| modules: |
| - module: std |
| versions: |
| - fixed: 1.16.12 |
| - introduced: "1.17" |
| fixed: 1.17.5 |
| packages: |
| - package: syscall |
| symbols: |
| - ForkExec |
| description: | |
| When a Go program running on a Unix system is out of file descriptors and |
| calls syscall.ForkExec (including indirectly by using the os/exec package), |
| syscall.ForkExec can close file descriptor 0 as it fails. If this happens |
| (or can be provoked) repeatedly, it can result in misdirected I/O such as |
| writing network traffic intended for one connection to a different |
| connection, or content intended for one file to a different one. |
| |
| For users who cannot immediately update to the new release, the bug can be |
| mitigated by raising the per-process file descriptor limit. |
| published: 2022-05-18T18:23:23Z |
| cves: |
| - CVE-2021-44717 |
| credit: Tomasz Maczukin and Kamil TrzciĆski of GitLab |
| references: |
| - fix: https://go.dev/cl/370576 |
| - fix: https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2 |
| - report: https://go.dev/issue/50057 |
| - web: https://groups.google.com/g/golang-announce/c/hcmEScgc00k |
| - fix: https://go.dev/cl/370577 |
| - fix: https://go.dev/cl/370795 |
