update go 1.22.5 => 1.23.0 #3902

Closed

Nemikolh commented Sep 3, 2024

In versions of the Go compiler prior to 1.23.0, esbuild-wasm can crash with the following stack trace:

✘ [ERROR] panic: runtime error: slice bounds out of range [:-4294967295]
(while printing "<some module>")

  debug.Stack (runtime/debug/stack.go:24)
  helpers.PrettyPrintedStack (internal/helpers/stack.go:9)
  linker.(*linkerContext).recoverInternalError
(internal/linker/linker.go:7084)
  panic (runtime/panic.go:884)
  js_printer.(*printer).printNonNegativeFloat
(internal/js_printer/js_printer.go:3524)
  js_printer.(*printer).printNumber (internal/js_printer/js_printer.go:522)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3030)
  js_printer.(*binaryExprVisitor).visitRightAndFinish
(internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3231)
  js_printer.(*binaryExprVisitor).visitRightAndFinish
(internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3206)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4782)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printBody (internal/js_printer/js_printer.go:3644)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4530)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printFn (internal/js_printer/js_printer.go:898)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4045)
  js_printer.Print (internal/js_printer/js_printer.go:4888)
  linker.(*linkerContext).generateCodeForFileInChunkJS
(internal/linker/linker.go:4919)
  linker.(*linkerContext).generateChunkJS (internal/linker/linker.go:5546)

This was due to a bug in memchr which was incorrectly treating memory addresses as signed integers.

It's now fixed in Go 1.23.0: golang/go@90c6558

Original issue on the golang repository golang/go#65571

velll commented Sep 10, 2024

Good stuff! This will also fix two supply chain vulnerabilities (fix version 1.22.7)

I'm not qualified to say whether they apply at all to esbuild, but they do get picked up by the vulnerability scanner in our CI

@migmartri

Yes please, let's release a patch for this. Thanks!

app/node_modules/@esbuild/linux-arm64/bin/esbuild (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

@luka-papez

If possible, I'd encourage going one step further and updating to 1.23.1 instead of 1.23.0

Doing that would also get rid of CVE-2024-34156 which has been fixed in 1.23.1

In any case, thanks for preparing the patch!
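
The scan output above lists one fixed version per Go release line ("1.22.7, 1.23.1"), so 1.23.0 is still affected even though it is numerically newer than 1.22.7. The following is an added example, not code from esbuild or from the scanner, showing how such a list can be evaluated; `parse` and `IsFixed` are hypothetical names, and the treatment of release lines that the list does not mention is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse turns "1.22.5" or "go1.22.5" into [major, minor, patch]; suffixes like "rc1" are rejected.
func parse(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unsupported version %q", v)
		}
	}
	return out, nil
}

// IsFixed reports whether installed carries the fix, given a scanner-style
// "Fixed Version" list with one entry per release line ("1.22.7, 1.23.1").
// Assumption: lines newer than every listed one have the fix; older unlisted lines do not.
func IsFixed(installed, fixedList string) (bool, error) {
	inst, err := parse(installed)
	if err != nil {
		return false, err
	}
	newest := -1 // newest release line named in the list, as major*1000+minor
	for _, f := range strings.Split(fixedList, ",") {
		fx, err := parse(f)
		if err != nil {
			return false, err
		}
		if fx[0] == inst[0] && fx[1] == inst[1] {
			return inst[2] >= fx[2], nil // same release line: compare patch level
		}
		if l := fx[0]*1000 + fx[1]; l > newest {
			newest = l
		}
	}
	return inst[0]*1000+inst[1] > newest, nil
}

func main() {
	ok, err := IsFixed("1.23.0", "1.22.7, 1.23.1") // values from the scan output above
	fmt.Println(ok, err)
}
```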
