aws · eks-distro-bot · Dec 11, 2023 · Dec 5, 2023 · Dec 5, 2023 · Dec 6, 2023
diff --git a/projects/golang/go/1.19/README.md b/projects/golang/go/1.19/README.md
@@ -1,17 +1,17 @@
 # EKS Golang 1.19
 
-Current Release: `13`
+Current Release: `14`
 
 Tracking Tag: `go1.19.13`
 
 ### Artifacts:  
 |Arch|Artifact|sha|
 |:---:|:---:|:---:|
-|noarch|[golang-src-1.19.13-13.amzn2.eks.noarch.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/x86_64/RPMS/noarch/golang-src-1.19.13-13.amzn2.eks.noarch.rpm)|[golang-src-1.19.13-13.amzn2.eks.noarch.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/x86_64/RPMS/noarch/golang-src-1.19.13-13.amzn2.eks.noarch.rpm.sha256)|
-|x86_64|[golang-1.19.13-13.amzn2.eks.x86_64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/x86_64/RPMS/x86_64/golang-1.19.13-13.amzn2.eks.x86_64.rpm)|[golang-1.19.13-13.amzn2.eks.x86_64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/x86_64/RPMS/x86_64/golang-1.19.13-13.amzn2.eks.x86_64.rpm.sha256)|
-|aarch64|[golang-1.19.13-13.amzn2.eks.aarch64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/aarch64/RPMS/aarch64/golang-1.19.13-13.amzn2.eks.aarch64.rpm)|[golang-1.19.13-13.amzn2.eks.aarch64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/aarch64/RPMS/aarch64/golang-1.19.13-13.amzn2.eks.aarch64.rpm.sha256)|
-|arm64|[go1.19.13.linux-arm64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz)|[go1.19.13.linux-arm64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz.sha256)|
-|amd64|[go1.19.13.linux-amd64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz)|[go1.19.13.linux-amd64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/13/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz.sha256)|
+|noarch|[golang-src-1.19.13-14.amzn2.eks.noarch.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/x86_64/RPMS/noarch/golang-src-1.19.13-14.amzn2.eks.noarch.rpm)|[golang-src-1.19.13-14.amzn2.eks.noarch.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/x86_64/RPMS/noarch/golang-src-1.19.13-14.amzn2.eks.noarch.rpm.sha256)|
+|x86_64|[golang-1.19.13-14.amzn2.eks.x86_64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/x86_64/RPMS/x86_64/golang-1.19.13-14.amzn2.eks.x86_64.rpm)|[golang-1.19.13-14.amzn2.eks.x86_64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/x86_64/RPMS/x86_64/golang-1.19.13-14.amzn2.eks.x86_64.rpm.sha256)|
+|aarch64|[golang-1.19.13-14.amzn2.eks.aarch64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/aarch64/RPMS/aarch64/golang-1.19.13-14.amzn2.eks.aarch64.rpm)|[golang-1.19.13-14.amzn2.eks.aarch64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/aarch64/RPMS/aarch64/golang-1.19.13-14.amzn2.eks.aarch64.rpm.sha256)|
+|arm64|[go1.19.13.linux-arm64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz)|[go1.19.13.linux-arm64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz.sha256)|
+|amd64|[go1.19.13.linux-amd64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz)|[go1.19.13.linux-amd64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/releases/14/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz.sha256)|
 
