Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.

Expected output of TestCVEToReport/CVE-2023-45283.

-- CVE-2023-45283 --
id: PLACEHOLDER-ID
modules:
    - module: std
      packages:
        - package: path/filepath
summary: CVE-2023-45283 in path/filepath
description: |-
    The filepath package does not recognize paths with a \??\ prefix as special. On
    Windows, a path beginning with \??\ is a Root Local Device path equivalent to a
    path beginning with \\?\. Paths with a \??\ prefix may be used to access
    arbitrary locations on the system. For example, the path \??\c:\x is equivalent
    to the more common path c:\x. Before fix, Clean could convert a rooted path such
    as \a\..\??\b into the root local device path \??\b. Clean will now convert this
    to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence
    of path elements into the root local device path \??\b. Join will now convert
    this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths
    beginning with \??\ as absolute, and VolumeName correctly reports the \??\
    prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed
    the definition of the volume name in Windows paths starting with \?, resulting
    in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other
    effects). The previous behavior has been restored.
references:
    - report: https://go.dev/issue/63713
    - fix: https://go.dev/cl/540277
    - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
    - report: https://go.dev/issue/64028
    - fix: https://go.dev/cl/541175
    - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
    - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
cve_metadata:
    id: CVE-2023-45283
    cwe: 'CWE-41: Improper Resolution of Path Equivalence'
source:
    id: CVE-2023-45283