data/reports/GO-2023-2186.yaml - vulndb - Git at Google

 id: GO-2023-2186
 modules:
     - module: std
       versions:
         - fixed: 1.20.11
         - introduced: 1.21.0-0
           fixed: 1.21.4
       vulnerable_at: 1.21.3
       packages:
         - package: path/filepath
           symbols:
             - IsLocal
 summary: Incorrect detection of reserved device names on Windows in path/filepath
 description: |-
     On Windows, The IsLocal function does not correctly detect reserved device names
     in some cases.

     Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and
     "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.

     With fix, IsLocal now correctly reports these names as non-local.
 references:
     - report: https://go.dev/issue/63713
     - fix: https://go.dev/cl/540277
     - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
 cve_metadata:
     id: CVE-2023-45284
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
	id: GO-2023-2186
	modules:
	- module: std
	versions:
	- fixed: 1.20.11
	- introduced: 1.21.0-0
	fixed: 1.21.4
	vulnerable_at: 1.21.3
	packages:
	- package: path/filepath
	symbols:
	- IsLocal
	summary: Incorrect detection of reserved device names on Windows in path/filepath
	description: \|-
	On Windows, The IsLocal function does not correctly detect reserved device names
	in some cases.

	Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and
	"LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.

	With fix, IsLocal now correctly reports these names as non-local.
	references:
	- report: https://go.dev/issue/63713
	- fix: https://go.dev/cl/540277
	- web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
	cve_metadata:
	id: CVE-2023-45284
	cwe: 'CWE-41: Improper Resolution of Path Equivalence'