Go 1.18.4 Release [Security Update]


Since Golden Week in May I have been oddly busy and let my various updates slide, and meanwhile Go security updates keep coming out one after another and the 1.19 release candidate has shown up too, so I am in a bit of a flap.

This article covers the security updates since 1.18.1 in one go.

CVE-2022-29526 syscall: fix Faccessat on Linux

When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Severity: Warning (Score: 5.3)

  Base metric              Value
  Attack Vector            Network
  Attack Complexity        Low
  Privileges Required      None
  User Interaction         None
  Scope                    Unchanged
  Confidentiality Impact   Low
  Integrity Impact         None
  Availability Impact      None

CVE-2022-30634 crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

(remainder not yet written)

CVE-2022-30629 crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

(remainder not yet written)

CVE-2022-30580 os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either “..com” or “..exe”, they will be executed.

(remainder not yet written)
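The condition behind this advisory is a Cmd whose Path was never filled in. The pre-flight check below is an added example, not code from this post or from Go's os/exec: checkCmdPath and runChecked are hypothetical helpers that refuse to launch a Cmd whose Path is empty, relative, or does not point at a regular file, so the decision about which binary runs never falls back to the working directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrEmptyPath is returned for a Cmd whose Path was never set.
var ErrEmptyPath = errors.New("exec: refusing to run Cmd with empty Path")

// checkCmdPath is a pre-flight check (hypothetical helper, not part of
// os/exec). It rejects an unset Path, which on affected Go versions could
// resolve to a stray "..com"/"..exe" in the working directory on Windows,
// and a relative Path, which depends on the working directory at launch time.
func checkCmdPath(cmd *exec.Cmd) error {
	if cmd.Path == "" {
		return ErrEmptyPath
	}
	if !filepath.IsAbs(cmd.Path) {
		return fmt.Errorf("exec: Cmd.Path %q is not absolute", cmd.Path)
	}
	info, err := os.Stat(cmd.Path)
	if err != nil {
		return fmt.Errorf("exec: Cmd.Path: %w", err)
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("exec: Cmd.Path %q is not a regular file", cmd.Path)
	}
	return nil
}

// runChecked runs cmd only after checkCmdPath passes.
func runChecked(cmd *exec.Cmd) error {
	if err := checkCmdPath(cmd); err != nil {
		return err
	}
	return cmd.Run()
}

func main() {
	// A Cmd assembled by hand with Path left empty: rejected before anything runs.
	bad := &exec.Cmd{Args: []string{"hostname"}}
	fmt.Println("empty Path:", runChecked(bad))

	// exec.Command resolves the name through LookPath and fills in Path for us.
	good := exec.Command("hostname")
	fmt.Println("resolved Path:", good.Path, "check:", checkCmdPath(good))
}
```

exec.Command already populates Path for you; the check matters for code that builds exec.Cmd literals directly or reuses a Cmd whose Path was cleared.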

CVE-2022-29804 path/filepath: Clean(.\c:) returns c: on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

(remainder not yet written)
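The lesson of this advisory is that Clean is a normaliser, not a safety check. The helper below is an added example, not code from this post or from path/filepath: safeJoin is a hypothetical function that validates an untrusted, slash-separated relative path before it reaches Join, rejecting backslashes and colons (the Windows separator and volume marker behind the `.\c:` case), anything fs.ValidPath refuses, and any cleaned result that does not stay under the base directory. It is portable and runs the same way on Linux.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any input that could escape the base directory.
var ErrUnsafePath = errors.New("unsafe path")

// safeJoin (hypothetical helper, not part of path/filepath) joins an untrusted,
// slash-separated relative path onto base and refuses anything that could
// escape base. The input is validated before it ever reaches Join, because
// cleaning an invalid path may produce a valid one (as `.\c:` -> `c:` shows).
func safeJoin(base, untrusted string) (string, error) {
	// Backslash and colon are a separator and a volume marker on Windows; an
	// untrusted relative path has no business containing either on any OS.
	if strings.ContainsAny(untrusted, `\:`) {
		return "", ErrUnsafePath
	}
	// fs.ValidPath rejects rooted paths, "." or ".." elements, empty elements
	// and trailing slashes (it accepts "." alone, meaning base itself).
	if !fs.ValidPath(untrusted) {
		return "", ErrUnsafePath
	}
	joined := filepath.Join(base, filepath.FromSlash(untrusted))
	// Final containment check on the cleaned result.
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	// Constructed base directory; the inputs below are constructed samples.
	base := filepath.Join(string(filepath.Separator), "srv", "files")
	for _, in := range []string{"docs/readme.txt", ".", `.\c:`, "../etc/passwd", "/etc/passwd", "a//b"} {
		out, err := safeJoin(base, in)
		fmt.Printf("%-18q -> %q %v\n", in, out, err)
	}
}
```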

CVE-2022-1705 net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a “chunked” encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

(remainder not yet written)
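Request smuggling of this kind depends on two parsers disagreeing about what a header means, so the defensive side is a parser that accepts only unambiguous syntax. The validator below is an added example, not code from this post or from net/http (whose own handling is simpler and supports only "chunked"): parseTransferEncoding is a hypothetical helper that requires every list element to be an RFC 7230 token after trimming only SP and HTAB, so a value like "\rchunked" is rejected instead of being treated as chunked, and it insists that "chunked" appear at most once and only as the final encoding.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadTransferEncoding is returned for any syntactically invalid field-value.
var ErrBadTransferEncoding = errors.New("invalid Transfer-Encoding header")

// isToken reports whether s is a non-empty RFC 7230 token (tchar characters only).
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false // control characters, spaces and separators are never part of a token
		}
	}
	return true
}

// parseTransferEncoding (hypothetical helper, not net/http's parser) parses
// the Transfer-Encoding field-values strictly and returns the lower-cased
// encodings in order. Only SP and HTAB are trimmed, so "\rchunked" fails the
// token check rather than being read as chunked; "chunked" must be the final
// encoding, which also rules out "chunked, chunked".
func parseTransferEncoding(values []string) ([]string, error) {
	var encs []string
	for _, v := range values {
		for _, elem := range strings.Split(v, ",") {
			elem = strings.Trim(elem, " \t")
			if !isToken(elem) {
				return nil, fmt.Errorf("%w: %q", ErrBadTransferEncoding, elem)
			}
			encs = append(encs, strings.ToLower(elem))
		}
	}
	for i, e := range encs {
		if e == "chunked" && i != len(encs)-1 {
			return nil, fmt.Errorf("%w: chunked is not the final encoding", ErrBadTransferEncoding)
		}
	}
	return encs, nil
}

func main() {
	// Constructed sample field-values, valid and invalid.
	for _, v := range []string{"chunked", "gzip, Chunked", "\rchunked", "chunked, gzip", "chunked, chunked"} {
		encs, err := parseTransferEncoding([]string{v})
		fmt.Printf("%q -> %v %v\n", v, encs, err)
	}
}
```

The same strictness is what you want on any intermediary you operate: a proxy that normalises a malformed header into a valid one is exactly the "intermediate server" the advisory describes.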

CVE-2022-32148

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

(remainder not yet written)
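The documented way to keep ReverseProxy from adding X-Forwarded-For is for the Director to assign nil to that header, and the advisory confirms that path works as expected. The program below is an added example, not code from this post or from net/http/httputil: forwardedForSeen and roundTripperFunc are hypothetical helpers that push one constructed request through a single-host ReverseProxy with a stand-in Transport, so the outbound request can be inspected without opening a socket, and report the X-Forwarded-For value a backend would actually receive with and without the nil assignment.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// roundTripperFunc lets a plain function stand in for the proxy's Transport,
// so the outbound request can be inspected without any network access.
type roundTripperFunc func(*http.Request) (*http.Response, error)

func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// forwardedForSeen (hypothetical helper) pushes one constructed request through
// a single-host ReverseProxy and reports the X-Forwarded-For value the backend
// would receive. With omit set, the Director assigns nil to the header, which
// is the documented way to tell ReverseProxy not to populate it.
func forwardedForSeen(omit bool) (present bool, value string) {
	target, err := url.Parse("http://backend.invalid") // never dialled
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		if omit {
			r.Header["X-Forwarded-For"] = nil
		}
	}
	proxy.Transport = roundTripperFunc(func(r *http.Request) (*http.Response, error) {
		// A nil-valued header is never written to the wire, so join the
		// values exactly as a backend would see them.
		value = strings.Join(r.Header.Values("X-Forwarded-For"), ", ")
		present = value != ""
		return &http.Response{
			StatusCode: http.StatusOK,
			Header:     make(http.Header),
			Body:       io.NopCloser(strings.NewReader("ok")),
			Request:    r,
		}, nil
	})
	req := httptest.NewRequest(http.MethodGet, "http://front.example/", nil)
	req.RemoteAddr = "203.0.113.9:4567" // constructed client address
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return present, value
}

func main() {
	for _, omit := range []bool{false, true} {
		p, v := forwardedForSeen(omit)
		fmt.Printf("omit=%v present=%v value=%q\n", omit, p, v)
	}
}
```

Deleting the key with Header.Del is not the same thing: with the key absent, ReverseProxy adds the client IP as usual. Only a present key with a nil value signals "leave it out".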

CVE-2022-30631 compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

(remainder not yet written)

CVE-2022-30633 encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

(remainder not yet written)

CVE-2022-28131 encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

(remainder not yet written)
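This advisory and the Unmarshal one above share a root cause: recursive descent over attacker-controlled nesting. A stack overflow in Go is a fatal runtime error, not a panic that recover can catch, so the only defense in application code is to bound the input before the recursive code sees it. The program below is an added example, not code from this post or from encoding/xml: checkXMLDepth is a hypothetical helper that walks the document with Decoder.Token, which is iterative, and fails fast once nesting passes a limit; unmarshalBounded runs that check before handing the bytes to xml.Unmarshal. Doc and nestedXML are constructed sample types and data.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when element nesting exceeds the configured limit.
var ErrTooDeep = errors.New("xml: nesting depth exceeds limit")

// checkXMLDepth (hypothetical helper, not part of encoding/xml) streams through
// the document with Decoder.Token and tracks element nesting. It returns the
// deepest level seen, or ErrTooDeep as soon as the limit is passed, before any
// recursive Unmarshal or Skip is attempted on the input.
func checkXMLDepth(r io.Reader, maxDepth int) (int, error) {
	dec := xml.NewDecoder(r)
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > deepest {
				deepest = depth
			}
			if depth > maxDepth {
				return deepest, ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// unmarshalBounded runs the depth check first and only then calls
// xml.Unmarshal. Taking a []byte also means a size cap (io.LimitReader
// while reading the body) can be enforced before parsing starts.
func unmarshalBounded(data []byte, maxDepth int, v interface{}) error {
	if _, err := checkXMLDepth(bytes.NewReader(data), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// Doc is a constructed target type for a small, legitimate document.
type Doc struct {
	XMLName xml.Name `xml:"doc"`
	Name    string   `xml:"name"`
}

// nestedXML builds a constructed document <a><a>...x...</a></a> n levels deep.
func nestedXML(n int) string {
	return strings.Repeat("<a>", n) + "x" + strings.Repeat("</a>", n)
}

func main() {
	var d Doc
	fmt.Println(unmarshalBounded([]byte("<doc><name>ok</name></doc>"), 8, &d), d.Name)
	fmt.Println(unmarshalBounded([]byte(nestedXML(1000)), 64, &d))
}
```

Pick the limit from what your schema legitimately needs (a few dozen levels is generous for most formats) and treat anything beyond it as a malformed request worth logging.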

CVE-2022-30635 encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

(remainder not yet written)

CVE-2022-30632 path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

(remainder not yet written)

CVE-2022-30630 io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

(remainder not yet written)

CVE-2022-1962 go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

(remainder not yet written)

As usual...

The Go compiler managed through Ubuntu's APT is old, so I strongly recommend fetching the binary (go1.18.4.linux-amd64.tar.gz) from the download page and installing it yourself. Below is an example of doing this entirely by hand.

$ cd /usr/local/src
$ sudo curl -L "https://go.dev/dl/go1.18.4.linux-amd64.tar.gz" -O
$ cd ..
$ sudo unlink go # if a previous Go is already installed
$ sudo tar xvf src/go1.18.4.linux-amd64.tar.gz
$ sudo mv go go1.18.4
$ sudo ln -s go1.18.4 go
$ go version # if /usr/local/go/bin is on your PATH
go version go1.18.4 linux/amd64

On Windows, installing via Scoop is fine.

Plan your updates.

Recommended reading

プログラミング言語Go (Japanese edition of The Go Programming Language)
Alan Donovan (author), Brian Kernighan (author), Yoshiki Shibata (author)
Maruzen Publishing 2016-06-20 (Release 2021-07-13)
Kindle edition
B099928SJD (ASIN)

The Kindle edition is out! Parts of it have become dated, but this book can fairly be called the textbook for the Go language. My impressions are here.

reviewed by Spiegel on 2021-05-22 (powered by PA-APIv5)