 
 ### ARM64 Builds

diff --git a/projects/golang/go/1.19/patches/0006-go-1.19.13-eks-net-http-limit-chunked-data-ov.patch b/projects/golang/go/1.19/patches/0006-go-1.19.13-eks-net-http-limit-chunked-data-ov.patch
@@ -0,0 +1,188 @@
+From 91704a7ae30ed4865183fb8e79160e90e6f6b6ee Mon Sep 17 00:00:00 2001
+From: Damien Neil <[email protected]>
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] net/http: limit chunked data
+ overhead
+
+# AWS EKS
+
+Backported To: go-1.19.13-eks
+Backported On: Tue, 05 Dec 2023
+Backported By: [email protected]
+Backported From: release-branch.go1.20
+Source Commit: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd 
+
+# Original Information
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker <[email protected]>
+TryBot-Result: Security TryBots <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+---
+ src/net/http/internal/chunked.go      | 36 +++++++++++++---
+ src/net/http/internal/chunked_test.go | 59 +++++++++++++++++++++++++++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index 5a174415dc..8b6e94b5d4 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+ 	n        uint64 // unread bytes in chunk
+ 	err      error
+ 	buf      [2]byte
+-	checkEnd bool // whether need to check for \r\n chunk footer
++	checkEnd bool  // whether need to check for \r\n chunk footer
++	excess   int64 // "excessive" chunk overhead, for malicious sender detection
+ }
+
+ func (cr *chunkedReader) beginChunk() {
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+ 	if cr.err != nil {
+ 		return
+ 	}
++	cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data
++	line = trimTrailingWhitespace(line)
++	line, cr.err = removeChunkExtension(line)
++	if cr.err != nil {
++		return
++	}
+ 	cr.n, cr.err = parseHexUint(line)
+ 	if cr.err != nil {
+ 		return
+ 	}
++	// A sender who sends one byte per chunk will send 5 bytes of overhead
++	// for every byte of data. ("1\r\nX\r\n" to send "X".)
++	// We want to allow this, since streaming a byte at a time can be legitimate.
++	//
++	// A sender can use chunk extensions to add arbitrary amounts of additional
++	// data per byte read. ("1;very long extension\r\nX\r\n" to send "X".)
++	// We don't want to disallow extensions (although we discard them),
++	// but we also don't want to allow a sender to reduce the signal/noise ratio
++	// arbitrarily.
++	//
++	// We track the amount of excess overhead read,
++	// and produce an error if it grows too large.
++	//
++	// Currently, we say that we're willing to accept 16 bytes of overhead per chunk,
++	// plus twice the amount of real data in the chunk.
++	cr.excess -= 16 + (2 * int64(cr.n))
++	if cr.excess < 0 {
++		cr.excess = 0
++	}
++	if cr.excess > 16*1024 {
++		cr.err = errors.New("chunked encoding contains too much non-data")
++	}
+ 	if cr.n == 0 {
+ 		cr.err = io.EOF
+ 	}
+@@ -140,11 +169,6 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ 	if len(p) >= maxLineLength {
+ 		return nil, ErrLineTooLong
+ 	}
+-	p = trimTrailingWhitespace(p)
+-	p, err = removeChunkExtension(p)
+-	if err != nil {
+-		return nil, err
+-	}
+ 	return p, nil
+ }
+
+diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
+index 5e29a786dd..b99090c1f8 100644
+--- a/src/net/http/internal/chunked_test.go
++++ b/src/net/http/internal/chunked_test.go
+@@ -239,3 +239,62 @@ func TestChunkEndReadError(t *testing.T) {
+ 		t.Errorf("expected %v, got %v", readErr, err)
+ 	}
+ }
++
++func TestChunkReaderTooMuchOverhead(t *testing.T) {
++	// If the sender is sending 100x as many chunk header bytes as chunk data,
++	// we should reject the stream at some point.
++	chunk := []byte("1;")
++	for i := 0; i < 100; i++ {
++		chunk = append(chunk, 'a') // chunk extension
++	}
++	chunk = append(chunk, "\r\nX\r\n"...)
++	const bodylen = 1 << 20
++	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++		if i < bodylen {
++			return chunk, nil
++		}
++		return []byte("0\r\n"), nil
++	}})
++	_, err := io.ReadAll(r)
++	if err == nil {
++		t.Fatalf("successfully read body with excessive overhead; want error")
++	}
++}
++
++func TestChunkReaderByteAtATime(t *testing.T) {
++	// Sending one byte per chunk should not trip the excess-overhead detection.
++	const bodylen = 1 << 20
++	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++		if i < bodylen {
++			return []byte("1\r\nX\r\n"), nil
++		}
++		return []byte("0\r\n"), nil
++	}})
++	got, err := io.ReadAll(r)
++	if err != nil {
++		t.Errorf("unexpected error: %v", err)
++	}
++	if len(got) != bodylen {
++		t.Errorf("read %v bytes, want %v", len(got), bodylen)
++	}
++}
++
++type funcReader struct {
++	f   func(iteration int) ([]byte, error)
++	i   int
++	b   []byte
++	err error
++}
++
++func (r *funcReader) Read(p []byte) (n int, err error) {
++	if len(r.b) == 0 && r.err == nil {
++		r.b, r.err = r.f(r.i)
