blob: eefe652bf5895757ca491548394736fdd6f2dc26 [file] [log] [blame]
id: GO-2022-0289
modules:
- module: std
versions:
- fixed: 1.16.12
- introduced: 1.17.0-0
- fixed: 1.17.5
vulnerable_at: 1.17.4
packages:
- package: syscall
symbols:
- ForkExec
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Misdirected I/O in syscall
description: |-
When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.
For users who cannot immediately update to the new release, the bug can be
mitigated by raising the per-process file descriptor limit.
published: 2022-05-18T18:23:23Z
cves:
- CVE-2021-44717
credits:
- Tomasz Maczukin
- Kamil TrzciƄski of GitLab
references:
- fix: https://go.dev/cl/370576
- fix: https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2
- report: https://go.dev/issue/50057
- web: https://groups.google.com/g/golang-announce/c/hcmEScgc00k
- fix: https://go.dev/cl/370577
- fix: https://go.dev/cl/370795
review_status: REVIEWED