jo-m / trainbot

Watches a piece of train track, detects trains, and stitches together images of them.
https://trains.jo-m.ch/
MIT License
465 stars, 8 forks

Bump go version to fix runtime vulnerability #4

Closed ArneRobberechts closed 1 year ago

ArneRobberechts commented 1 year ago

Vulnerability: GO-2023-1840
More info: https://pkg.go.dev/vuln/GO-2023-1840

Standard library
Found in: runtime@go1.20.4
Fixed in: runtime@go1.20.5

ArneRobberechts commented 1 year ago

For reference, the output of govulncheck for build_docker with go version 1.20.4:

#0 45.24 govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
#0 45.24 
#0 45.24 Using go1.20.4 and govulncheck@v0.0.0 with
#0 45.24 vulnerability data from https://vuln.go.dev (last modified 2023-06-09 15:42:52 +0000 UTC).
#0 46.44 
#0 46.44 Scanning your code and 340 packages across 38 dependent modules for known vulnerabilities...
#0 50.72 Your code is affected by 1 vulnerability from the Go standard library.
#0 50.72 
#0 50.72 Vulnerability #1: GO-2023-1840
#0 50.72   On Unix platforms, the Go runtime does not behave differently
#0 50.72   when a binary is run with the setuid/setgid bits. This can be
#0 50.72   dangerous in certain cases, such as when dumping memory state,
#0 50.72   or assuming the status of standard i/o file descriptors. If a
#0 50.72   setuid/setgid binary is executed with standard I/O file
#0 50.72   descriptors closed, opening any files can result in unexpected
#0 50.72   content being read or written with elevated privileges.
#0 50.72   Similarly, if a setuid/setgid program is terminated, either via
#0 50.72   panic or signal, it may leak the contents of its registers.
#0 50.72 
#0 50.72   More info: https://pkg.go.dev/vuln/GO-2023-1840
#0 50.72 
#0 50.72   Standard library
#0 50.72     Found in: runtime@go1.20.4
#0 50.72     Fixed in: runtime@go1.20.5
#0 50.72 
#0 50.72     Call stacks in your code:
#0 50.72       cmd/trainbot/main.go:184:32: github.com/jo-m/trainbot/cmd/trainbot.detectTrainsForever calls runtime/pprof.WriteHeapProfile, which eventually calls runtime.MemProfile
#0 50.72       cmd/trainbot/main.go:184:32: github.com/jo-m/trainbot/cmd/trainbot.detectTrainsForever calls runtime/pprof.WriteHeapProfile, which eventually calls runtime.MemProfileRecord.InUseObjects
#0 50.72       cmd/trainbot/main.go:184:32: github.com/jo-m/trainbot/cmd/trainbot.detectTrainsForever calls runtime/pprof.WriteHeapProfile, which eventually calls runtime.MemProfileRecord.Stack
#0 50.72       cmd/trainbot/main.go:184:32: github.com/jo-m/trainbot/cmd/trainbot.detectTrainsForever calls runtime/pprof.WriteHeapProfile, which eventually calls runtime.ReadMemStats
#0 50.72       cmd/trainbot/main.go:221:28: github.com/jo-m/trainbot/cmd/trainbot.processTrains calls github.com/nfnt/resize.Thumbnail, which eventually calls runtime.GOMAXPROCS
#0 50.72       cmd/trainbot/main.go:353:18: github.com/jo-m/trainbot/cmd/trainbot.main calls github.com/rs/zerolog.Event.Err, which eventually calls runtime.TypeAssertionError.Error
#0 50.72       cmd/trainbot/main.go:353:18: github.com/jo-m/trainbot/cmd/trainbot.main calls github.com/rs/zerolog.Event.Err, which eventually calls runtime.plainError.Error
#0 50.72       cmd/trainbot/main.go:368:3: github.com/jo-m/trainbot/cmd/trainbot.main calls runtime/pprof.StopCPUProfile, which eventually calls runtime.SetCPUProfileRate
#0 50.72       github.com/jo-m/trainbot/internal/pkg/server.init calls runtime.init
#0 50.72       github.com/jo-m/trainbot/internal/pkg/testutil.init calls github.com/stretchr/testify/assert.init, which eventually calls runtime.CallersFrames
#0 50.72       github.com/jo-m/trainbot/internal/pkg/testutil.init calls github.com/stretchr/testify/assert.init, which eventually calls runtime.Frames.Next
#0 50.72       github.com/jo-m/trainbot/pkg/ransac.init calls go-hep.org/x/hep/hplot.init, which eventually calls runtime.GOROOT
#0 50.72       github.com/jo-m/trainbot/pkg/vid.init calls github.com/u2takey/ffmpeg-go.init, which eventually calls runtime.Version
#0 50.72       internal/pkg/server/wwwdata.go:19:36: github.com/jo-m/trainbot/internal/pkg/server.getDataDir calls runtime.Caller
#0 50.72       internal/pkg/testutil/image.go:20:14: github.com/jo-m/trainbot/internal/pkg/testutil.AssertImagesAlmostEqual calls github.com/stretchr/testify/assert.Equal, which eventually calls runtime.Callers
#0 50.72       internal/pkg/testutil/image.go:20:14: github.com/jo-m/trainbot/internal/pkg/testutil.AssertImagesAlmostEqual calls github.com/stretchr/testify/assert.Equal, which eventually calls runtime.Func.Name
#0 50.72       internal/pkg/testutil/image.go:20:14: github.com/jo-m/trainbot/internal/pkg/testutil.AssertImagesAlmostEqual calls github.com/stretchr/testify/assert.Equal, which eventually calls runtime.FuncForPC
#0 50.72       pkg/thermal/thermal.go:17:30: github.com/jo-m/trainbot/pkg/thermal.MeasureDegC calls os.ReadFile, which eventually calls runtime.KeepAlive
#0 50.72       pkg/vid/cam.go:96:12: github.com/jo-m/trainbot/pkg/vid.DetectCams calls sort.Slice, which eventually calls runtime.MemProfileRecord.InUseBytes
#0 50.72       pkg/vid/picam3.go:123:21: github.com/jo-m/trainbot/pkg/vid.NewPiCam3Src calls os/exec.Command, which eventually calls runtime.SetFinalizer
#0 50.72       pkg/vid/picam3.go:123:21: github.com/jo-m/trainbot/pkg/vid.NewPiCam3Src calls os/exec.Command, which eventually calls runtime.Stack
#0 50.76 exit status 3
#0 50.77 make: *** [Makefile:29: lint] Error 1
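The advisory text above describes two things a setuid/setgid Go binary built with an affected runtime could get wrong: opening a file while descriptors 0, 1 or 2 are closed (so the "new" file silently becomes stdout or stderr), and running with elevated privileges at all on a toolchain that predates the fix. The block below is an added example, not code from the trainbot repository or from the Go project; the function names `runningWithElevatedPrivileges`, `ensureStdioOpen` and `goVersionAtLeast` are hypothetical, and the only page-derived value is the fixed-in version `go1.20.5`. It shows the classic defensive pattern of filling any closed standard descriptors with `/dev/null` before the program opens anything else, and a start-up gate that refuses to run setuid on a toolchain older than the fix. Go 1.20.5 and later perform the descriptor fix-up in the runtime itself; doing it again in user code is harmless and covers binaries built with older toolchains.

```go
// Added example: defensive checks for a Go program that may be installed with
// the setuid/setgid bits, mirroring the failure modes GO-2023-1840 describes.
// Not code from the trainbot repository; function names are hypothetical.
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// stdioFillers keeps references to any /dev/null handles that were used to
// fill a closed standard descriptor. Dropping them would let the *os.File
// finalizer close the descriptor again, reopening the hole.
var stdioFillers []*os.File

// runningWithElevatedPrivileges reports whether the effective uid/gid differ
// from the real ones, i.e. the binary was started through setuid/setgid bits.
func runningWithElevatedPrivileges() bool {
	return os.Geteuid() != os.Getuid() || os.Getegid() != os.Getgid()
}

// ensureStdioOpen guarantees that descriptors 0, 1 and 2 are open. The kernel
// always hands out the lowest free descriptor, so opening /dev/null until the
// result is above 2 fills every gap; the first handle above 2 is closed again.
// It returns how many of the three standard descriptors had to be filled.
func ensureStdioOpen() (int, error) {
	filled := 0
	for {
		f, err := os.OpenFile(os.DevNull, os.O_RDWR, 0)
		if err != nil {
			return filled, err
		}
		if f.Fd() > 2 {
			f.Close()
			return filled, nil
		}
		stdioFillers = append(stdioFillers, f)
		filled++
	}
}

// parseGoVersion turns a release string such as "go1.20.4" (the format
// runtime.Version() returns for release toolchains) into numeric components.
// Development builds ("devel ...") are rejected rather than guessed at.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// goVersionAtLeast reports whether release "have" is the same as or newer
// than release "want".
func goVersionAtLeast(have, want string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

func main() {
	// Fix the descriptors first: until they are open, even an error message
	// to stderr could land in the wrong file.
	filled, err := ensureStdioOpen()
	if err != nil {
		os.Exit(2)
	}
	const fixedIn = "go1.20.5" // version the advisory lists as fixed
	ok, err := goVersionAtLeast(runtime.Version(), fixedIn)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot parse toolchain version:", err)
	} else if !ok && runningWithElevatedPrivileges() {
		fmt.Fprintf(os.Stderr, "refusing to run setuid/setgid on %s (fixed in %s)\n", runtime.Version(), fixedIn)
		os.Exit(1)
	}
	fmt.Printf("stdio descriptors filled: %d, toolchain: %s\n", filled, runtime.Version())
}
```

Run as an ordinary user the program reports zero filled descriptors; launched from a parent that closed its stdio (for instance via a shell redirection such as `0<&- 1>&-`), the count goes up and the program's later writes to stdout go to `/dev/null` instead of whatever file it opens next.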
jo-m commented 1 year ago

Thanks, I have bumped everything in master.