++		r.i++
++	}
++	n = copy(p, r.b)
++	r.b = r.b[n:]
++	if len(r.b) > 0 {
++		return n, nil
++	}
++	return n, r.err
++}
+-- 
+2.43.0
+
diff --git a/projects/golang/go/1.19/patches/0007-go-1.19.13-eks-path-filepath-consider-c-as-a-.patch b/projects/golang/go/1.19/patches/0007-go-1.19.13-eks-path-filepath-consider-c-as-a-.patch
@@ -0,0 +1,130 @@
+From 30b82a7f5da68149a2b66059748d69de32fdceae Mon Sep 17 00:00:00 2001
+From: Damien Neil <[email protected]>
+Date: Thu, 9 Nov 2023 09:53:44 -0800
+Subject: [PATCH] path/filepath: consider \\?\c: as
+ a volume on Windows
+
+# AWS EKS
+
+Backported To: go-1.19.13-eks
+Backported On: Tue, 05 Dec 2023
+Backported By: [email protected]
+Backported From: release-branch.go1.20
+Source Commit: https://github.com/golang/go/commit/1b59b017db1ac4a63ed08173c00d7f08d47530be
+
+# Original Information
+
+While fixing several bugs in path handling on Windows,
+beginning with \\?\.
+
+Prior to #540277, VolumeName considered the first path component
+after the \\?\ prefix to be part of the volume name.
+After, it considered only the \\? prefix to be the volume name.
+
+Restore the previous behavior.
+
+For #64028.
+Fixes #64040.
+
+Change-Id: I6523789e61776342800bd607fb3f29d496257e68
+Reviewed-on: https://go-review.googlesource.com/c/go/+/541175
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+(cherry picked from commit eda42f7c60adab26ed1a340414c726c4bf46b1f7)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/541520
+Auto-Submit: Dmitri Shuralyov <[email protected]>
+TryBot-Result: Gopher Robot <[email protected]>
+Run-TryBot: Dmitri Shuralyov <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+---
+ src/path/filepath/path_test.go    | 18 +++++++++++++-----
+ src/path/filepath/path_windows.go | 20 +++++++-------------
+ 2 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/src/path/filepath/path_test.go b/src/path/filepath/path_test.go
+index 204b3bb5c8..679c3fa883 100644
+--- a/src/path/filepath/path_test.go
++++ b/src/path/filepath/path_test.go
+@@ -99,6 +99,11 @@ var wincleantests = []PathTest{
+ 	{`.\c:`, `.\c:`},
+ 	{`.\c:\foo`, `.\c:\foo`},
+ 	{`.\c:foo`, `.\c:foo`},
++	{`//abc`, `\\abc`},
++	{`///abc`, `\\\abc`},
++	{`//abc//`, `\\abc\\`},
++	{`\\?\C:\`, `\\?\C:\`},
++	{`\\?\C:\a`, `\\?\C:\a`},
+
+ 	// Don't allow cleaning to move an element with a colon to the start of the path.
+ 	{`a/../c:`, `.\c:`},
+@@ -1388,10 +1393,13 @@ var volumenametests = []VolumeNameTest{
+ 	{`//.`, `\\.`},
+ 	{`//./`, `\\.\`},
+ 	{`//./NUL`, `\\.\NUL`},
+-	{`//?/`, `\\?`},
++	{`//?`, `\\?`},
++	{`//?/`, `\\?\`},
++	{`//?/NUL`, `\\?\NUL`},
++	{`/??`, `\??`},
++	{`/??/`, `\??\`},
++	{`/??/NUL`, `\??\NUL`},
+ 	{`//./a/b`, `\\.\a`},
+-	{`//?/`, `\\?`},
+-	{`//?/`, `\\?`},
+ 	{`//./C:`, `\\.\C:`},
+ 	{`//./C:/`, `\\.\C:`},
+ 	{`//./C:/a/b/c`, `\\.\C:`},
+@@ -1400,8 +1408,8 @@ var volumenametests = []VolumeNameTest{
+ 	{`//./UNC/host\`, `\\.\UNC\host\`},
+ 	{`//./UNC`, `\\.\UNC`},
+ 	{`//./UNC/`, `\\.\UNC\`},
+-	{`\\?\x`, `\\?`},
+-	{`\??\x`, `\??`},
++	{`\\?\x`, `\\?\x`},
++	{`\??\x`, `\??\x`},
+ }
+
+ func TestVolumeName(t *testing.T) {
+diff --git a/src/path/filepath/path_windows.go b/src/path/filepath/path_windows.go
+index 134114a39d..4c7daad325 100644
+--- a/src/path/filepath/path_windows.go
++++ b/src/path/filepath/path_windows.go
+@@ -112,12 +112,14 @@ func volumeNameLen(path string) int {
+ 		// \\.\unc\a\b\..\c into \\.\unc\a\c.
+ 		return uncLen(path, len(`\\.\UNC\`))
+
+-	case pathHasPrefixFold(path, `\\.`):
+-		// Path starts with \\., and is a Local Device path.
++	case pathHasPrefixFold(path, `\\.`) ||
++		pathHasPrefixFold(path, `\\?`) || pathHasPrefixFold(path, `\??`):
++		// Path starts with \\.\, and is a Local Device path; or
++		// path starts with \\?\ or \??\ and is a Root Local Device path.
+ 		//
+-		// We currently treat the next component after the \\.\ prefix
+-		// as part of the volume name, although there doesn't seem to be
+-		// a principled reason to do this.
++		// We treat the next component after the \\.\ prefix as
++		// part of the volume name, which means Clean(`\\?\c:\`)
++		// won't remove the trailing \. (See #64028.)
+ 		if len(path) == 3 {
+ 			return 3 // exactly \\.
+ 		}
+@@ -127,14 +129,6 @@ func volumeNameLen(path string) int {
+ 		}
+ 		return len(path) - len(rest) - 1
+
+-	case pathHasPrefixFold(path, `\\?`) || pathHasPrefixFold(path, `\??`):
+-		// Path starts with \\?\ or \??\, and is a Root Local Device path.
+-		//
+-		// While Windows usually treats / and \ as equivalent,
+-		// /??/ does not seem to be recognized as a Root Local Device path.
+-		// We treat it as one anyway here to be safe.
+-		return 3
+-
+ 	case len(path) >= 2 && isSlash(path[1]):
+ 		// Path starts with \\, and is a UNC path.
+ 		return uncLen(path, 2)
+-- 
+2.43.0
+