fix: resolve April 2026 docker-ptf security vulnerabilities

- Upgrade Go toolchain 1.25.8 → 1.25.9 (fixes CVE-2026-32280 through
  CVE-2026-32289: stdlib crypto/tls, archive/tar, html/template, os)
- Bump go.opentelemetry.io/otel/sdk v1.40.0 → v1.43.0 in gnmic
  (CVE-2026-39883: PATH hijacking via BSD kenv)
- Add github.com/go-jose/go-jose/[email protected] to gnmic, gnoic, grpcurl
  (CVE-2026-34986: DoS via crafted JSON Web Encryption)
- Bump github.com/docker/docker to latest in gnmic
  (CVE-2026-34040: authorization bypass, CVE-2026-33997: privilege
  validation bypass during plugin installation)
- Add aws-sdk-go-v2 eventstream/s3 latest to gnmic
  (GHSA-xmrv-pmrh-hhx2: DoS via panic in AWS SDK for Go v2)
- Existing apt-get upgrade covers libpng16-16 fix
  (CVE-2026-33416: use-after-free, CVE-2026-33636: OOB read/write)

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Ubuntu <austinpham@austinpham-dev-vm-2.d4y3nv5wwgfelhhopdxv1tqjld.dx.internal.cloudapp.net>
Signed-off-by: Austin Pham (agent) <[email protected]>

Author: auspham

dockers/docker-ptf/Dockerfile.j2

@@ -107,13 +107,17 @@ RUN apt-get update          \
 # to ensure they use a patched Go stdlib (GO-2026-4337: crypto/tls)
 {% if CONFIGURED_ARCH == "armhf" %}
 RUN GO_ARCH=armv6l \
+    && GO_SHA256=7d4f0d266d871301e08ef4ac31c56e66048688893b2848392e5c600276351ee8 \
 {% elif CONFIGURED_ARCH == "arm64" %}
 RUN GO_ARCH=arm64 \
+    && GO_SHA256=ec342e7389b7f489564ed5463c63b16cf8040023dabc7861256677165a8c0e2b \
 {% else %}
 RUN GO_ARCH=amd64 \
+    && GO_SHA256=00859d7bd6defe8bf84d9db9e57b9a4467b2887c18cd93ae7460e713db774bc1 \
 {% endif %}
-    && GO_VERSION=1.25.8 \
+    && GO_VERSION=1.25.9 \
     && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \
+    && echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c - \
     && tar -C /usr/local -xzf /tmp/go.tar.gz \
     && rm /tmp/go.tar.gz
 
@@ -125,12 +129,14 @@ RUN GRPCURL_VERSION=v1.9.3 \
     && git clone --depth 1 --branch "${GRPCURL_VERSION}" https://github.com/fullstorydev/grpcurl.git /tmp/grpcurl \
     && cd /tmp/grpcurl \
     && go get google.golang.org/[email protected] \
+    && go get github.com/go-jose/go-jose/v4@latest \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
     && go mod tidy \
     && go build -o /usr/local/bin/grpcurl ./cmd/grpcurl \
     && chmod +x /usr/local/bin/grpcurl \
-    && rm -rf /tmp/grpcurl
+    && rm -rf /tmp/grpcurl /root/go/pkg/mod /root/.cache/go-build
 # Security fixes: upgrade all vulnerable system packages (S360 scan remediation)
+# Covers CVE-2026-33416 and CVE-2026-33636 (libpng16-16) among others
 RUN apt-get update && apt-get upgrade -y \
     && rm -rf /var/lib/apt/lists/*
 
@@ -406,27 +412,35 @@ RUN git clone https://github.com/karimra/gnoic.git \
     && git checkout 27bc5a6 \
     && go get google.golang.org/[email protected] \
     && go get github.com/go-viper/mapstructure/[email protected] \
+    && go get github.com/go-jose/go-jose/v4@latest \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
     && go mod tidy \
     && go build -o /usr/local/bin/gnoic . \
     && cd .. \
-    && rm -rf gnoic
+    && rm -rf gnoic /root/go/pkg/mod /root/.cache/go-build
 
