| Copyright 2024 The Go Authors. All rights reserved. |
| Use of this source code is governed by a BSD-style |
| license that can be found in the LICENSE file. |
| |
| Expected output of TestCVE5ToReport/CVE-2023-45283. |
| |
| -- CVE-2023-45283 -- |
| id: PLACEHOLDER-ID |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.20.11 |
| - introduced: 1.21.0-0 |
| fixed: 1.21.4 |
| packages: |
| - package: internal/safefilepath |
| goos: |
| - windows |
| symbols: |
| - fromFS |
| - FromFS |
| - module: std |
| versions: |
| - fixed: 1.20.11 |
| - introduced: 1.21.0-0 |
| fixed: 1.21.4 |
| packages: |
| - package: path/filepath |
| goos: |
| - windows |
| symbols: |
| - Clean |
| - volumeNameLen |
| - join |
| - Abs |
| - Base |
| - Dir |
| - EvalSymlinks |
| - Glob |
| - IsLocal |
| - Join |
| - Rel |
| - Split |
| - VolumeName |
| - Walk |
| - WalkDir |
| - module: std |
| versions: |
| - introduced: 1.20.11 |
| fixed: 1.20.12 |
| - introduced: 1.21.4 |
| fixed: 1.21.5 |
| packages: |
| - package: path/filepath |
| goos: |
| - windows |
| symbols: |
| - volumeNameLen |
| - Abs |
| - Base |
| - Clean |
| - Dir |
| - EvalSymlinks |
| - Glob |
| - IsLocal |
| - Join |
| - Rel |
| - Split |
| - VolumeName |
| - Walk |
| - WalkDir |
| summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath |
| description: |- |
| The filepath package does not recognize paths with a \??\ prefix as special. On |
| Windows, a path beginning with \??\ is a Root Local Device path equivalent to a |
| path beginning with \\?\. Paths with a \??\ prefix may be used to access |
| arbitrary locations on the system. For example, the path \??\c:\x is equivalent |
| to the more common path c:\x. Before fix, Clean could convert a rooted path such |
| as \a\..\??\b into the root local device path \??\b. Clean will now convert this |
| to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence |
| of path elements into the root local device path \??\b. Join will now convert |
| this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths |
| beginning with \??\ as absolute, and VolumeName correctly reports the \??\ |
| prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed |
| the definition of the volume name in Windows paths starting with \?, resulting |
| in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other |
| effects). The previous behavior has been restored. |
| references: |
| - report: https://go.dev/issue/63713 |
| - fix: https://go.dev/cl/540277 |
| - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY |
| - report: https://go.dev/issue/64028 |
| - fix: https://go.dev/cl/541175 |
| - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ |
| - web: http://www.openwall.com/lists/oss-security/2023/12/05/2 |
| cve_metadata: |
| id: CVE-2023-45283 |
| cwe: 'CWE-41: Improper Resolution of Path Equivalence' |
| notes: |
| - fix: 'module merge error: could not merge versions of module std: range events must be in strictly ascending order (found 1.20.11>=1.20.11)' |
| source: |
| id: CVE-2023-45283 |