data/reports/GO-2022-0493.yaml

id: GO-2022-0493
modules:
    - module: std
      versions:
        - fixed: 1.17.10
        - introduced: 1.18.0-0
          fixed: 1.18.2
      vulnerable_at: 1.18.1
      packages:
        - package: syscall
          symbols:
            - Faccessat
    - module: golang.org/x/sys
      versions:
        - fixed: 0.0.0-20220412211240-33da011f77ad
      vulnerable_at: 0.0.0-20220412071739-889880a91fd5
      packages:
        - package: golang.org/x/sys/unix
          symbols:
            - Faccessat
          derived_symbols:
            - Access
summary: Incorrect privilege reporting in syscall and golang.org/x/sys/unix
description: |-
    When called with a non-zero flags parameter, the Faccessat function can
    incorrectly report that a file is accessible.
published: 2022-07-15T23:30:12Z
cves:
    - CVE-2022-29526
ghsas:
    - GHSA-p782-xgp4-8hr8
credits:
    - Joël Gähwiler (@256dpi)
references:
    - fix: https://go.dev/cl/399539
    - report: https://go.dev/issue/52313
    - fix: https://go.dev/cl/400074
    - web: https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU