a JSON document withServerURL,UsernameandSecret.get: Retrieves credentials from the keychain. The payload in the standard input is the raw value for theServerURL.erase: Removes credentials from the keychain. The payload in the standard input is the raw value for theServerURL.list: Lists stored credentials. There is no standard input payload.
This repository also includes libraries to implement new credentials programs in Go. Adding a new helper program is pretty easy. You can see how the OS X keychain helper works in the osxkeychain directory.
- Implement the interface
credentials.HelperinYOUR_PACKAGE/ - Create a main program in
YOUR_PACKAGE/cmd/. - Add make tasks to build your program and run tests.
License
MIT. See LICENSE for more information.