Skip to content

Commit

Permalink
data/reports: update GO-2023-2185.yaml
Browse files Browse the repository at this point in the history 
Aliases: CVE-2023-45283

Updates #2185

Change-Id: Id5455a4e6a87b877c7c74845b5580cdb6574fa62
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547558
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
  • Loading branch information
@tatianab
tatianab committed Dec 6, 2023
1 parent f648b65 commit 35b48f5
Show file tree
Hide file tree
Showing 3 changed files with 177 additions and 2 deletions.
79 changes: 78 additions & 1 deletion data/cve/v5/GO-2023-2185.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
"descriptions": [
{
"lang": "en",
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name."
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored."
}
],
"affected": [
Expand Down Expand Up @@ -119,6 +119,74 @@
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Go standard library",
"product": "path/filepath",
"collectionURL": "https://pkg.go.dev",
"packageName": "path/filepath",
"versions": [
{
"version": "1.20.11",
"lessThan": "1.20.12",
"status": "affected",
"versionType": "semver"
},
{
"version": "1.21.4",
"lessThan": "1.21.5",
"status": "affected",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"programRoutines": [
{
"name": "volumeNameLen"
},
{
"name": "Abs"
},
{
"name": "Base"
},
{
"name": "Clean"
},
{
"name": "Dir"
},
{
"name": "EvalSymlinks"
},
{
"name": "Glob"
},
{
"name": "IsLocal"
},
{
"name": "Join"
},
{
"name": "Rel"
},
{
"name": "Split"
},
{
"name": "VolumeName"
},
{
"name": "Walk"
},
{
"name": "WalkDir"
}
],
"defaultStatus": "unaffected"
}
],
"problemTypes": [
Expand All @@ -141,6 +209,15 @@
{
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
},
{
"url": "https://go.dev/issue/64028"
},
{
"url": "https://go.dev/cl/541175"
},
{
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2185"
}
Expand Down
65 changes: 64 additions & 1 deletion data/osv/GO-2023-2185.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"CVE-2023-45283"
],
"summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath",
"details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.",
"details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.",
"affected": [
{
"package": {
Expand Down Expand Up @@ -70,6 +70,57 @@
}
]
}
},
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.20.11"
},
{
"fixed": "1.20.12"
},
{
"introduced": "1.21.4"
},
{
"fixed": "1.21.5"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "path/filepath",
"goos": [
"windows"
],
"symbols": [
"Abs",
"Base",
"Clean",
"Dir",
"EvalSymlinks",
"Glob",
"IsLocal",
"Join",
"Rel",
"Split",
"VolumeName",
"Walk",
"WalkDir",
"volumeNameLen"
]
}
]
}
}
],
"references": [
Expand All @@ -84,6 +135,18 @@
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/64028"
},
{
"type": "FIX",
"url": "https://go.dev/cl/541175"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
}
],
"database_specific": {
Expand Down
35 changes: 35 additions & 0 deletions data/reports/GO-2023-2185.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,33 @@ modules:
- fromFS
derived_symbols:
- FromFS
- module: std
versions:
- introduced: 1.20.11
fixed: 1.20.12
- introduced: 1.21.4
fixed: 1.21.5
vulnerable_at: 1.21.4
packages:
- package: path/filepath
goos:
- windows
symbols:
- volumeNameLen
derived_symbols:
- Abs
- Base
- Clean
- Dir
- EvalSymlinks
- Glob
- IsLocal
- Join
- Rel
- Split
- VolumeName
- Walk
- WalkDir
summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
description: |-
The filepath package does not recognize paths with a \??\ prefix as special.
Expand All @@ -52,10 +79,18 @@ description: |-
In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as
absolute, and VolumeName correctly reports the \??\ prefix as a volume name.
UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
volume name in Windows paths starting with \?, resulting in
filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects).
The previous behavior has been restored.
references:
- report: https://go.dev/issue/63713
- fix: https://go.dev/cl/540277
- web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
- report: https://go.dev/issue/64028
- fix: https://go.dev/cl/541175
- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
cve_metadata:
id: CVE-2023-45283
cwe: 'CWE-41: Improper Resolution of Path Equivalence'

0 comments on commit 35b48f5

Please sign in to comment.