 # Build gnmic from source with upgraded deps to address known CVEs
+COPY gocloud-patches/ /tmp/gocloud-patches/
 RUN GNMIC_VERSION=v0.43.0 \
     && git clone --depth 1 --branch "${GNMIC_VERSION}" https://github.com/openconfig/gnmic.git /tmp/gnmic \
     && cd /tmp/gnmic \
     && go get google.golang.org/[email protected] \
     && go get github.com/cloudflare/[email protected] \
     && go get github.com/go-git/go-git/v5@latest \
     && go get github.com/nats-io/nats-server/v2@latest \
-    && go get go.opentelemetry.io/otel/sdk@v1.40.0 \
+    && go get go.opentelemetry.io/otel/sdk@latest \
     && go get github.com/docker/docker@latest \
+    && go get github.com/go-jose/go-jose/v4@latest \
+    && go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@latest github.com/aws/aws-sdk-go-v2/service/s3@latest github.com/aws/aws-sdk-go-v2/feature/s3/manager@latest \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
+    && go get [email protected] \
     && go mod tidy \
+    && GOCLOUD_DIR="$(go list -m -f '{{ '{{' }}.Dir{{ '}}' }}' gocloud.dev)" \
+    && chmod -R +w "$GOCLOUD_DIR" \
+    && patch --forward -d "$GOCLOUD_DIR" -p1 < /tmp/gocloud-patches/0001-fix-aws-sdk-go-v2-pointer-api-changes.patch \
     && go build -o /usr/local/bin/gnmic . \
     && chmod +x /usr/local/bin/gnmic \
-    && rm -rf /tmp/gnmic
+    && rm -rf /tmp/gnmic /tmp/gocloud-patches /root/go/pkg/mod /root/.cache/go-build
 
 # Remove Go toolchain to reduce image size
 RUN rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)"

dockers/docker-ptf/gocloud-patches/0001-fix-aws-sdk-go-v2-pointer-api-changes.patch

@@ -0,0 +1,47 @@
+--- a/blob/s3blob/s3blob.go	2026-04-09 22:48:10.700372961 +0000
++++ b/blob/s3blob/s3blob.go	2026-04-09 22:48:19.654602364 +0000
+@@ -399,7 +399,7 @@
+ 	if b.useV2 {
+ 		in := &s3v2.ListObjectsV2Input{
+ 			Bucket:  aws.String(b.name),
+-			MaxKeys: int32(pageSize),
++			MaxKeys: aws.Int32(int32(pageSize)),
+ 		}
+ 		if len(opts.PageToken) > 0 {
+ 			in.ContinuationToken = aws.String(string(opts.PageToken))
+@@ -425,7 +425,7 @@
+ 				page.Objects[i] = &driver.ListObject{
+ 					Key:     unescapeKey(aws.StringValue(obj.Key)),
+ 					ModTime: *obj.LastModified,
+-					Size:    obj.Size,
++					Size:    aws.Int64Value(obj.Size),
+ 					MD5:     eTagToMD5(obj.ETag),
+ 					AsFunc: func(i interface{}) bool {
+ 						p, ok := i.(*typesv2.Object)
+@@ -576,7 +576,7 @@
+ 	var nextContinuationToken *string
+ 	if legacyResp.NextMarker != nil {
+ 		nextContinuationToken = legacyResp.NextMarker
+-	} else if legacyResp.IsTruncated {
++	} else if aws.BoolValue(legacyResp.IsTruncated) {
+ 		nextContinuationToken = aws.String(aws.StringValue(legacyResp.Contents[len(legacyResp.Contents)-1].Key))
+ 	}
+ 	return &s3v2.ListObjectsV2Output{
+@@ -706,7 +706,7 @@
+ 			Metadata:           md,
+ 			// CreateTime not supported; left as the zero time.
+ 			ModTime: aws.TimeValue(resp.LastModified),
+-			Size:    resp.ContentLength,
++			Size:    aws.Int64Value(resp.ContentLength),
+ 			MD5:     eTagToMD5(resp.ETag),
+ 			ETag:    aws.StringValue(resp.ETag),
+ 			AsFunc: func(i interface{}) bool {
+@@ -803,7 +803,7 @@
+ 			attrs: driver.ReaderAttributes{
+ 				ContentType: aws.StringValue(resp.ContentType),
+ 				ModTime:     aws.TimeValue(resp.LastModified),
+-				Size:        getSize(resp.ContentLength, aws.StringValue(resp.ContentRange)),
++				Size:        getSize(aws.Int64Value(resp.ContentLength), aws.StringValue(resp.ContentRange)),
+ 			},
+ 			rawV2: resp,
+ 		}, nil