From ff13dd39f37b8c1ebf58f657dfdaa0338df6e78b Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sat, 5 Nov 2022 17:39:57 +0100
Subject: [PATCH] Update to Go 1.19.3 to address CVE-2022-41716

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 85eee32f4cdec142fe1eef993eecd1f9558e9055)
Signed-off-by: Sebastiaan van Stijn
---
 Dockerfile | 2 +-
 appveyor.yml | 2 +-
 docker-bake.hcl | 2 +-
 dockerfiles/Dockerfile.binary-native | 2 +-
 dockerfiles/Dockerfile.dev | 2 +-
 dockerfiles/Dockerfile.e2e | 2 +-
 dockerfiles/Dockerfile.lint | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a343d7f67d..e1bf84d34e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19.2
+ARG GO_VERSION=1.19.3
 ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.0
diff --git a/appveyor.yml b/appveyor.yml
index de5b0a5018..99978a9ecc 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 environment:
 GOPATH: c:\gopath
- GOVERSION: 1.19.2
+ GOVERSION: 1.19.3
 DEPVERSION: v0.4.1
 install:
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 3a01889ed1..b271506f9c 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
- default = "1.19.2"
+ default = "1.19.3"
 }
 variable "VERSION" {
 default = ""
diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native
index 1f64260143..6f1a411330 100644
--- a/dockerfiles/Dockerfile.binary-native
+++ b/dockerfiles/Dockerfile.binary-native
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.19.2
+ARG GO_VERSION=1.19.3
 FROM golang:${GO_VERSION}-alpine
diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev
index c719d059ee..799bfef11b 100644
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.19.2
+ARG GO_VERSION=1.19.3
 ARG ALPINE_VERSION=3.16
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e
index d86f5eea91..cb2a6a1d1f 100644
--- a/dockerfiles/Dockerfile.e2e
+++ b/dockerfiles/Dockerfile.e2e
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.19.2
+ARG GO_VERSION=1.19.3
 # Use Debian based image as docker-compose requires glibc.
 FROM golang:${GO_VERSION}-buster
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index d620d5fe26..5988924c2c 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.19.2
+ARG GO_VERSION=1.19.3
 ARG ALPINE_VERSION=3.16
 ARG GOLANGCI_LINT_VERSION=v1.49.0