| id: GO-2022-0289 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.16.12 |
| - introduced: 1.17.0-0 |
| - fixed: 1.17.5 |
| vulnerable_at: 1.17.4 |
| packages: |
| - package: syscall |
| symbols: |
| - ForkExec |
| skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)' |
| summary: Misdirected I/O in syscall |
| description: |- |
| When a Go program running on a Unix system is out of file descriptors and calls |
| syscall.ForkExec (including indirectly by using the os/exec package), |
| syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or |
| can be provoked) repeatedly, it can result in misdirected I/O such as writing |
| network traffic intended for one connection to a different connection, or |
| content intended for one file to a different one. |
| |
| For users who cannot immediately update to the new release, the bug can be |
| mitigated by raising the per-process file descriptor limit. |
| published: 2022-05-18T18:23:23Z |
| cves: |
| - CVE-2021-44717 |
| credits: |
| - Tomasz Maczukin |
| - Kamil TrzciĆski of GitLab |
| references: |
| - fix: https://go.dev/cl/370576 |
| - fix: https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2 |
| - report: https://go.dev/issue/50057 |
| - web: https://groups.google.com/g/golang-announce/c/hcmEScgc00k |
| - fix: https://go.dev/cl/370577 |
| - fix: https://go.dev/cl/370795 |
| review_status: REVIEWED |