diff --git a/data/cve/v5/GO-2023-2185.json b/data/cve/v5/GO-2023-2185.json index 983f804e..09fac455 100644 --- a/data/cve/v5/GO-2023-2185.json +++ b/data/cve/v5/GO-2023-2185.json @@ -13,7 +13,7 @@ "descriptions": [ { "lang": "en", - "value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name." + "value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored." } ], "affected": [ @@ -119,6 +119,74 @@ } ], "defaultStatus": "unaffected" + }, + { + "vendor": "Go standard library", + "product": "path/filepath", + "collectionURL": "https://pkg.go.dev", + "packageName": "path/filepath", + "versions": [ + { + "version": "1.20.11", + "lessThan": "1.20.12", + "status": "affected", + "versionType": "semver" + }, + { + "version": "1.21.4", + "lessThan": "1.21.5", + "status": "affected", + "versionType": "semver" + } + ], + "platforms": [ + "windows" + ], + "programRoutines": [ + { + "name": "volumeNameLen" + }, + { + "name": "Abs" + }, + { + "name": "Base" + }, + { + "name": "Clean" + }, + { + "name": "Dir" + }, + { + "name": "EvalSymlinks" + }, + { + "name": "Glob" + }, + { + "name": "IsLocal" + }, + { + "name": "Join" + }, + { + "name": "Rel" + }, + { + "name": "Split" + }, + { + "name": "VolumeName" + }, + { + "name": "Walk" + }, + { + "name": "WalkDir" + } + ], + "defaultStatus": "unaffected" } ], "problemTypes": [ @@ -141,6 +209,15 @@ { "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" }, + { + "url": "https://go.dev/issue/64028" + }, + { + "url": "https://go.dev/cl/541175" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" + }, { "url": "https://pkg.go.dev/vuln/GO-2023-2185" } diff --git a/data/osv/GO-2023-2185.json b/data/osv/GO-2023-2185.json index bf625818..e22ae4c2 100644 --- a/data/osv/GO-2023-2185.json +++ b/data/osv/GO-2023-2185.json @@ -7,7 +7,7 @@ "CVE-2023-45283" ], "summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath", - "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.", + "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.", "affected": [ { "package": { @@ -70,6 +70,57 @@ } ] } + }, + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.20.11" + }, + { + "fixed": "1.20.12" + }, + { + "introduced": "1.21.4" + }, + { + "fixed": "1.21.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Base", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Split", + "VolumeName", + "Walk", + "WalkDir", + "volumeNameLen" + ] + } + ] + } } ], "references": [ @@ -84,6 +135,18 @@ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/64028" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/541175" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" } ], "database_specific": { diff --git a/data/reports/GO-2023-2185.yaml b/data/reports/GO-2023-2185.yaml index 17973f53..08de4adf 100644 --- a/data/reports/GO-2023-2185.yaml +++ b/data/reports/GO-2023-2185.yaml @@ -34,6 +34,33 @@ modules: - fromFS derived_symbols: - FromFS + - module: std + versions: + - introduced: 1.20.11 + fixed: 1.20.12 + - introduced: 1.21.4 + fixed: 1.21.5 + vulnerable_at: 1.21.4 + packages: + - package: path/filepath + goos: + - windows + symbols: + - volumeNameLen + derived_symbols: + - Abs + - Base + - Clean + - Dir + - EvalSymlinks + - Glob + - IsLocal + - Join + - Rel + - Split + - VolumeName + - Walk + - WalkDir summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath description: |- The filepath package does not recognize paths with a \??\ prefix as special. @@ -52,10 +79,18 @@ description: |- In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. + + UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the + volume name in Windows paths starting with \?, resulting in + filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). + The previous behavior has been restored. references: - report: https://go.dev/issue/63713 - fix: https://go.dev/cl/540277 - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY + - report: https://go.dev/issue/64028 + - fix: https://go.dev/cl/541175 + - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ cve_metadata: id: CVE-2023-45283 cwe: 'CWE-41: Improper Resolution of Path Equivalence'